PSA Freewallet and Jaxx Getting Robbed - Over 10 Million USD Stolen

in bitcoin •  11 months ago

A bug was recently found in the Jaxx.io wallet - anyone with 20 second access to your PC's network can get all keys to your wallets due to the seed Jaxx generates.

The main problem is that the Jaxx software encrypts the mnemonic using a hard-coded encryption key, instead of making use of a strong user-supplied password. (As Daira Hopwood points out in the comments, using the PIN would not be sufficient.)

If you use Jaxx - move coins out ASAP.

Some people already claimed their coins were stolen. Full text - https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/

Literally right now, wallets from https://freewallet.org/ are getting cleared

If you used this service for some reason - move out ASAP.

The Wallet

Follow, Resteem and VOTE UP @kingscrown creator of http://fuk.io blog for 0day cryptocurrency news and tips!
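The design flaw quoted above, a hard-coded encryption key versus a key derived from a strong user-supplied passphrase, shown as an added example (not Jaxx's code and not from the linked write-up). All names, the sample phrase and the iteration count are assumptions, and an HMAC-SHA256 keystream stands in for a real cipher so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Constructed sample phrase for this example; not a real wallet backup.
SAMPLE_MNEMONIC = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"

# Hypothetical constant standing in for a key compiled into an application.
# Every install ships the same value, so it is not a secret.
HARDCODED_KEY = hashlib.sha256(b"example-constant-shipped-in-the-app").digest()

KDF_ITERATIONS = 200_000  # assumed work factor for this example


def subkeys(key: bytes):
    """Split one key into independent encryption and MAC keys."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key."""
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


# Weak design: the stored blob is protected only by the shared constant.
def store_weak(mnemonic: str) -> bytes:
    return seal(HARDCODED_KEY, mnemonic.encode())


def read_weak(blob: bytes) -> str:
    # No user secret is needed: the file plus the application is enough.
    return unseal(HARDCODED_KEY, blob).decode()


# Hardened design: the key exists only while the user types the passphrase.
def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def store_strong(mnemonic: str, passphrase: str) -> bytes:
    salt = os.urandom(16)  # per-wallet salt, stored beside the ciphertext
    return salt + seal(derive_key(passphrase, salt), mnemonic.encode())


def read_strong(blob: bytes, passphrase: str) -> str:
    salt, sealed = blob[:16], blob[16:]
    return unseal(derive_key(passphrase, salt), sealed).decode()


if __name__ == "__main__":
    weak = store_weak(SAMPLE_MNEMONIC)
    print("weak blob readable without any secret:", read_weak(weak) == SAMPLE_MNEMONIC)
    strong = store_strong(SAMPLE_MNEMONIC, "a long passphrase only the user knows")
    try:
        read_strong(strong, "guess")
    except ValueError as err:
        print("strong blob without the passphrase:", err)
```

Feeding a short numeric PIN to `derive_key` would still leave a small set of candidates to try, which is why the quoted text says the PIN would not be sufficient.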


This post is about people reporting they lost funds due to using 2 wallets. It's a PSA post - Please Stay Aware.

If super skilled guys like transisto or andu want to argue about the Jaxx exploit - please do it with the finder, who's linked in the article https://vxlabs.com/2017/06/10/extracting-the-jaxx-12-word-wallet-backup-phrase/

I'm not as skilled as you two to say he's wrong.

And people moving coins to other wallets due to my post are not losing anything, but people NOT moving coins if this PSA is real will lose.

@kingscrown, while I've enjoyed a number of your posts, I am concerned that this one crosses the line into irresponsible reporting. For those of us who are sufficiently fluent in the technical underpinnings of this Jaxx "bug", the truth is that this is a far cry from "the sky is falling". Seeing the nature of responses below from folk new to crypto confirms that your directive to "move coins out ASAP" makes this sound like everyone is screwed. Period. Which is unfortunately far from the truth. I really am sorry that I cannot Upvote this one.

As far as the "bug",

  1. Is this an undesirable feature of Jaxx, YES.
  2. Will everyone, everywhere lose all their coins, NO.
  3. Will Jaxx "fix it"? They have indicated they won't, but before you crucify them, speaking from experience as a developer the solution may be more complex than you imagine and could break more things than it fixes.

The best thing we can offer to all the newbies out there is accurate, understandable information on both the capabilities and the responsibilities of this technology. Some simple, basic steps when choosing a wallet and how we secure it can go a long way toward preventing all these supposed terrible things happening.

For those who have read this far, the effect this Jaxx function has on the safety of your coins can be compared to your physical wallet or purse (for those who carry one). Would you really want to walk down the street just hanging it out there for anyone to easily see or grab? Would you leave it unattended on a bench at the city park?

So, what should you do?

  1. If you are super paranoid, switch to a paper wallet. A good tutorial can be found here and some warnings here.
  2. If you want to keep your wallet on your computer or phone, then keep the device secure. That means:
    a. Keep it patched and updated.
    b. Make sure you have a "not easy to guess" password or passcode.
    c. As exciting as it might be to jailbreak your iPhone or Android, please don't keep your wallet on there. You are just asking for trouble.
  3. You know the whole "don't click on a link or open an e-mail you weren't expecting"? Seriously, that's how the bad guys get you almost every time. Stop it. You might have all the other precautions in place, but by clicking, you just opened the front door of the house and invited them in.
  4. Don't connect to the Internet without protection.
    a. Please put some kind of router/firewall between your computer and your internet connection at home (cable, DSL, fiber, whatever).
    b. Think twice (or thrice) before connecting to that "Free WiFi" when you are out and about. It always comes at a cost.

So, maybe I am just a minnow swimming upstream, but for me, I am keeping my Jaxx wallet and already had protections in place to ensure no one can get access to it for the ten minutes they need to crack my backup phrase.

·

Thanks, I did not say anywhere everyone on Jaxx will lose money, I said if you have money there - move them for safety ;) The post was done as a PSA, nothing wrong with moving your coins out till this bug is fixed!

anyone with 10 second access to you network

Also please notice this post is about TWO wallets of whom users reported lost coins.

All I say - move out and be safe.
Possibly most people don't get what PSA means.

PS. I do love Jaxx and my network is secure, but many people could have their networks hit.
Better be safe than sorry. If you know what you're doing - good, if you are not sure - move for now.

·
·

Exodus wallet is good to use and pretty secure, thanks for the info 👍 Paper wallets all the way, don't keep your wealth in an exchange, get them offline as soon as you can 😀

·
·
·

In case if any of you are curious whether the Exodus Wallet shares similar vulnerability, I've emailed the exodus support and received the following reply:

http://prntscr.com/fk7lib

·
·
·
·

Thank you for the information. I have Exodus and was curious if the same could happen. Regardless, just reinforcement that larger amounts of coins should be kept in paperwallets.

·
·

I hear you. For small players, though, the mining fees to keep moving your coin around adds up.

Gauge the reaction of your readers and adjust as you go.

Cheers!

·
·
·

All good man :)

·

This is superbly put. Thank you!

·
·

Thank you for your kind words and vote!

Great post i saw that freewallet just scamming ETH out of so many users it is incredible.

·

Spread this to people who still have their money tied up on Jaxx.

Jaxx_Annie said on this reddit thread (https://www.reddit.com/r/jaxx/comments/6gpurq/limit_on_send/):

"No worries! We're actually working on a new security model as we speak. We'll update you all shortly :)"

·
·

I like the Jaxx wallet so I hope they get this fixed.

·

Well I have been using Jaxx for the past 4 months and still using it. My Eth and Dash are still safe. And I'm going to stick to Jaxx as it is one of the best multiWallet.

·
·

I am sticking to Jaxx too as in my opinion it's not one of the best but the best multi currency wallet out there for small amounts. I have the mobile iOS version which I think is safe enough for the small amounts I keep on there. BUT what might have been safe 4 months ago can be very unsafe today and I won't hesitate to move my funds the moment I read an article that convinces me that Jaxx is unsafe for iOS.

·
·
·

By itself this problem doesn't make your eth vulnerable

·
·
·

Yes, I keep small sums on Jaxx as well. I guess it is unwise to have very large sums all in one place. If I had a large amount of crypto I'd probably split it in different places.

·
·
·
·

Yeah that's the best way to do it. Luxury problems though, wish i had those issues. ;)

·

Just spread words on twitter , follow https://twitter.com/Soul_Eater_43 for bitcoin updates team

·

Soul_Eater_43 The Cryptofiend tweeted @ 13 Jun 2017 - 02:01 UTC

Very worrying: PSA #Freewallet and #Jaxx Getting Robbed - Over 10 Million USD #Stolen@Steemit #bitcoin @jaxx_io… twitter.com/i/web/status/8…

Disclaimer: I am just a bot trying to be helpful.

I'm not worried.

Such bad reporting,

anyone with 10 second access to you network can get all keys to your wallets due to seed Jaxx generates.

It's physical access to device storage, very hard on a pin locked phone.

This is proper reporting : https://steemit.com/cryptocurrency/@steemitguide/jaxx-security-and-exploit-allows-easy-extraction-of-the-jaxx-s-wallet-12-word-backup-phrase
(2 days ago)

·

Somewhat true. On a phone it's almost impossible to get to the files containing the encrypted mnemonic. Hard code encrypted as it is. The apps are sandboxed. If you choose to hold your coins on a rooted phone, well that's your problem right there.

Secondly, the desktop side which is more exposed. The hacker needs access to your drive, to your files. If you can't secure your computer to not be breached, then again, you shouldn't be holding Jaxx or any wallet on your desktop.

They are comfortable with this approach for the moment as some of the responsibility is also in the hands of the coin holder. There are also developments to increase security.
Stop spreading FUD @kingscrown. People that have these levels of breaching should get their own security on par with the industry trend. If you forget your credit card on a counter, is it the bank's fault that your funds get stolen?

·
·

Thanks, for the info. I just lost some bitcoins to hackers that stole it from my third party wallet . Security is really a BIG challenge to cryptocurrency. This will discourage many from investing in crypto.

·
·

He could be a CIA mole on Steemit--tons into cryptos, trying to sabotage anyone who makes too much money like beating down silver and gold when they rise too high. Creates lack of trust in cryptos. Theft event may also be Fake News--may never have happened. Also all browsers are viewed by CIA, NSA--anything non-encrypted. Write down password immediately on a piece of paper and delete from laptop--breach could have occurred with unencrypted password viewed by owner on laptop.

·

True and most Democrats will try to sabotage Cryptocurrencies. Democrats live on triple bookkeeping entries and ledger legerdemain. Rogues are rogues and rogues by nature destroy--that's all they do--no values. A danger to cryptocurrencies. Hundreds of CIA Deep State guys and gals are surely into cryptocurrencies trying to destroy them.

·
·

Me think you're responding to wrong comment.

·
·

Wonderful times ahead as the crypto community tries to avoid these baddies. Decentralised exchanges are one way we can avoid them, by bypassing the likes of Coinbase, Kraken and other centralised exchanges.

·
·
·

Decentralization is probably the BEST security possible within the current system, as the per-account cost remains additive, rather than anti-log.
That will become moot when the baddies get access to quantum processing.

·

right... trolls everywhere . such bad reporting .

·

I was wondering about this. Nobody has 10 second access to my phone. I treat that thing like a physical wallet.

·

Do you use coinbase? How secure is it please and please is there any platform to trade btc in Africa?......am a crypto rookie please, pardon my intrusion!

·
·

coinbase is cool to buy crypto but don't store it there.. download Jaxx or get a Ledger S Nano hard wallet to store your crypto. Never keep crypto on an exchange like coinbase thinking it's a wallet...

·
·

If you cannot use Coinbase try Xapo

·

I guess if people leave their mnemonic lying around and if people don't set up a pin code then safety is pretty much zero. Otherwise I think most wallets are more or less equally safe (or unsafe? lol).

·

Dont think so, but two wallets are getting emptied now

·
·

wow....very troubling...
It is a bit strange because Coinbase also had a lot of issues today, people couldn't access funds etc.
https://steemit.com/cryptocurrency/@digicrypt/coinbase-having-major-issues
I know it is completely different and most likely not at all related, but it is weird to see this level of disruption in the sector, especially when the markets are in a sea of red. (Other than ETH) Thank you for the heads up I will resteem this.

·
·
·

My ETH transaction through coinbase has been pending for over 10 days now. Withdrawn from my account but something is going on and its starting to stink.

·
·

Also...just found this article about the security flaw that was posted yesterday??
Weird
http://www.newsbtc.com/2017/06/11/anyone-can-extract-jaxx-wallet-mnemonic-seed-developers-will-not-fix-problem/
"To put this into perspective, it appears the Jaxx team is aware of this problem. However, the team has no intention of fixing this flaw by any means."
What is going on here?

·
·
·

I have known about it for some time but it didn't look good enough for a post here. 2 hacks.. now we are talking!

·
·
·
·

The news is going to have a field day with this...

·
·
·

whoa; everything about that sounds super bad -

·
·
·

There isn't a flaw per se. If a hacker gets access to your computer, are you really concerned just about your Jaxx data? C'mon people... keep your devices secured and nobody will steal your funds.

Horrible to see.

https://freewallet.org/ always looked like a scam. xD
Why else would you set up a shitload of wallets, and have no way to make profit.

Thanks for bringing this to the masses!

·

i have no idea, never heard of it till i saw all news of their wallets getting empty

·
·

damn.. never knew they had so many users...
it's always hard to trust online wallets

·
·
·

What kinds of Wallets do you trust most? -- SO far, I like wallets that give me both an app, and an online back up - but am wondering about the actual desktop (downloadable programs) if that makes sense; I'm thinking about getting into PeerCoin and looking for a good Ripple Wallet - (other than Gatehub)

·
·
·
·

freewallet is still running and i still have my balance on it though

·
·
·
·
·

Lucky!

·
·
·
·

I trust all wallets where I am the only person who has the private keys ;-)
-Openledger: Decentralized Exchange
-Core wallets
-Paper wallets

·
·
·
·

Ledger Nano S has announced support for Ripple and Stratis recently, I think Lisk soon. I have just bought a matched pair (1 for use, 1 for backup) for less than $200USDT - to distribute more amongst my present Ledger Nano and airgapped machine, and paper-wallet (gift-card) regimen. At this stage of the game, hardware wallets seem the pick of the bunch, now beginning to make sense for hodling altcoins.

Jaxx wallet? So where is the safe haven now?
So many people new to this and then find out the whole thing is as unstable as the damn banks! What does everyone recommend then?
If you download to Jaxx but then a hard wallet shouldn't you be ok?

·

take a look at the bitshares platform. similar security to steemit, built by @dan

good stuff.

·
·

Thanks will do

·

A hardware wallet is the safest bet at the current moment.

·
·

Are you talkin a wallet made from leather Or is a 'hardware wallet' a thing? Newbie here can you maybe expand on that ? :) Thanks

·
·
·

Look into Trezor, Ledger nano, paper wallets, etc..go from there.

·
·
·
·

Awesome, Thanks man.

·
·

I can't agree more and it's like everything else it's either in your hand or not. At least a hard wallet is disconnected from any device. Thanks for the reply.

·
·

Definitely, I would recommend having multiple hardware wallets (as backups) for redundancies, also make sure the wallets are offline (combination of USB Ledger + always offline laptop would work).

·

Myetherwallet.com is good, used it to register adrianroberttorres.eth which is my ether address now lol

The sooner Trezor supports much more cryptos the better for everyone.

Upvoted and resteemed. I wanted to try this wallet before as it is the only IOS wallet for Ethereum I know so far. I am so glad that I didn't do so. The wallet is close-source and I use Bittrex to store most of my cryptocurrency instead, except Bitcoin.

·

get a Trezor - it can accept btc, dash, zcash, eth, etc, and all eth tokens - at the moment, I'm sure more are to follow

·
·

And recently litecoin, although its on a beta wallet server.

·
·
·

hmm, cool did not know that

After hearing about free 20$ dash, i wanted to give it a try but after seeing it's rating on Google play i held myself back, and went for Coinomi, glad i did.

This post received a 45% upvote from @randowhale thanks to @kingscrown! For more information, click here!

If we can get STEEM in the news, we can get it over $5 each.

Everyone should use this Media email list (3000+ contacts)
https://steemit.com/steem/@marsresident/how-you-can-help-get-steem-in-the-news-simply-using-your-email

And send them this:
http://www.reuters.com/article/us-currency-steem-idUSKCN0ZS2MF

And this:
https://coinmarketcap.com/currencies/steem/

God thats HORRIBLE! Not the first time this happened..

Why do people use online wallets?! Stop it!

·

So what is a safe multi currency alternative for iOS?
I've been looking for something for weeks but keep coming up empty. I'd rather have my coins stored on my device with a paper backup but so far nothing out there is sufficient to keep my various coins in one place and accessible from my mobile so I can spend if I need them. I'd LOVE any suggestions.

Hey found you again ! Thanks good read!

Congratulations @kingscrown!
Your post was mentioned in my hit parade in the following categories:

  • Upvotes - Ranked 1 with 1323 upvotes
  • Comments - Ranked 2 with 262 comments
  • Pending payout - Ranked 1 with $ 2185,99

The Freewallet incident hasn't been confirmed yet. The guy who started the Reddit thread may have gotten the pitchforks in too early. He's currently in communication with their support staff.

While I do not use Freewallet (I haven't even heard of it until today) I do hope that no one is actually affected and that the issue will be resolved tomorrow. I recommend that people just keep calm and wait.

If it turns out that nothing actually happened, just maintenance or something like that, I'm sure that a lot of people will feel stupid and the company's public image terrible. It already looks like it is destroyed.

·

Thats why its PSA - move out, wait, see what happens

did some research and found this blog from Jaxx CTO. Jaxx is a hot wallet suitable for small amount of fund

http://decentral.ca/jaxx-balance-security/

scary stuff.

THANKS KINGSCROWN! :) FEPE APPROVES THIS IMPORTANT MESSAGE :)

Does Ethereum Wallet really work on mobile with the blockchain size? I'm having trouble about to run out of disk space on my laptop as the blockchain has swelled to 70 GB+; lite version on mobile?

·

Use light sync:
https://www.reddit.com/r/ethereum/comments/669cn9/how_to_use_the_geth_light_client_in_combination/

It takes 5 minutes to sync and uses only 400 megabytes of space.

·
·

Thanks, great catch.

Thank you for posting! I will let everyone I know about this hack. best, @altcoinusa

Every time you come up with something awesome and beneficial there is always someone who'd try to take away that happiness, sad.

It is crashing!!! I told you all!!
But seriously, what's up with people using online wallets?

·

So what's a good multi currency wallet that stores only on your device?

Wowzerz!!! Always protect your money guys! 🙌🏼🙌🏼🙌🏼

Man, this sucks. Thanks for getting the word out.

Thanks for letting people know. That is crazy!

Apparently it's a centralized wallet and they are just moving money around.

·

That would be great! For now all people are scared and keep posting about stolen funds.
Jaxx bug is known since some time though, its real for sure.

·
·

Very possibly stolen, at first I thought 8m ETH, no dump, impossible, 20k ETH is nothing... so quite irrelevant.

Upvoted & Resteemed.... Woah $8 Million vanishing into thin air is absurd. Whomever that whale is really needs a cyber hug right about now. :/

Wow, I just set up a Jaxx Wallet this morning but honestly didn't like the process; When I downloaded the app Initially and had no username or password; no email linked - i was wondering how it would translate to the desktop; when I figured that out, I was like .... wow ... still no email associated; I Didn't 'feel' as comfortable with it; Sorry to hear this happened to them but Glad the community is spreading the word!!

Thanks for the news- that's awful!

Bad news, such a pity

·

follow me and IFollow you Back.
Sorry Newbie here.😣

·
·

This is called spam Aaron.
Not good.

·
·

Lol, okay

OMG that's crazy! Thank you for the information!

I love Jaxx but I only use it as a "hot wallet" (basically for transactions I am going to make fairly soon) .. Thanks for the heads up.. If I see my $2 missing I'll know what happened to it!

wow that's brutal! a sorry lesson to anyone that keeps coins HOT

I thought this only affected those that ran the Desktop client?

upvoted and resteemed .. sad for them..

If you are good at something, never do it for free..

You think coinbase is safe?

oh noooo
I will resteem this post to make people safe
thank you very much for your help

Hi, im krgf1motors.
Tanks votes

Better get that cold storage set up

Always use a wallet that YOU control.

Thank you very much for this!
(just moved 15btc to another wallet until code wallets comes int mail. I must scare easy..)

You are of course completely right, the PIN would not be sufficient, jaxx would really need to add a passphrase to encrypt the backup phrase.

who pimps this, oh right, the same ones involved in all other shit

Thanks for the news, though it is not pleasant at all

Upvoted & Resteemed... I use Coinomi because I've heard good things. Can this hack happen to any wallet or only the idiots running these companies?

·

No, it can only happen to idiots who do not PHYSICALLY SECURE their hardware- which, given the attitude of Jaxx management, they assume they're immune to this attack, and probably are.

Eiahhhhhh ! There doth exist a crypto-bug ! Yikes !!

what a joke

Thanks for informing sir :)

I can't even move out, all the exchanges are taking like 10 hours or more...

What wallet do you recommend?

HEY GUYS - REMEMBER!!!! ...your cryptocurrencies are safe ONLY in a cold storage wallet

I feel sorry for their loss.. :/

nek minute govs are making laws to protect your money and take away your freedoms

Damn that is some madness.

Oh my gosh ! Very odd this and worrying.

Snap. Well guess I better get mine out of jaxx tonight. Thanks for the warning! Mine was still in there luckily. All these things that happen like this are bad for crypto and it sucks!

Holy cow, I am glad I stayed away from these guys. Cheers for posting man.

Wow, Jaxx was supposed to be safe haven for coins. So that long random phrase was totally useless or basically nothing is safe.........

Coinpayments wallet had a glitch with their ripple wallets this week, a lot of balances are emptied (just like mine)... 😕... I've started to make paper wallets on an offline Linux PC...

thanks for your posting. I'll resteem and also tell other users about this..

Sad News !

Damn multiwallets. Just use the core fucking wallet for every coin and you're pretty much golden.

God....I am using Jaxx

HiJaxxed..

This is bad news for the crypto world!

I have a feeling I was robbed disguised as "transaction fee"....

Anyone here paid 66$ to send BTC anywhere??


well.. with a name like Jaxx you should expect things are stolen (jacked) lol, jokes aside I'm sorry to anyone this affected

Making a long story short: people using this wallet should keep the Jaxx desktop app's local storage directory on an encrypted filesystem which you only mount when you're using Jaxx.

I've always found it a bit questionable that Jaxx is not open source. It's hard to establish trust if you can't have another party verify the code.

Fuc......k that
Is there any way to have your coins refunded/returned
I lost some Sc from poloniex recently opened a ticket but I am waiting for 2weeks now without answer from polo

This bad news although I'm using this wallet its better to do something about this thing. Upvote and follow you @kingscrown

Everywhere scammers... sad.

Thanks @kingscrown for this news (y)

=> Protect your money guys!

Yikes I heard about this earlier today, glad I moved all my coins ok sorry not everyone will be able to say the same

That's why I'm using a TREZOR...

This is so scary I used jaxx wallet once to sweep dash paper wallet and thankfully didn't use it again after transferring funds out. Also only the other day I was about to download monero wallet from freewallet.org but again thanks to the negative comments at the android store I opted out, so glad I did. Wow.

nice post although some of us that are not very complex like you on cryptocurrencies and new on steemit need better clarification.

Thanks good news

What happens to these users? coins are gone for ever?

·

That is why it is important to use 20+ character passwords

Thanks for the share man. I feel so sorry for the victims of this attack. What a disaster,

I downloaded Jaxx a week ago. I planned to use it this week. Thanks for your news.

I have a few ICO stashes and some ETC in a jaxx wallet on a dedicated android wallet phone. I have a PIN and an encrypted filesystem. Am I safe? Do I need to move my coins and tokens elsewhere until this is resolved?

·

Wisdom demands that you move it......... wait..... until it's confirmed.

Wooow! I really expected more from them :\

They have to make money by any ways, Never trust non open source projects

thanks for your informations!

So any of you fell victim to this? Everything is still there in my Jaxx wallet. Always loved the functionality, completeness and shapeshift on board.

I hoped coinbase is safe, that is where my entire life is........!!!

will it affect on price of eth?

I convinced my brother to put Jaxx on his phone a day before this happened, but we didn't move any money over into it.
He's completely out of crypto currencies now.

Hi, thanks for the info. I posted a few days ago about freewallet.org, warning people it was a scam, and about their free steem wallet too and how bad it is: they don't send funds and basically deny you access to your funds, it just says transaction failed.

@kingscrown thank you very much for this article. It is very challenging to keep everything secured in cryptocurrency. And also followed you.