seed phrase

Ledger Crypto Hardware Wallet Launches Subscription-Based Backup Service for Secret Recovery Phrases

One of the biggest crypto hardware wallet providers is rolling out a new service for users who want to have a backup of their secret recovery phrase. The secret recovery phrase is used to restore access to crypto wallets in case the hardware device gets lost or destroyed. Without the recovery phrase, users lose access […]

The post Ledger Crypto Hardware Wallet Launches Subscription-Based Backup Service for Secret Recovery Phrases appeared first on The Daily Hodl.

Gala Games exploiter returns $22M from GALA token attack

Ledger hardware wallet rolls out cloud-based private key recovery tool

Ledger emphasized that the ID checks required for its private key recovery tool are not like KYC checks as they require “much less” information.

Hardware wallet firm Ledger is rolling out its cloud-based private key recovery solution despite facing significant criticism from the crypto community.

Ledger Recover, an ID-based private key recovery service for the Ledger hardware wallet, is launching on Oct. 24, the firm officially announced on X (formerly Twitter). The release comes in conjunction with Ledger finalizing the open-source code for Ledger Recover on GitHub.

Provided by blockchain protection platform Coincover, Ledger’s seed phrase recovery solution is a paid subscription service allowing users to back up their Secret Recovery Phrase (SRP). The SRP is a unique list of 24 words that backs up the private keys and gives users access to their crypto assets.

Ledger Recover was designed for users who “want to add an enhanced layer of resilience” in case their SRP is ever lost or destroyed, Ledger’s chief technology officer Charles Guillemet said. He also emphasized that Ledger Recover is an optional recovery service, adding:

“If you don’t wish to use the service, no worries — it’ll always be 100% optional. You can simply continue using your Ledger as you did previously — nothing will change.”

At launch, Ledger Recover is compatible with Ledger Nano X, with Ledger Stax and Ledger Nano S Plus integration coming in the near future. The solution is not compatible with Ledger Nano S, according to the Ledger Recover FAQ.

Ledger Recover is initially available to passport or identity card holders in the United States, Canada, the United Kingdom and the European Union. “We will be covering more countries and adding support for more documents,” Ledger said.

The firm emphasized that Ledger Recover’s identity verification “is not the same” as Know Your Customer (KYC) checks carried out by centralized crypto exchanges. Ledger noted that its recovery system only requires a “valid, government-issued document,” stating:

“Identity verification inherently collects much less information compared to KYC [...] KYC involves ID verification but it can also include revenue information, record of criminal activity, citizenship check, etc.”

According to social media posts, the Ledger Recover service will be available at $9.99 per month, or about $120 per year. If a user fails to pay, the subscription will be suspended, and the user will be able to reactivate it in the next nine months.

“You will need to pay an administration fee of 50 EUR along with any outstanding balance,” Ledger Recover FAQ reads.

The rollout comes months after Ledger paused the recovery service in May 2023 in response to community backlash. Ledger CEO Pascal Gauthier subsequently said that the firm will launch the product once its open source code is released.

Ledger’s largest competitor, Trezor, has stayed away from introducing a cloud-based private key recovery solution, opting for a physical backup solution. Trezor launched its own physical seed phrase recovery tool, Trezor Keep Metal, in mid-October 2023.

Trezor releases new hardware wallet and metal private key backup

Trezor is celebrating its 10th anniversary by releasing three new self-custody products, with a focus on providing entry-level devices.

Trezor, a major provider of hardware cryptocurrency wallets, is celebrating its 10th anniversary by releasing three self-custody products, including a new Trezor wallet, a proprietary private key backup solution and a Bitcoin (BTC)-only wallet.

The Czech Republic-based company officially announced the launch of Trezor Safe 3, its brand-new hardware wallet supporting more than 7,000 cryptocurrencies, on Oct. 12. The firm highlighted that the new wallet launch marks an important milestone in Trezor’s provision of entry-level hardware wallets.

The release of the Trezor Safe 3 wallet comes nearly five years after the hardware wallet firm rolled out the Trezor Model T in February 2018. Retailed for $79, Trezor Safe 3 is available in four colors: solar gold, stellar silver, galactic rose and cosmic black.

Trezor Safe 3 hardware wallets. Source: Trezor

The new wallet device maintains Trezor’s commitment to open-source development, applying open-source principles in using the security component, the announcement notes. Trezor has chosen a third-party secure element vendor that allows it to publish any potential vulnerabilities it discovers.

In addition to the Trezor Safe 3, Trezor has also introduced its own physical private key storage solution, Trezor Keep Metal. As previously reported by Cointelegraph, the safety of a seed phrase or a private key is far more important than the safety of a hardware wallet device itself, as users can restore access to the wallet even if a hardware wallet is lost or damaged.

Trezor Keep Metal has much in common with similar physical backup solutions in the market, allowing users to keep their recovery safe under any conditions against fire, water, acids and impacts. The backup tool is made from corrosion-resistant stainless steel with a watertight seal.

Trezor Keep Metal backup tool. Source: Trezor

According to Trezor CEO Matej Zak, Trezor Keep Metal is another important component of Trezor’s commitment to enhancing usability to boost global crypto adoption.

“It is very easy to use in the way that it is because all the other solutions usually have some kind of conversion so that you need some numbering system against the word,” Zak told Cointelegraph reporter Gareth Jenkinson in an interview.

“Whereas here, it’s very intuitive in a way that you just punch in the actual letter from the word onto the steel,” the CEO added.

Available for $99, Trezor Keep Metal allows users to store 12-word and 24-word standard backups. The Trezor Keep Metal catering for three 20-word Shamir backups sells for $249.

Finally, Trezor’s Bitcoin-only hardware wallet was released to mark the company’s anniversary, featuring a limited-edition run of only 2,013 devices. In recognition of Bitcoin’s ability to empower individuals in underprivileged and marginalized communities, Trezor will donate $21 from each sale to support the Trezor Academy, a Bitcoin education initiative, the announcement notes.

Founded in 2013, Trezor is one of the largest global providers of hardware wallets, allowing users to store cryptocurrencies like Bitcoin. Trezor’s first wallet, the Trezor One, was released in 2014 and is still for sale, offering the basic functionality of storing multiple coins long-term.

Victim of 90 ETH exploit set to claw funds back after hacker was blacklisted

The hacker’s wallet with more than $100K worth of USDT was blacklisted and frozen, while the victim had been drained of almost $170K worth of NFTs and other assets.

With the help of police and cyber authorities, a victim of a hack worth 90 Ether (ETH) has gotten the attacker’s Tether (USDT) address blacklisted. As a result, they may be able to get most of their funds back.

The victim, who goes by @l3yum on X (Twitter), was initially drained on March 16 after the hacker managed to get a hold of their hot wallet seed phrase. Several Yuga Labs-related NFTs were stolen, alongside some crypto and other NFTs from smaller projects, and then promptly swapped or sold off.

In an Aug. 11 X thread, L3yum highlighted that the hacker’s Ethereum-based USDT address had been blacklisted, noting: “Today after working with the police and cyber team in my country, I was able to get the stolen funds sitting in USDT frozen and black listed.”

At the time of writing, 90 ETH is equivalent to roughly $166,000 and the blacklisted wallet has $107,306 worth of USDT locked up in it, suggesting the victim may not get the full value of their stolen funds back.

While it is also not yet 100% certain if the victim will be reimbursed, in previous instances in which a USDT address has been blacklisted under similar circumstances, Tether has burned the blacklisted USDT and re-issued equal amounts of the asset to the original owner.

It is also worth noting that the blacklisting of a USDT address by Tether generally comes after a court order.

When asked if this was the case in the comments, L3yum confirmed this was the likely path forward, but suggested it hasn’t been confirmed yet.

“This is the part I’m unsure about but yeah from my understanding this is how it works and the funds that are blacklisted are essentially burnt. Don’t quote me on that though, but that is my understanding!” he wrote.

It is not entirely clear how the hacker got access to the seed phrase in March; however, the general thought at the time was that the victim had either been SIM-swapped, mistakenly had their seed phrase backed up on iCloud, or had been using the wallet across several devices.

Hidden as colors, crypto seed phrases could hide in plain sight, says dev

Speaking to Cointelegraph, Entero Positivo argued typical seed phrase storage methods are too obvious, so he devised a way to hide a crypto wallet in plain sight.

A newly released tool called “BIP39 Colors” is turning Bitcoin (BTC) and other crypto wallet seed phrases into colors — giving users a potentially new way to hold their funds in cold storage.

The developer, only known as Entero Positivo — Spanish for “positive integer” — released BIP39 Colors on June 25, which helps translate a 12- or 24-word wallet seed phrase into an unassuming and seemingly random array of colors.

Speaking to Cointelegraph, Positivo said he created the tool because seed phrases will always need to be backed up somewhere physically and someone “seeing something with 12 or 24 written words is very obvious. [...] Many people know what it means.”

“Where and how do I store my words? Written on paper? On a titanium plate? What if a thief thoroughly searches my house and finds the paper with 12 words written on it?” he said.

Explaining how it works, Positivo said the tool converts BIP39 words — the 2,048-long list of words used to create seed phrases — into eight or 16 colors alongside their hex codes, depending on whether a 12- or 24-word phrase is used.

An example of a color palette generated using 12 random BIP39 words. Source: Enteropositivo.github.io

However, the hex color codes don’t just represent the BIP39 words, explained Positivo. They also dictate the position of each word in the seed phrase.

“The colors are generated in such a way that they carry part of the information of the position occupied by the BIP39 words and information related to their position,” he explained.

This allows for the phrase to be backed up “in a disorderly way and in several different places,” and as “colors are everywhere,” it can make storing a seed phrase “less obvious to any hacker or thief who gains access to our house or computer.”

AI-generated image depicting what artwork designed using Positivo’s tool could look like. Source: Stability.ai

To ensure the utmost safety, Positivo suggested that users should not use his tool on an internet-connected device. Rather it should be downloaded and used offline, or better yet, the color swatch can even be created manually using a calculator.

Though it happens infrequently, crypto users have had their entire seed phrases exposed publicly before.

In a viral video in late 2022, a Nevada police officer’s body camera footage inadvertently caught a glimpse of a suspect’s seed phrase written on a slip of paper. The footage later became part of the public record, allowing anyone to see the phrase.

Ledger co-founder clarifies “there is no backdoor” in Recover firmware update

Ledger Recover is an OTA firmware update that would allow users to back up their seed phrases with third-party entities only if they choose to opt in to the new service.

The launch of Ledger Recover, a service that allows users of the Ledger hardware wallet to back up their secret recovery phrases, met with immense resistance from the crypto community. Ledger co-founder and ex-CEO Éric Larchevêque took the criticism against Ledger as “a total PR failure, but absolutely not a technical one.”

Ledger Recover is an OTA firmware update that would allow users to back up their seed phrases with third-party entities. If a user chooses to opt in to the new service, the recovery phrase fragments are encrypted and stored by 3 different parties, and can be used to recover the phrase in the future. However, the idea of the seed phrase leaving the hardware wallet did not resonate with users who considered Ledger a trustless service for storing cryptocurrencies.

Addressing the rising concerns of users worldwide, Larchevêque posted on Reddit clarifying that Ledger was never a trustless solution:

“Some amount of trust must be placed into Ledger to use their product. If you don't trust Ledger, meaning you treat your HW manufacturer as an adversary, that can't work at all.”

He argued that the Ledger Recover update has no impact on the hardware wallet’s security model. He added:

“My mistake as a CEO during my tenure was probably not be relentless enough about explaining the security model, but at some point you just give up as people don't care at all. Until they care again, like now.”

Larchevêque believed that the only thing that changed is the general user’s perspective on trustlessness and that the Recover code in the firmware is not malicious code:

“Ledger is still safe, there is no backdoor, the Ledger Recover is not a conspiracy, no one will ever force anyone to use Recover.”

Trusting Ledger with sharding the seed phrase is just like trusting Ledger with signing a transaction, he added. Addressing a user’s recommendation about having two different firmware to eradicate ‘backdoor’ concerns, Larchevêque said that “it wouldn't change anything” and would be saddening for him personally.

The firmware update in question is not available for Nano S — Ledger’s cheapest hardware wallet offering — as the chipset does not have enough memory to store the new firmware.

Amid the rollout of Ledger’s controversial firmware update, competing hardware wallet provider GridPlus decided to open-source its firmware for its users.

Turning the Ledger controversy into a marketing opportunity, GridPlus announced plans to open source its device firmware in the third quarter of 2023 to deliver greater transparency.

I run a Ledger competitor — but I support them in blow-up over keys

Ledger’s latest update — aimed at making private seed phrases on its wallets recoverable — was simply an attempt to innovate and improve user security.

It’s counterintuitive for a CEO to defend a competitor, particularly when that competitor is rolling out a feature similar to one we pioneered years ago. But given the debacle around Ledger’s new “Ledger Recover” feature, it’s time to provide a balanced perspective.

The company is under fire for releasing an update to its wallet firmware that allows it to send a version of the wallet seed phrase to third parties. But the outrage feels out of proportion. The perception that Ledger is carelessly “sending seed phrases to a server” is fundamentally misinformed. Let’s be clear: The new system is opt-in only. There is no forced participation or hidden backdoor. The seed is locally split into three encrypted shards using Shamir Secret Sharing, a well-respected cryptographic process, and sent encrypted, a practice the industry has been familiar with for years.

One of the corporations hosting the shards is EscrowTech, a company we brought into the crypto sector four years ago. I’m confident that Ledger, despite our rivalry, can successfully implement a system that matches its claims. They’ve shown commitment and seriousness in the past, and there is no reason to expect otherwise now.

In the face of backlash, it’s essential to remember: If you don’t like it, don’t use it. Period.

We have always strived to provide an upgrade to such systems, but for those who choose to stick with seed phrases, Ledger Recover is undeniably a step forward. I’m giving credit to Ledger where it is due: To truly onboard billions, and move assets to our self-custodial universe, Ledger Recover is a potential solution. Securely encrypted secrets stored in the cloud are the future, not pieces of paper or steel plates stored under your mattress or worse in a bank vault (the irony…)!

That being said, there are a few things Ledger got wrong. Their suggested solution identifies a fundamental problem that cannot be fixed by Ledger Recover: seed phrases. I dislike them and consider them outdated and unfit for personal security. An estimated $100 billion in Bitcoin (BTC) (alone) has been lost or stolen in the last decade because of seed phrase mismanagement. And it’s not getting any better: Every day, new stories of key misplacement and loss appear on forums, such as Reddit and Twitter.

Seed phrases represent a single point of failure, which puts too much burden on the user and is prone to human error, phishing attacks, account takeovers and so many more disasters. Multiparty computation (MPC) wallets and other battle-tested cryptographic techniques offer vastly superior trade-offs where seed-based approaches seem archaic in today’s rapidly advancing digital landscape.

Ledger’s current users, mostly hardcore crypto enthusiasts, feel betrayed, but the existing seed model simply doesn’t work for everyone. Even Ledger acknowledged it on its own website.

Beyond ignoring the fundamental seed phrase vulnerability, Ledger Recover itself has its own share of issues: The one-way firmware update, the closed-source sharding, the Know Your Customer (KYC) gating, the pay-to-recover scheme and, most of all, the “trust me this is opt-in only” without ways to verify the source code. The closed code, dependence on external custodians and the seven-day cut-off if payment ceases will absolutely surface more questions (and already has).

The introduction of Ledger Recover might also invite new attack vectors on and off systems: From local malware to government coercion, social engineering (already deployed at scale in their last e-commerce breach) and fake KYC recovery, which need to be addressed. Lastly, Ledger’s communications and timing could have been better articulated and managed to avoid the current uproar.

However, this doesn’t take away from the fact that they are trying to innovate and improve user security, albeit in a different way than we might.

To Ledger, I suggest providing a comprehensive demo video end-to-end, a documented white paper with possible third-party audit reports, and a thorough explanation of how Ledger Recover works. The FAQs leave questions unanswered, and customers are left guessing or misinterpreting the service. The community thought they could trust you blindly, but you need to earn this back after this episode.

This is not a clear-cut case of right or wrong. Ledger is making strides in the right direction and has built a remarkable track record in an incredibly hostile environment — we know that first-hand. But they also have room to learn and improve.

Imposing a new security path, even optional, is like asking to believe in a second religion you did not choose in the first place. It’s a divisive issue, certainly, but it’s vital for the crypto community to focus on facts rather than interpretations. Eventually, our words here (or on social media) will not matter, and people will vote with their dollars (I mean their crypto). As competitors, we may not agree on every detail, but we can all agree on the need for innovation, security and transparency.

Ouriel Ohayon is a co-founder and the CEO of ZenGo, a consumer MPC wallet established in 2018. He’s a former executive at ICQ/AOL; the founder of TechCrunch France (sold to AOL); and the founder of Isai.fr, a leading French VC. He was general manager of the Gemini’s internet lab and Lightspeed Ventures.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Crypto Hardware Wallet Ledger Responds to Criticism of New ID-Based Seed Phrase Recovery Solution

Crypto hardware wallet firm Ledger is pushing back against critics who say their new seed phrase recovery option indicates the company has a potential “backdoor” to obtain user data. Ledger says their new product, “Ledger Recover,” is an optional subscription for users who want a backup of their secret recovery phrase. The product encrypts a […]

The post Crypto Hardware Wallet Ledger Responds to Criticism of New ID-Based Seed Phrase Recovery Solution appeared first on The Daily Hodl.

What security? Bitcoin enthusiast cracks known 12-word seed phrase in minutes

If the words of a 12-word seed phrase are known, it’s deceptively easy to enter the wallet and sweep the funds.

A systems architect cracked a seed phrase and won a 100,000 Satoshi bounty, or 0.001 Bitcoin (BTC), worth $29, in just under half an hour. Cointelegraph spoke to Andrew Fraser in Boston, who underscored how critical it is to keep a Bitcoin wallet seed phrase secure and offline. 

A seed phrase or recovery phrase is a string of random words generated when a wallet is created that can access the wallet, similar to a master key. Fraser brute forced a 12-word seed phrase that Bitcoin educator “Wicked Bitcoin” shared on Twitter:

As shown, Wicked’s Tweet challenged users to decipher the correct order of the 12-word seed phrase.

“Anyone wants to try and brute force this 12-word seed phrase securing 100,000 sats? I’ll give you all 12 words but in no particular order. Standard derivation path m/84'/0'/0'…no fancy tricks. GL.”

It took just 25 minutes to unlock the 100,000 Satoshis–or just under $30. The incident serves as a timely reminder for Bitcoin users and crypto enthusiasts to take crypto security seriously.

Fraser cracked the code using BTCrecover, a software application available on GitHub. The software offers a range of tools that can determine seed phrases with missing or scrambled mnemonics and passphrase-cracking utilities. Over Twitter DMs, Fraser told Cointelegraph:

“My gaming GPU was able to determine the correct order of the seed phrase in about 25 minutes. Though a more capable system would do it much faster.”

He noted that anyone with a basic knowledge of running Python scripts, using the Windows command shell, and understanding the Bitcoin protocol, particularly BIP39 mnemonics, should be able to replicate his success.

Cointelegraph queried Fraser about the security of 12-word seed keys. Fraser explained they are "perfectly secure if the words remain unknown to an attacker or there is a passphrase '13th seed word' used in the derivation path of the wallet."

Moreover, he emphasized the superior security of 24-word seed keys.

“Even if an attacker knew the out of order words of your 24-word seed key, they would never stand a hope of discovering the correct seed.”

Fraser broke down the entropy calculations to explain the difference in security between the two types of seed keys. A 12-word seed has approximately 128 bits of entropy, while a 24-word seed boasts 256 bits. When an attacker knows the unordered words of a 12-word seed, there are only around half a billion possible combinations, which is relatively easy to test with a decent GPU. A 24-word seed, however, has roughly 6.24^24 possible combinations–and that's a lot of zeros. 
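To put the comparison above into numbers, the following added example (not from the article, from Fraser or from BTCrecover) counts the orderings of a known but shuffled word set, the share expected to pass the BIP39 checksum, and a worst-case sweep time. The word labels are constructed placeholders, and the rate is an assumption that treats the reported 25 minutes as a full sweep of the 12-word orderings.

```python
import math
from collections import Counter

BITS_PER_WORD = 11                    # BIP39 wordlist has 2,048 = 2**11 entries
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed placeholders standing in for leaked words (not real mnemonics).
TWELVE = [f"w{i:02d}" for i in range(12)]
TWENTY_FOUR = [f"w{i:02d}" for i in range(24)]

# ASSUMPTION: the 25 minutes quoted in the article covered all 12! orderings.
ASSUMED_RATE = math.factorial(12) / (25 * 60)   # orderings tested per second


def distinct_orderings(words):
    """Distinct orderings of a known, unordered list of words.

    A word that appears k times is interchangeable with itself, so n! is
    divided by k! for each repeated word.
    """
    total = math.factorial(len(words))
    for count in Counter(words).values():
        total //= math.factorial(count)
    return total


def checksum_bits(n_words):
    """Checksum length in bits: BIP39 appends ENT/32 bits to ENT entropy bits.

    Total bits = ENT + ENT/32 = 33 * (ENT/32), so 12 words -> 4, 24 -> 8.
    """
    return n_words * BITS_PER_WORD // 33


def expected_checksum_valid(words):
    """Orderings expected to form a valid mnemonic, treating the checksum
    as uniformly distributed over the candidate orderings."""
    return distinct_orderings(words) / 2 ** checksum_bits(len(words))


def sweep_years(words, orderings_per_second):
    """Worst-case time, in years, to try every ordering at a fixed rate."""
    return distinct_orderings(words) / orderings_per_second / SECONDS_PER_YEAR


def summarize(words, rate=ASSUMED_RATE):
    """Collect the figures a defender would compare for one phrase length."""
    return {
        "words": len(words),
        "orderings": distinct_orderings(words),
        "checksum_valid": expected_checksum_valid(words),
        "sweep_years": sweep_years(words, rate),
    }


if __name__ == "__main__":
    for phrase in (TWELVE, TWENTY_FOUR):
        s = summarize(phrase)
        print(f"{s['words']} words: {s['orderings']:.3e} orderings, "
              f"~{s['checksum_valid']:.3e} pass the checksum, "
              f"full sweep ~{s['sweep_years']:.3e} years at the assumed rate")
```

The checksum only shrinks the set of orderings that need a full wallet derivation; the gap between the 12-word and 24-word cases comes from the factorial growth in orderings.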

Even the probability of an attacker cracking a 12-word seed phrase is borderline absurd. 24-word seed phrases may be superior, but as Wicked points out in a post-mortem to the seed phrase challenge, “it’s not going to be hacked tbh.”

Ultimately, it’s a timely reminder to readers to ensure seed phrases are never published or shared online. That means seed phrases should not be stored in a password manager or a cloud storage solution, and they certainly should not be typed out into a phone.

Fraser also stressed the importance of keeping seed keys secret and of taking advantage of a passphrase that functions as part of the derivation path. As for the 100,000 Sats Fraser took home? Fraser tweeted that he spent them on dinner that night: Chicken Marsala. Talk about circular economy.

‘Haunts me to this day’ — Crypto project hacked for $4M in a hotel lobby

The co-founder of Webaverse said they somehow got their crypto hacked from their Trust Wallet during a meeting with two people claiming to be investors.

The co-founder of Web3 metaverse game engine “Webaverse” has revealed they were victims of a $4 million crypto hack after meeting with scammers posing as investors in a hotel lobby in Rome. 

The bizarre aspect of the story, according to co-founder Ahad Shams, is that the crypto was stolen from a newly set up Trust Wallet and that the hack took place at some point during the meeting.

He claims the thieves could not have possibly seen the private key, nor was he connected to a public WiFi network at the time.

Shams believes the thieves were somehow able to gain access while taking a photo of the wallet’s balance.

The letter, which was shared on Twitter on Feb. 7, contains statements from Webaverse and Shams, explaining that they met with a man named “Mr Safra” on Nov. 26 after several weeks of discussions about potential funding.

“We connected with “Mr Safra” over email and video calls and he explained that he wanted to invest in exciting Web3 companies,” explained Shams.

“He explained that he had been scammed by people in crypto before and so he collected our IDs for KYC, and stipulated as a requirement that we fly into Rome to meet him because it was important to meet IRL to ‘get comfortable’ with who we were each doing business with,” he added.

While initially “skeptical,” Shams agreed to meet “Mr Safra” and his “banker” in person in a hotel lobby in Rome, where he would later show the project’s “proof of funds,” which Mr. Safra claimed was his requirement to begin the “paperwork.”

“Though we grudgingly agreed to the Trust Wallet ‘proof’, we created a fresh Trust Wallet account at home using a device we didn’t primarily use to interact with them. Our thinking was that without our private keys or seed phrases, the funds would be safe anyway," said Shams. 

However, it turns out Shams was thoroughly mistaken:

“When we met, we sat across from these three men and transferred 4m USDC into the Trust Wallet. “Mr Safra” asked to see the balances on the Trust Wallet app and took out his phone to “take some pictures”.

Shams explained that he thought it was okay because no private keys or seed phrases were revealed to "Mr. Safra."

But after "Mr. Safra" took a photo and stepped out of the meeting room to consult his banking colleagues, the crew vanished and Shams saw the funds siphoned out.

"We never saw him again. Minutes later the funds left the wallet."

Almost immediately after, Shams reported the theft to a local police station in Rome and then filed an Internet Crime Complaint (IC3) form to the U.S. Federal Bureau of Investigation (FBI) a few days later.

Shams said he still has no idea how “Mr. Safra” and his scam crew committed the exploit:

“The interim update from the ongoing investigations is that we are still unable to confidently establish the attack vector. The investigators have reviewed available evidence and engaged in lengthy interviews with the relevant persons but further technical information is necessary for them to come to confidently establish conclusions.”

“Specifically, we need more information from Trust Wallet regarding activity on the wallet that was drained to reach a technical conclusion and we are actively pursuing them for their records. This will likely provide us with a better picture on how this has transpired,” he added.

Cointelegraph reached out to Shams and he confirmed he wasn’t connected to the hotel lobby's WiFi when he revealed the funds on his Trust Wallet.

The Webaverse co-founder believes the exploit was carried out in similar fashion to an NFT scam story shared by NFT entrepreneur Jacob Riglin on Jul. 21, 2021.

There, Riglin explained that he met with potential business partners in Barcelona, proved that he had sufficient funds on his laptop, and then within 30-40 minutes the funds were drained.

Shams has since shared the Ethereum-based transaction where his Trust Wallet was exploited, noting that the funds were quickly "split into six transactions and sent to six new addresses, none of which had any prior activity."

The $4 million worth of USDC was then almost entirely converted into Ether (ETH), wrapped-Bitcoin (wBTC) and Tether (USDT) via 1inch’s swap address feature.

Shams admitted that “the event haunts me to this day” and that the $4 million exploit is “undoubtedly a setback” for Webaverse.

However, he stressed that the $4 million exploit and pending investigation will have no impact on the firm’s short term commitments and plans:

“We have sufficient runway of 12-16 months based on our current forecasts and we are well underway to deliver on our plans.”

Cointelegraph has also reached out to Trust Wallet for commen
