Is your little fox and imToken wallet being targeted? Attacks and phishing targeting mainstream wallets are exploding on a large scale

Various wallet security incidents have been emerging in the industry recently: On April 18, a tweet of 5,000 ETH stolen coins by MetaMask wallet developer @tayvano_ was widely circulated in the encryption community, believing that MetaMask had vulnerabilities, causing panic in the community. On April 19, MetaMask responded that it was false that the vulnerability was stolen, but it was studying the source of the vulnerability. On April 20, imToken officials reminded that fraudsters have recently impersonated imToken officials and contacted users by sending text messages and other methods to induce users to visit fake websites and enter mnemonic phrases, causing users to suffer asset losses. On April 21, SlowMist researchers said The top advertisement after searching for "imToken" on Google is a new type of phishing website. Users are advised not to click on the link and be careful to avoid risks.
On April 22, Trust Wallet issued an announcement that there was a vulnerability in the addresses of new wallets created from November 14 to 23 last year, and a compensation process was created for affected users.
With the explosion of demand for interaction on the chain such as DeFi and NFT, the industry is no longer like the early days. Just buying coins on CEX and placing them on CEX can meet the needs of most investors. Most investors will put some or even all of them Tokens are kept in one's own wallet, which has also caused this industry to become a paradise for hackers. From time to time, it is reported that some investors download fake APPs due to authorization, leak private keys, or have vulnerabilities in the wallet itself, resulting in the theft of their assets. , in the end it turned out to be nothing. Ensuring the safety of its own assets has become an essential skill in the industry. Next, we will comprehensively understand how to protect the security of blockchain assets from several aspects such as wallet-related knowledge, stolen cases, and knowledge of protecting private keys.
01 Wallet related knowledge
Before ensuring the safety of your assets, you need to have a certain understanding of some basic knowledge about wallets in the industry so that you can better understand how to protect your assets. Next, we briefly introduce some related concepts. 1. Symmetric encryption and asymmetric encryption Before understanding the public (private) key, we first briefly understand the symmetric encryption and asymmetric encryption in cryptography. Symmetric encryption means that A can obtain B through a certain algorithm, and conversely, B can reversely decrypt A through the same algorithm. Here, the same algorithm is used for encryption and decryption; asymmetric encryption means that A through A certain algorithm can obtain B, but B cannot be reversely decrypted through the same algorithm. Different algorithms are required for encryption and decryption here.
As shown in the figure, the difference between symmetric encryption and asymmetric encryption lies in whether the public key of the message recipient and the private key of the message recipient in the figure are the same key.
2. Public (private) key, mnemonic phrase, address. Understanding symmetric encryption and asymmetric encryption can help you better understand some basic concepts related to wallets.
Key pair: In asymmetric encryption, there is a pair of key pairs, namely the public key and the private key. The public key is public and the private key is not public.
Public key: used to encrypt data. Data encrypted with the public key can only be decrypted using the private key.
Private key: The private key can generate a public key, which is used to decrypt data encrypted by the public key.
Address: Corresponding to the "public key", because the public key is too long, there is an "address", and the address is generated by the public key.
Mnemonic: Corresponding to the "private key", because the private key is a randomly generated string that is too long and difficult to remember, a set of human-readable words were created to replace the private key to help users remember the private key. , usually 12 irregular phrases. (private key = mnemonic phrase)
Electronic signature: For a certain piece of information (you transfer 100 Ethereum to someone), this information needs to be signed by your private key and then broadcast to the blockchain.
Signature verification: The receiving end can verify through your public key that the message is indeed signed by your private key, that is what you published, and the transaction record is on the chain. Therefore, whoever controls the private key controls the wallet.
To simply understand, the public key (address) is equivalent to your account number, and the private key (mnemonic phrase) is equivalent to your account number + password (the private key can generate a public key). Using the bank card analogy, public key = bank account, address = bank card number, password = bank card password, private key = bank card number + bank card password, mnemonic = private key = bank card number + bank card password, Keystore + password = For private keys, regarding the basic knowledge of wallets, you can check out the previous popular science article "If you want to keep your assets safely, you must first know these things about wallets." 3. Saving the private key (mnemonic phrase). Your coin is not stored in your wallet APP, but in the address corresponding to the private key in the blockchain network. As long as you have the private key, you can use the private key. Log in to all wallets (this wallet supports the chain where you have coins). The wallet is only a front-end for displaying account funds and does not save your private key. If the private key is lost, it means that your assets will also be lost and cannot be retrieved through the wallet. When registering a wallet for the first time, the wallet page will generally remind users of this. This is completely different from the QQ and WeChat we used before. If the password is lost, it can be verified through mobile phone verification, questions and friend verification. Of course, this is also the charm of blockchain decentralization. Your assets are completely Be your own.
4.Wallet types
Depending on whether the private key is connected to the Internet, wallets can be divided into hot wallets and cold wallets, as shown below.
Hot wallet: client wallet, plug-in wallet, mobile APP. It is easy to use, easy to operate for novices, has relatively high efficiency in transaction transfers, but has poor security and is easy to be stolen.
Cold wallet: Hardware wallet.
It has high security and is suitable for storing large amounts of assets. Complex creation, troublesome transfers, hardware damage or loss of private keys may cause the loss of digital assets. For a more detailed classification of wallets, you can check out the previous popular science article "Popular Science | What types of digital asset wallets are there?" From the above, we can know that the private key is everything, and all our measures to protect assets are actually to protect the private key. Protect the private key, protect the private key. (Prevent the private key from being lost and obtained by others)
02 Stolen cases
After understanding the relevant concepts, let's take a look at the main loss cases currently. Through the cases, we can better protect our own wallets. 1.Leakage of private key (mnemonic phrase)
At the beginning of 2021, Yiren, the founder of Making Money Youshu, saved the Bitcoin private key in Cloud Notes, resulting in the loss of eight-digit assets in BTC.
In November 22, Fenbushi Capital founder Shen Bo’s digital assets worth US$42 million were stolen. The stolen assets included: 38,233,180 USDC, 1,607 ETH, 719,760 USDT and 4.13 BTC. According to subsequent analysis by the security agency Slow Mist, the theft was caused by the leakage of the mnemonic phrase.
  2. The private key (mnemonic phrase) is lost
British IT engineer James Howells lost his computer hard drive in 2013, which contained 8,000 Bitcoins. Nine years later, he planned to spend US$74.3 million rummaging through junkyards to recover the computer hard drive.
3. Click on the virus link
A user randomly clicked on a link sent by others, causing hackers to read metamask's local encrypted backup and all assets were stolen.
Twitter KOL clicks on the private link sent by others, causing the Twitter account to be stolen, and then publishes poisonous airdrop information, using fans' trust in the KOL to click on the link to steal fans' assets.
4. Authorization at will may lead to vulnerabilities in the application.
On October 2, Token Pocket’s DEX Transit Swap officially stated that it had suffered a hacker attack, with asset losses exceeding US$15 million, and reminded users to cancel authorization.
On October 11, the plug-in wallet Rabby developed by the DeBank team claimed that its Swap contract had a vulnerability and recommended that users cancel the Rabby Swap authorization. In the end, the hacker made more than $190,000.
  5.下载假的APP（带病毒软件）
After some hackers obtain platform user information, they spread panic messages to users through text messages. The platform is no longer safe. They need to click on the link to reinstall the application or log in to the account. After logging in, the account funds are stolen.
A user downloaded a fake Binance app and when transferring money, transferred it to someone else's address, and 5 ETH assets were completely lost.
We can see from the above cases that user assets are stolen mainly in the following situations: leakage of private keys (mnemonic phrases), loss of private keys (mnemonic phrases), clicking on virus links, arbitrary authorization, and application vulnerabilities. There are several situations such as downloading fake APP (with virus software). Next, let’s sort out what methods can be used to avoid the above situation.
 03 How to avoid property damage
1. Storage of private keys (core: not easy to lose, not easy to damage, and cannot be accessed or used by others)
Back up the wallet immediately after it is generated, double backup, because once lost, it cannot be retrieved.
The mnemonic phrase is stored on a medium that is not connected to the Internet and is not easily lost or damaged, such as copying it on paper and encrypting it yourself (adding or subtracting specific characters to facilitate memory); find a camera storage that is never connected to the Internet; there are some wallets Providers sell iron plates related to mnemonic phrases.
Use a cold wallet (hardware wallet) and choose a well-known cold wallet; purchase from official channels and not through third-party channels (third-party channels may contain viruses); set a strong password and back up the private key to prevent the hardware wallet from being lost or damage.
2. Prevent private key (mnemonic phrase) leakage
Do not copy and paste the private key, some software can read the user's clipboard
Do not save the private key in WeChat collection, transfer files, Baidu Cloud, Evernote and other online platforms
Never tell anyone your private key. Remember, it’s anyone. Some scammers pretend to be wallet officials to defraud your private key. Don’t believe it. The wallet party has no right to obtain the user’s private key.
Don’t copy and paste private keys when using public Wi-Fi
To download various applications, you should go to official channels. Sometimes all application stores are not trustworthy (remember, all) and there are fake applications.
Be cautious when signing your wallet. For heavy users of DeFi protocols and NFT interactions, remember to revoke authorization in time to prevent theft of assets due to vulnerabilities in the application.
Do not click on links (text messages) sent by others at will, download files shared by others, or even click on some KOL links at will, as they may contain viruses.
Once you find that there is some asset leakage in your wallet, you should abandon the wallet as soon as possible and don't take any chances.
Don’t use a free VPN
Keep up with the news and learn about new stolen information in real time
All the above measures are actually to protect your private key from being leaked. Not your key, not your coin!
3. Assets are dispersedly placed
You can disperse your own funds in wallets and trading platforms. Although the FTX incident has led to a lack of trust in centralized trading platforms, for most people, it is better to put their assets in a few centralized trading platforms than to hold them in their own hands. It is relatively safer and more convenient than a wallet. As long as the loss is not particularly large, several leading platforms can generally afford the compensation. There are several points to note when using a centralized trading platform:
Turn on triple verification (mobile phone, email, Google two-step verification)
Enable coin withdrawal whitelist
Download the App from official channels
When transferring money, confirm whether the address is correct
04 Conclusion
Through the above related knowledge, novice users can have a comprehensive understanding of the relevant knowledge of blockchain asset security. With the development of blockchain and the increase of on-chain interactions, the use of wallets will gradually become a Important basic skills and various measures are actually not absolutely safe, but relatively speaking, they can allow us to avoid most pitfalls. With the development of blockchain, new problems will continue to arise, requiring us to continue to improve. own knowledge reserve. Small amounts of funds do not have to be saved according to the above method, but you must be cautious and cautious when saving large positions of funds, because one mistake on your part may cause you to be thrown off the blockchain train forever. Can never catch up.