Risks of Fake Wallets and Private Seed Phrase Leakage

Beginner | May 29, 2024
Web3 Security Beginner's Guide to Avoiding Pitfalls | Risks of Fake Wallets and Private Seed Phrase Leakage

Background

Wallets play a vital role in the Web3 world. They store digital assets and are the tool users need to send transactions and access DApps. In the previous issue of the Web3 Security Beginner's Guide to Avoiding Pitfalls, we introduced the categories of wallets and listed common risk points to help readers get to know the basic concepts of wallet security. As cryptocurrency and blockchain technology have grown in popularity, cybercriminals have also targeted the funds of Web3 users. The theft reports submitted to the SlowMist Security Team show that many users have had funds stolen after downloading or purchasing fake wallets. In this issue, therefore, we will explore how users end up downloading or purchasing fake wallets and the risks of private key/seed phrase leakage, and provide a series of security recommendations to help users safeguard their funds.

Download fake wallets

Because many phones do not ship with the Google Play Store, or because of network restrictions, many people download wallets through other channels, such as:

Third-party download site

Some users download wallets through third-party download sites such as apkcombo, apkpure, etc. These sites often advertise that their apps are mirrored from the Google Play Store, but how safe is that? The SlowMist Security Team investigated third-party sources of fake Web3 wallets and found that the wallet version offered by the third-party download site apkcombo was one the official wallet had never released. Once the user creates a wallet or imports a seed phrase on the start screen, the fake wallet sends the seed phrase and other information to the phishing operator's server.

Search engine

Search engine rankings can be manipulated, so a fake official website can rank higher than the genuine one. It is therefore not recommended to search for a wallet and simply click the top-ranking link to download it; doing so may very well lead to a fake official website and a fake wallet. When users are unsure of the official URL, it is hard to tell a fake site from the real one by appearance alone, because scammers build sites that closely resemble the genuine official website. For the same reason, it is not recommended to click links shared by other users on Twitter or other platforms, as these are often phishing links.

Relatives and Friends/Pig Butchering Scams

In the dark forest of blockchain, maintaining zero trust is crucial. Your friends and family may have no malicious intent, but the wallet they downloaded could itself be fake; they may simply not have been robbed yet. So if you download a wallet through a QR code or link they share, there is a real possibility of getting a fake wallet.

The SlowMist Security Team has received numerous reports of scam incidents involving the theft of funds. Scammers often establish trust with victims, guide them into cryptocurrency investments, and then share links to download fake wallets. Ultimately, victims not only lose their funds but also their trust. Therefore, users should remain vigilant when interacting with online acquaintances, especially when they encourage investments or send suspicious links. Don’t trust them in such situations.

Telegram

On Telegram, searching for well-known wallets turns up fake "official" groups. Scammers claim the group is the official channel of a certain wallet and even "remind" members that the link pinned in the group is the only official website link. Those links are all fake.

App store

It is important to remember that apps in the official app stores are not necessarily safe. Some criminals buy keyword ad placements to divert search traffic and lure users into downloading fraudulent apps. Readers are advised to be careful.

So, what can users do to avoid downloading fake wallets?

Download Apps from the official website

The ability to find the true official website is needed not only when downloading the wallet, but also whenever users later interact with a Web3 project, so we will cover how to find the correct official website here.

Users may search for the project's account directly on Twitter and then judge whether it is official from the number of followers, the registration date, and whether it carries a blue or gold checkmark. All of these can be faked. In the article "Authentic and fake project parties | Be wary of fake account phishing in the comment area", we described the underground market that sells high-fidelity impersonation accounts. Newcomers are therefore advised to first follow some security companies, security practitioners, and well-known industry media on Twitter, and then check whether those accounts follow the official account you found.

(https://twitter.com/DefiLlama)

With the above method, users have a good chance of finding the real official Twitter account, but it still needs to be cross-checked. Official Twitter accounts are hacked fairly often, and the attacker will then replace the official website link in the profile with a link to a fake site. So compare the website link you just found with the link listed by other independent channels (such as DefiLlama, CoinGecko, CoinMarketCap, etc.):

(https://defillama.com/)

(https://landing.coingecko.com/links/)

After finding and confirming the official website link, it is recommended that users save the link to bookmarks so that they can find the correct link directly from the bookmarks next time without having to find and confirm it again every time, reducing the probability of entering a fake official website.

App store

Users can download the wallet from official application stores such as the Apple App Store and Google Play Store, but before downloading, be sure to check the developer information shown in the store and confirm that it matches the developer identity published on the official website. Ratings and download counts can also be consulted, but they can be bought, so treat them as supporting evidence only.

Official version verification

Some readers may be wondering: how do you verify that the wallet you downloaded is the real one? Users can perform file integrity verification, which compares the hash of the file you have with the hash the vendor published to determine whether the file was altered in transit or on the download site. Drag the downloaded APK file into a file hash tool, which computes the file's hash with a cryptographic hash function; use SHA-256 where the vendor publishes it, since MD5 is no longer collision-resistant and only rules out accidental corruption. If the value is identical to the official hash, the file is the vendor's build; if it differs, treat it as fake. Two caveats: the official hash must come from the verified official website (a phishing site will happily publish the hash of its own fake APK next to the download), and not every vendor publishes hashes, in which case this check is unavailable and the trustworthiness of the download source is all you have. What should a user do if they find that their wallet is fake?

  1. First determine the scope of the leak. If you only downloaded the fake wallet but never entered a private key/seed phrase, simply delete the app and download the official version.

  2. If the private key/seed phrase has been imported into the fake wallet, it must be considered leaked, even if nothing has been taken yet. Download the genuine wallet from the official website, import the leaked private key/seed phrase there only to move funds out, create a brand-new wallet with a new seed phrase, and transfer all transferable funds to the new address as quickly as possible. Never reuse the leaked key afterwards.

  3. If your cryptocurrency has unfortunately been stolen, you can use our free community assistance service for a case evaluation. You only need to submit a form according to the classification guidelines (funds stolen/fraud/extortion). The hacker address you submit will also be synchronized to the InMist threat intelligence network for risk control. (Note: submit the Chinese form at https://aml.slowmist.com/cn/recovery-funds.html and the English form at https://aml.slowmist.com/recovery-funds.html)
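
The hash check described under "Official version verification" above, as an added worked example that is not part of the original article or any wallet vendor's tooling. It assumes the vendor publishes a `SHA256SUMS`-style list ("<hex digest>  <filename>" per line, the format produced by `sha256sum` and `shasum -a 256`); the file names, the "abc" sample contents and the `SelfCheck` scenario are constructed for illustration. It streams the file through SHA-256, looks the file name up in the list, and refuses to compare against anything that is not a 64-character SHA-256 digest, so a stray MD5 value can never produce a false "match":

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Verdict is the outcome of checking a download against the vendor's checksum list.
type Verdict string

const (
	Match       Verdict = "MATCH"        // byte-for-byte what the vendor published
	Mismatch    Verdict = "MISMATCH"     // differs from the published build: treat as fake
	NoReference Verdict = "NO_REFERENCE" // the list has no entry for this file name
)

// SHA256Hex streams the input through SHA-256, so a large APK is never held in memory.
func SHA256Hex(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// NormalizeDigest trims, lower-cases and drops an optional "sha256:" prefix,
// the variations vendors commonly use on a download page.
func NormalizeDigest(s string) string {
	return strings.TrimPrefix(strings.ToLower(strings.TrimSpace(s)), "sha256:")
}

// ParseChecksumList reads "<hex>  <filename>" lines as written by sha256sum /
// shasum -a 256; a leading "*" on the name marks binary mode and is dropped.
func ParseChecksumList(text string) map[string]string {
	refs := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		i := strings.IndexAny(line, " \t")
		if line == "" || strings.HasPrefix(line, "#") || i < 0 {
			continue
		}
		name := strings.TrimPrefix(strings.TrimLeft(line[i:], " \t"), "*")
		refs[name] = NormalizeDigest(line[:i])
	}
	return refs
}

// DigestsEqual refuses a reference value that is not a 32-byte SHA-256 digest,
// so an MD5 or SHA-1 string copied from a sloppy page can never "match".
func DigestsEqual(actual, expected string) (bool, error) {
	e := NormalizeDigest(expected)
	if raw, err := hex.DecodeString(e); err != nil || len(raw) != sha256.Size {
		return false, fmt.Errorf("reference %q is not a SHA-256 digest (need 64 hex characters)", expected)
	}
	return NormalizeDigest(actual) == e, nil
}

// VerifyDownload hashes the file and compares it with the list entry for its name.
func VerifyDownload(path, checksumList string) (Verdict, error) {
	expected, ok := ParseChecksumList(checksumList)[filepath.Base(path)]
	if !ok {
		return NoReference, nil
	}
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	actual, err := SHA256Hex(f)
	if err != nil {
		return "", err
	}
	eq, err := DigestsEqual(actual, expected)
	if err != nil {
		return "", err
	}
	if !eq {
		return Mismatch, nil
	}
	return Match, nil
}

// SelfCheck runs VerifyDownload on constructed files (not real wallet builds):
// the published bytes, a one-byte modification, and a name absent from the list.
// The reference value is SHA-256("abc"), a well-known test vector.
func SelfCheck() (genuine, tampered, unknown Verdict, err error) {
	const list = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  wallet.apk\n"
	dir, err := os.MkdirTemp("", "wallet-verify")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	check := func(name string, data []byte) (v Verdict) {
		p := filepath.Join(dir, name)
		if err == nil {
			err = os.WriteFile(p, data, 0o600)
		}
		if err == nil {
			v, err = VerifyDownload(p, list)
		}
		return v
	}
	genuine = check("wallet.apk", []byte("abc"))      // exactly the published bytes
	tampered = check("wallet.apk", []byte("abd"))     // one byte changed
	unknown = check("wallet-beta.apk", []byte("abc")) // vendor list has no such file
	return
}

func main() {
	g, t, u, err := SelfCheck()
	fmt.Println("genuine:", g, " tampered:", t, " unknown:", u, " err:", err)
}
```

Running the program prints MATCH, MISMATCH and NO_REFERENCE for the three constructed cases. To check a real download, save the vendor's checksum list from the bookmarked official site and call `VerifyDownload("wallet.apk", list)`; a NO_REFERENCE result is not a pass, it means the vendor gave you nothing to compare against, and a MATCH only proves the file is the vendor's build, not that the site you took the list from was genuine.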

Purchase a fake hardware wallet

The above covers how fake software wallets get downloaded and what to do about it. Now let's look at how users end up buying fake hardware wallets.

Some users buy hardware wallets from online marketplaces, but a hardware wallet from an unauthorized reseller carries serious risk: before it reaches the user, it is unknown how many hands it has passed through or whether its internal components have been tampered with. If the internals have been tampered with, the problem is very hard to detect from the device's appearance or behaviour.

(https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/)

Here are some ways to mitigate hardware wallet supply chain attacks:

Purchase from official channels: This is the most effective defense. Do not buy hardware wallets from unofficial channels such as online marketplaces, purchasing agents, or other users.

Check the appearance: When the wallet arrives, first check whether the outer packaging and any tamper-evident seals are intact. This is the most basic check, and a careful attacker will rarely be caught at this step, so do not treat an intact box as proof of anything.

Genuine-device check: Some vendors offer a device authenticity check on their official website. When the user initializes the wallet, the device prompts the user to run this check; a device whose firmware or internal components were replaced in transit cannot pass it. Run the check only from the bookmarked official website: a fake device sold together with a link to a fake "official" site will of course pass that site's check.

Tamper-response (self-destruct) mechanism: You can choose a hardware wallet with a tamper-response mechanism. When someone attempts to open the case and tamper with the internal components, the mechanism is triggered, all sensitive material in the secure element is erased, and the device can no longer be used.
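
The genuine-device check above is, at its core, a challenge-response protocol: the website proves the device holds a key that the vendor certified at the factory. The following Go program is an added illustration written for this page, not any vendor's actual protocol or code. It assumes a deliberately simplified model: the vendor certifies each device's public key with a root key at manufacturing time (`Provision`), the website holds only the root public key and sends a fresh random nonce, and the device signs that nonce bound to its serial (`Attest`). The names `DeviceCert`, `Device`, `Verifier`, `Scenarios` and the serial "SN-0001" are this example's own. Beyond the single case in the text, it also shows why a counterfeit unit, a replayed recording of a genuine session, and a copied certificate all fail:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// encode length-prefixes the parts under a domain tag, so a certificate
// signature can never be passed off as a challenge signature or vice versa.
func encode(domain string, parts ...[]byte) []byte {
	var b bytes.Buffer
	b.WriteString(domain)
	for _, p := range parts {
		binary.Write(&b, binary.BigEndian, uint32(len(p)))
		b.Write(p)
	}
	return b.Bytes()
}

// DeviceCert stands in for the vendor-issued device certificate: at the
// factory the vendor root key signs (serial, device public key).
type DeviceCert struct {
	Serial    string
	Pub       ed25519.PublicKey
	VendorSig []byte
}

func certBody(c DeviceCert) []byte { return encode("device-cert", []byte(c.Serial), c.Pub) }

// Device is the hardware wallet: a private key that never leaves it, plus its cert.
type Device struct {
	priv ed25519.PrivateKey
	Cert DeviceCert
}

// Attestation is the device's answer to the website's challenge.
type Attestation struct {
	Cert  DeviceCert
	Nonce []byte
	Sig   []byte
}

// Attest signs the website's nonce, bound to the device's serial, with the device key.
func (d *Device) Attest(nonce []byte) Attestation {
	return Attestation{d.Cert, nonce, ed25519.Sign(d.priv, encode("attest", nonce, []byte(d.Cert.Serial)))}
}

// newRoot generates a vendor root signing key (the attacker can generate one too,
// but the website will only ever trust the real vendor's public half).
func newRoot() (ed25519.PrivateKey, error) {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	return k, err
}

// Provision models the factory step: a fresh device key, certified by the root.
func Provision(root ed25519.PrivateKey, serial string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c := DeviceCert{Serial: serial, Pub: pub}
	c.VendorSig = ed25519.Sign(root, certBody(c))
	return &Device{priv, c}, nil
}

// Verifier plays the vendor's official website; it knows only the root public key.
type Verifier struct{ rootPub ed25519.PublicKey }

func (v Verifier) Verify(challenge []byte, a Attestation) error {
	if !bytes.Equal(challenge, a.Nonce) { // freshness: a recorded session cannot be replayed
		return errors.New("attestation does not answer this challenge")
	}
	if len(a.Cert.Pub) != ed25519.PublicKeySize || !ed25519.Verify(v.rootPub, certBody(a.Cert), a.Cert.VendorSig) {
		return errors.New("device key is not certified by the vendor root") // counterfeit unit
	}
	if !ed25519.Verify(a.Cert.Pub, encode("attest", a.Nonce, []byte(a.Cert.Serial)), a.Sig) {
		return errors.New("device does not hold the certified private key") // copied certificate
	}
	return nil
}

// newNonce returns 32 fresh random bytes for one verification session.
func newNonce() []byte { n := make([]byte, 32); rand.Read(n); return n }

// Scenarios runs the check for a genuine device and three tampering cases;
// a nil error means the website would declare that device genuine.
func Scenarios() (map[string]error, error) {
	root, err := newRoot()
	if err != nil {
		return nil, err
	}
	genuine, err := Provision(root, "SN-0001")
	if err != nil {
		return nil, err
	}
	rogueRoot, err := newRoot() // attacker's own root key; the website does not trust it
	if err != nil {
		return nil, err
	}
	fake, err := Provision(rogueRoot, "SN-0001") // counterfeit unit with a self-issued certificate
	if err != nil {
		return nil, err
	}
	clone := &Device{fake.priv, genuine.Cert} // genuine certificate copied onto hardware lacking the key
	site := Verifier{root.Public().(ed25519.PublicKey)}
	n0, n1, n2, n3 := newNonce(), newNonce(), newNonce(), newNonce()
	return map[string]error{
		"genuine":     site.Verify(n0, genuine.Attest(n0)),
		"counterfeit": site.Verify(n1, fake.Attest(n1)),
		"replay":      site.Verify(n2, genuine.Attest(n0)), // an old answer replayed to a new challenge
		"cloned-cert": site.Verify(n3, clone.Attest(n3)),
	}, nil
}

func main() {
	out, err := Scenarios()
	fmt.Println("setup error:", err)
	for k, v := range out {
		fmt.Printf("%-12s %v\n", k, v)
	}
}
```

Only the genuine device gets a nil result. The three failures map onto what the check buys you: an attacker who swaps the internals cannot obtain a vendor signature on their own key (counterfeit), cannot reuse a recording of a real device because every session uses a fresh nonce (replay), and cannot get away with copying a real certificate because they do not hold its private key (cloned-cert). What the check cannot do is protect you if the website running it is itself fake, which is why it must be started from the bookmarked official site.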

Risk of private key/seed phrase leakage

With the above, you should now know how to download or purchase a genuine wallet, but how to keep the private key/seed phrase safe is a separate problem. The private key/seed phrase is the only credential for recovering the wallet and controlling its assets. A private key is a 64-character hexadecimal string (32 bytes, i.e. 256 bits), and a seed phrase generally consists of 12 words (some wallets use 24). The SlowMist Security Team would like to remind you that if the private key/seed phrase leaks, the wallet's assets will very likely be stolen; a leaked key cannot be "changed" like a password, the funds have to be moved. Let's look at some common ways private keys/seed phrases leak:

Improper confidentiality: Users may tell relatives and friends the private key/seed phrase and ask them to help save it. As a result, the funds are stolen by relatives and friends.

Storing or transmitting the private key/seed phrase online: Some users know that the private key/seed phrase must not be told to others, yet they still keep it in WeChat favorites, photos, screenshots, cloud storage, notes apps, etc. Once an attacker collects and compromises those accounts, the private keys/seed phrases are trivially stolen.

Copying and pasting the private key/seed phrase: Many clipboard managers and input methods upload the user's clipboard history to the cloud, leaving the private key/seed phrase exposed in an environment you do not control. Clipboard-stealing malware can also read the clipboard the moment the private key/seed phrase is copied. It is therefore not recommended to copy and paste the private key/seed phrase at all; this seemingly harmless habit carries a real risk of leakage.

So how to avoid private key/seed phrase leakage?

First, do not tell anyone, including friends and family, your private key/seed phrase. Second, prefer a physical medium for storing the private key/seed phrase so that it cannot be reached over the network. For example, write the private key/seed phrase on good quality paper (optionally sealed in plastic) or store it in a seed phrase box. In addition, using a multi-signature wallet and keeping backups in separate physical locations also improves the security of private keys/seed phrases. For more on how to back up the private key/seed phrase, see the "Blockchain Dark Forest Self-Rescue Handbook" produced by SlowMist: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md.

Summary

This article has covered the risks when downloading or purchasing a wallet, how to find the real official website and verify the authenticity of the wallet, and the risk of leaking the private key/seed phrase. We hope this issue helps everyone take a safe first step into Web3. In the next issue, we will explain the risks encountered when using wallets, such as phishing, signature, and authorization risks. Welcome to follow us. (P.S. The brands and pictures mentioned in this article are only used to aid readers' understanding and do not constitute recommendations or guarantees.)

  1. This article is reprinted from [WeChat official account: 慢雾科技 (SlowMist)]. All copyrights belong to the original author [慢雾安全团队 (SlowMist Security Team)]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
