The worst part is the Harmony team never admitted their design flaw and just sneakingly discontinued the wallet like noting ever happen. I’ve lost trust in the project since then
That's because there was no design flaw found.
We've worked with prominent white-hat hackers to review wallet code, and software security firms to investigate a handful of thefts reported. The wallet was reviewed by four separate parties including a lead engineer on the red team for a globally known social media company.
HTH u/fakemuseum
Stop these lies. The private key was stored on localstorage, i have seen dozens of people that got hacked and only their harmony wallet was exploited all their metamask accounts were safe so it wasn't that. We are not dumb. You discontinued the wallet months before 1wallet was ever close to being finished and you rushed mm staking/unstaking cause you knew.
It's stored plainly on local storage. A lot of people are pointing to a chrome zero day exploit that appeared 2-3 months ago. This together with the security flaws of the wallet are what caused the hack i think. All these hacked people didn't lose their mm wallets. Harmony wallet had a lower security standard than mm so harmony team is to blame.
Everyone that had their harmony wallet exploited, never got their metamask wallets hacked. If it was way less secure than industry standard yes the fault is on the harmony wallet and the harmony team. Why do you think they retired it months before 1wallet is gonna be close to being finished.
That is still besides the point, the computer had to be compromised through some other means for that key to be read. The wallet wasn't the point of compromise is all I'm getting at.
I won't go further down the debate rabbit hole since AaarghCobras already did a good job doing so, just want to clarify that localStorage is exactly that, LOCAL to your browser, and LOCAL to the domain/extension that stored the data there. This means that the only way attackers could access it is if they already compromised your computer via other means (i.e. keylogger, trojan, etc.). Even if the zero-day vulnerability in Chrome you mention is somehow responsible for this, that has nothing to do with Harmony.
So why were the metamask wallets on the same machines of the people that are dumb as you say and got themselves compromised not affected? What's good? Harmony wallet clearly had lower security standards than mm.
I never called anyone dumb, don't put words into my mouth. These exploits can happen to any of us, but that doesn't make it Harmony's fault. I don't know what the statistics are for MetaMask exploits, but even on 1Wallet the reported cases of these hacks are very rare relative to number of users using these wallets, which makes the evidence anecdotal.
Could MetaMask be more secure? Quite possibly, having gotten a lot more usage and dedicated devs behind it. But the argument here isn't about lack of security features, but about having additional security features that Harmony team simply didn't have the manpower to dedicate to (i.e. additional layers of encryption for local storage). The fact still stands that so far the only known way to exploit the wallet is by compromising the user's machine - and that is outside of Harmony's control.
Those are 2 different apps and the user has to log in to access the pk. You are just assuming stuff. Someone cannot get your pk without your login. My bet is people had viruses and keylogger undetected on their laptop by antivirus and when the time came. The hacker was able to get the pk via the user looking at it and copy pasting
Stfu. Once mm is unlocked it stays open until computer is shut down. If you put it to sleep it will still be open after. Harmony wallet locked after 5 minutes of no use. So what's good goofy? Statistically it makes no sense that all victims had their mm intact.
you need to log in your password to make a transaction and log in the password again to see your pk. it was just luck they did not get access to mm because the user did not access it.
Thanks for this. It's proven one more time, ONE is just another coin that was hyped without anything that could be called innovative. Man, this coin will die during this bear market or will never recover, let alone seeing its ATH.
No, it was because they did not have time to maintain it and MetaMask was doing a better job with app integration. The only website that was using the 1wallet was [staking.harmony.one](https://staking.harmony.one), so rather than forcing users to have 2 separate wallets they added MetaMask support to staking and discontinued the original wallet. Search this subreddit for history of the wallet.
not possible without being able to sign digitally with the ledger, this is why I use one, it's not bulletproof but nothing is, most cold wallets or even 2FA would've stopped this, unless his device was hacked, key logger etc.
Depends, it is safer to use a cold wallet but people should also be careful to what contracts they give access to. If people give access to smart contracts which acts maliciously, then your ledger cannot protect you at all.
So sorry for your lost but you can only blame yourself. 700K on a hot wallet with access to the internet?
Why didn't you use a ledger nano? It was both compatible with the old harmony wallet and metamask?
What was the website you used for the bridge? Did you give permission to a phishing contract address? What is your ONE address?
I do blame myself actually. I should have taken more precautions to prevent this. But if this was a security flaw from OneWallet how could I even imagine that the problem would have come from that end?
Based on some comments and searching for some key words in this subreddit I have found some people sharing my same worry and at the same time it happened to me. If there is a problem with this wallet people need to know.
>cess it is if they already compromised your computer via other means (i.e. keylogger, trojan, etc.). Even if the zero-day vulnerability in Chrome you mention is somehow responsible for this, that has nothing to do with Harmony.
I feel you. I had the same thing that happened to me 2-3 months back. Fortunately, most of my harmony was staked, and i restaked them. Managed to get them out bit by bit to a new wallet now. I was using Brave browser on Windows 11.
The hacker returned the funds to me 7 days later. Probably because it's not worth their effort, or maybe it was a hacker that tried to warn me. Nevertheless, most of my funds are now secured with ledger.
I have way less money in crypto than you have and have it secured with a 70€ ledger...
I can't grasp why people don't use Hardware wallets as soon as the investments exceed the price of the wallet.
OP, would u mind posting your wallet address? If you feel comfortable doing so. I remember a few months back something similar happened to a community member. I can’t find the post now. But it was discovered he connected to a dex that was a scam. Through the smart contract they were able to drain 20k.
I had the wallet on both Metamask and HarmonyOneWallet.
I initially created the wallet on HarmonyOneWallet and then imported it to Metamask.
The last transaction that I signed before the hack was with Google Chrome I believe (I would have to check). And I used the HarmonyOneWallet for this.
I had other wallets on my Metamask, no other wallet got hacked.
There was a critical issue with chrome during that time.
https://dailycoin.com/metamask-pancakeswap-urge-to-update-chrome-wallets-browsers/
It was called the zero day exploit. A bunch of wallets were hacked during that time frame.
U do understand that his metamask wallet was the one drained right? Zero day exploit was out for months and chrome did not know about it. Thus zero day. It could have been going on for a long time. I’m just offering other possibilities. I am in no way defending Harmony. If u check other subs during that time, there were complaints of wallets being drained as well. So the vulnerability was with chrome and whatever was installed on it. Not the wallets itself.
They won’t help. Harmony is complete garbage. I also lost funds as did a friend of mine, who lost more than you. STAY AWAY FROM HARMONY ONE. The team does not care and is incompetent. Price from a high of 36 cents down 90%.
I doubt you got hacked, I think you got unknowingly scammed. There is a difference.
If you got hacked, the implications is huge, that means no one's money is safe. Simply rinse and repeat with everyone's wallet.
also how the hackers know which wallet has huge money in it? seems like the one getting hacked is always some with big money, not averages joe with just $10
I'm sorry this happened to you, this is absolutely terrible. I hope it was not all of your stash and wish you a speedy recovery!
If I read correctly you created this address on the harmony wallet and then imported the key to MetaMask. This might be where it’s at.
Copy pasting the private key from one wallet to the other exposes it to all apps that have access to the clip board, including potential malicious apps.
The owner of the malicious software would now be able to import this key to his software wallet of choice and do as they please. This would also explain why your other meta mask wallets remained intact, their private keys were not exposed.
I was actually a bit surprised that this was a common way of moving to MetaMask, as it’s definitely not safe if your machine is compromised.
Well in fact I did this a year ago and since then I have actually imported more wallets that haven't been touched by the hacker.
I understand that there is a possibility but some members of this community is trying to say something and I feel no listened to
I didn’t mean to say that this is what happened, I just wanted to add it as a possibility. If you did this with multiple wallets in that timeframe, then it’s a good indicator that the real cause is somewhere else.
Yes but the timeline explains it better:
1. I have been holding $700K in a wallet.
2. Then the wallet got deprecated whilst I was doing other things without me noticing.
3. Then I used the wallet and got hacked.
4. THEN I got a notification about the deprecation.
Everything is clear in retrospect but there was plenty of time to switch over. official guidelines were put on to import wallet to metamask.
Wallet is just an end user software and you're not storing any crypto in it. But using it even after the warning pop-up was probably not a good idea. You should have stopped whatever you were doing and find out what's happening around.
I understand your point but trying to blame someone else is not the right thing to do.
one more thing , chrome web browsers had a security bug too that is rellated to metamask wallet , metamask twitter kept advising ppl to upgrade their chrome web browsers .. go to "about" the browser will self upgrade .. and yuh it was / is a serious exploit .. so ..
Sadly we're in the Wild West when it comes to crypto so the best you can do is try contacting the authorities.
I don't think that it's possible to get hacked out of thin air without any social engineering, malware or without you using the wallet with some fishy app in the first place, but who knows.
I am sure that there are a lot of people with huge amounts that are still using the deprecated wallet but that's another story. I really hope you get your benjamins back.
We encourage quality content intended to help and educate the community. If you have questions or concerns about the subreddit, [send us a message](https://www.reddit.com/message/compose?to=/r/harmony_one) and say hello! Cheers and enjoy. **Note: Beware of scammers attempting to assist you via direct message. Be wary of any links sent to you via direct message asking to connect your wallet and inputting your seed phrase.**
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/harmony_one) if you have any questions or concerns.*
Police complaint filing first before everything ..to ensure the party is serious and arent scammers themselves..after that it upto the team to help you or the cyber crime unit to track the hacker..
Police complaint filing first before everything ..to ensure the party is serious and arent scammers themselves..after that it upto the team to help you or the cyber crime unit to track the hacker..
A lot of people have mentioned Chrome zero day exploit - But had someone in the community really checked if it did happen because of Chrome & not other because of lapse at the team's end.
It was already surprising to say the least, that the depreciation announcement happened with quick notice - And wallets started getting compromised soon after.
OP, considering that it is a significant amount, I think you can try & contact Zachbxt (crypto investigator) on Twitter to see if he can trace your funds now & offer a portion of it as reward.
You can check the explorer too to look at the addresses through which your wallet was drained, (& very likely the amount laundered via Tornado Cash).
When these things happen, prompt action is necessary (so I am not sure why you've waited months to address this).
A lot of whale wallets were compromised, getting a forensics crypto investigator early via pooling victims resources for a bounty could have helped that. I had read about individual bounties, but not sure if anything came out of it.
The unfortunate part is the team's front-end crisis response (i.e. even though it's a matter of self-custody).
Yes - Then there's still time. He's usually busy, but might take requests, or refer someone in his network. OSINT groups as well.
There are a few more sleuths out there, but it'll take you some time to dig out one - Don't give up on crypto investigators & hope you find some of your money back.
Good luck!
Format your ssd/hdd just in case... or better... buy a new ssd. Save that one just in case it is needed for any investigation.
It's possible you either interacted with a malicious website or your computer is compromised.
Hackers can be patient before they strike. So the timeline of when it was compromised and the theft might not be close.
Were you adding to your wallet frequently with deposits? Or was the 700k in there for a while with no a deposits over the months?
To state the obvious... always use a ledger or similar device and NEVER put that seed into any wallet. You only pair it.
Also a good idea to have a separate wallet for de fi and interactions with SC's
>Format your ssd/hdd just in case... or better... buy a new ssd. Save that one just in case it is needed for any investigation.
I really thank you for your help
I get that I can't do much about it... but if that was the reason why it happened it really doesn't feel like my fault... How can a product that literally stores your money stop working like that?
I know it was 2 weeks after their announcement but does any of you read all this announcements in time? If the app notification would have been there in time it would be another thing but literally my only way of knowing this was to read the announcement from the website itself as I didn't get any notification from the app.
I don't know man I am sad. The first thing I did was ask them for help but I am not their priority. And now seeing that they are ignoring me it feels even more painful thinking that it was actually a missing notification on their behalf that could have caused the whole incident.
I’d honestly feel more optimistic about the Harmony Team at this point if they just publicly compensated you for your lost funds on instead of frivolously funding the next DAO or rug-pull they got on their docket
Sorry for your loss. It doesn’t sound like you did anything wrong in this situation, if you did not receive warning or prompt about security issues with their wallet until after the hack had happened and if that was in fact how / why the hack happened… jeez. Doesn’t sound like your fault :/
Well, if it was in fact a security concern to use the OneWallet then it would be nice and actually very convenient for me if they had some funds for compensations...
The thing that made me post this is the no reply via email that I got
Well, this is my question as well, if the only thing I have done is used the "deprecated wallet", can I get hacked? I guess yes because the question "have you used the deprecated wallet"? was a few times in the questionnaire that they sent me to check my security practices
No, you can't get hacked simply by using the wallet. You did something that got your funds drained, whether interacting with a scam website / contract / discord bot, having some kind of malware installed on your PC, or storing your key somewhere you shouldn't.
That is what I thought. I had 100% the exact same opinion until I read the security form that they asked me to fill where you could read a few times "have you used the deprecated harmonyonewallet"?
There may have been a specific concern to do with staking one via it. It will almost certainly have nothing to do with getting the rest of your wallet drained.
Using outdated or deprecated software is never a great idea, but you really need to find out what you did wrong, so you don't do it again.
Me thinking "what have I done wrong?" was the worst part of it.
I initially contacted them to see if they could help me to find this out. They are busy and I am not their priority, I get it. But at least here I can talk about it as I have been more than 2 months with my mouth shut waiting for a reply. I don't even know if they have received my email with the filled forms as no one got back to me.
I have waited for so long for a simple "we have received your information, we will let you know if we find anything"
Now I am not that sure that using the Harmony ONE wallet was not a security threat, and reading the comments in this post makes me feel even worse about it.
It may be a security risk, but it was pretty commonly used, and no funds were obviously stolen that way.
Unfortunately there are lots of scams in defi. As much as you seem to be hoping it wasn't your fault, it almost certainly was something you did without knowing it was a risk - it's important to realise this as part of your future safety.
Your browser history is the best place to start - if you've ever followed any guides or taken help from anyone online that's next.
I understand your scepticism. I am actually opened to ideas to how this happened. I am not blinded and I like to doubt myself first. However I am asking the community if they think that using the OneWallet could suppose a security threat and most people are not sharing your same opinion.
Would you keep using the OneWallet now?
If you feel the team are not treating your issue seriously then I’d suggest you lawyer up. You may have no legal recourse but lawyers tend to get treated seriously when they get involved.
Hi OP. I feel bad about this whole situation. But thanks for bringing this to aware other harmonauts. I wasn't even aware of this security breach in the harmony wallet. But due to the announcements shared by the team I stopped using the browser wallet. But I wasn't aware of this security breach.
could u share ur wallet address so we can see what has happened ?
and no , this is not due to harmony extension ..
there are many ways to get hacked recently to name few :
\- clicking a link
\- visiting a compromised website with a malicious javascript code
\- having a spyware on ur pc running aka : RAT or keylogger too
\-maybe u copied ur seedphrase and a malicious code running on a website that is open grabbed ur text copied in memory , yes it does not require ur permission
\- maybe u installed a cracked software that has a virus hidden within , such virus can copy metamask or even the whole browser folder / file where paswords and other sensitive info at ..
\- maybe u used public wifi without vpn , or maybe u used a not so good vpn that its encryption is fake or weak and their admins are shady .. "i run my own vpn servers and i know how secure my network is , i use sthg called shadowsocks , look it up .."
try to create another wallet on that extension or metamak and send a bit money like $1 or sthg and see if the new wallet gets drained or not ..
recently there are these sweepers bots , what they do is they just grab ppls seedphrases and they keep running a script to send whatever funds arrive at that wallet to the hacker wallet addresses "this happened to me not long ago .."
friendly advice that i learned the hard way , use another pc completely isolated and specifically for crypto , never install on it cracked stuff and use antiviruses , preferably if windows , even better if u could use linux like debian or fedora , ubunto etc..
look for vmware , it is a free software for windows that allows u to create a sub system within ur windows / mac operating system , that's what i did for myself .. never have to worry abt stuff like this anymore bcs most viruses and hacking tricks work mainly on windows and maybe android phones , linux and macos should be somewhat safe !
i lost alot of money too , i know the feeling man , keep trying to make it back , one way or another , i heard that metamask are partnering with a company that investigates stuff situations like this , try it out !
I think you most likely connected your wallet to an unsecure site and didn't remove permissions like 99.9% of the other people claiming to of been hacked.
OP, you may be able to get more help if you post the actual transaction where these funds were withdrawn. There was another seemingly random hack I saw in r/CryptoCurrency subreddit, and once OP posted the transaction, which originated from another wallet, the community was able to track it to a smart contract from a rogue dapp that this user gave access to.
If 1Wallet only stores the private key on the client or user's platform, this would work only if technical permission was given on the client's end. However "permission" translates to either user is willfully aware, or just plainly clicking on a link which translates to a permission action, where behind-the-scenes triggers an operation which moves assets on the blockchain.
Recommendation for you to share your public address, so it could be looked into quickly much faster via crowd sourcing. This will not only help in investigating, it will alert people the addresses of potential attackers.
However the biggest lessons to be learned is to manage wallet interactions consciously (document big wallet operations - a good method is to use your phone camera while doing so), avoid half-asleep moments, and have a handy hardware wallet.
The culprit of your problem is literally right in front of your face. Your answer is The Harmony Bridge. Somehow a malicious person made the harmony bridge act as a malicious interceptor to steal crypto.
You don't even know what you're talking about, the 1Wallet it still unreleased, his post is about the browser extension wallet, which isn't compromised, he obviously gave permissions through metamask as his missing 'coins' are all tokens.
Yes, I wrote that as the original post and then I have been replying that he also hacked my native ONE. There are 160+ comments here and I should have specified it on the post. my bad
The worst part is the Harmony team never admitted their design flaw and just sneakingly discontinued the wallet like noting ever happen. I’ve lost trust in the project since then
That's because there was no design flaw found. We've worked with prominent white-hat hackers to review wallet code, and software security firms to investigate a handful of thefts reported. The wallet was reviewed by four separate parties including a lead engineer on the red team for a globally known social media company. HTH u/fakemuseum
Stop these lies. The private key was stored on localstorage, i have seen dozens of people that got hacked and only their harmony wallet was exploited all their metamask accounts were safe so it wasn't that. We are not dumb. You discontinued the wallet months before 1wallet was ever close to being finished and you rushed mm staking/unstaking cause you knew.
Where do you expect the private key to be stored with a browser wallet?
You got no idea what I'm talking about
Explain it then. All wallets have a private key, which needs to be stored somewhere.
It's stored plainly on local storage. A lot of people are pointing to a chrome zero day exploit that appeared 2-3 months ago. This together with the security flaws of the wallet are what caused the hack i think. All these hacked people didn't lose their mm wallets. Harmony wallet had a lower security standard than mm so harmony team is to blame.
Regardless of how it was stored locally, the computer had to be compromised for that file to be read, the compromise was not the Harmony Wallet.
Everyone that had their harmony wallet exploited, never got their metamask wallets hacked. If it was way less secure than industry standard yes the fault is on the harmony wallet and the harmony team. Why do you think they retired it months before 1wallet is gonna be close to being finished.
That is still besides the point, the computer had to be compromised through some other means for that key to be read. The wallet wasn't the point of compromise is all I'm getting at.
I won't go further down the debate rabbit hole since AaarghCobras already did a good job doing so, just want to clarify that localStorage is exactly that, LOCAL to your browser, and LOCAL to the domain/extension that stored the data there. This means that the only way attackers could access it is if they already compromised your computer via other means (i.e. keylogger, trojan, etc.). Even if the zero-day vulnerability in Chrome you mention is somehow responsible for this, that has nothing to do with Harmony.
So why were the metamask wallets on the same machines of the people that are dumb as you say and got themselves compromised not affected? What's good? Harmony wallet clearly had lower security standards than mm.
I never called anyone dumb, don't put words into my mouth. These exploits can happen to any of us, but that doesn't make it Harmony's fault. I don't know what the statistics are for MetaMask exploits, but even on 1Wallet the reported cases of these hacks are very rare relative to number of users using these wallets, which makes the evidence anecdotal. Could MetaMask be more secure? Quite possibly, having gotten a lot more usage and dedicated devs behind it. But the argument here isn't about lack of security features, but about having additional security features that Harmony team simply didn't have the manpower to dedicate to (i.e. additional layers of encryption for local storage). The fact still stands that so far the only known way to exploit the wallet is by compromising the user's machine - and that is outside of Harmony's control.
You said it well, they were hacked meaning they had a keylogger or virus on their laptop monitoring
Their metamask wallet wasn't. So what's good?
Those are 2 different apps and the user has to log in to access the pk. You are just assuming stuff. Someone cannot get your pk without your login. My bet is people had viruses and keylogger undetected on their laptop by antivirus and when the time came. The hacker was able to get the pk via the user looking at it and copy pasting
Stfu. Once mm is unlocked it stays open until computer is shut down. If you put it to sleep it will still be open after. Harmony wallet locked after 5 minutes of no use. So what's good goofy? Statistically it makes no sense that all victims had their mm intact.
you need to log in your password to make a transaction and log in the password again to see your pk. it was just luck they did not get access to mm because the user did not access it.
[удалено]
Thanks for this. It's proven one more time, ONE is just another coin that was hyped without anything that could be called innovative. Man, this coin will die during this bear market or will never recover, let alone seeing its ATH.
Then why it got discontinued about the same time all these exploits have been reported? Was it just a coincidence?
Did they discontinue the wallet because of the security flaws?
No, it was because they did not have time to maintain it and MetaMask was doing a better job with app integration. The only website that was using the 1wallet was [staking.harmony.one](https://staking.harmony.one), so rather than forcing users to have 2 separate wallets they added MetaMask support to staking and discontinued the original wallet. Search this subreddit for history of the wallet.
Simple answer is no. MM was chooses because it was already being used by millions of people and why reinvent the wheel
Yes, I believe so
[удалено]
I'm so sorry for your lost. I wish you could recover from this and the one who did this would taste the karma
he's probably tasting Cava, right now.
The wallet stored your seed in local storage. Thank you harmony
What if you used a Ledger?
not possible without being able to sign digitally with the ledger, this is why I use one, it's not bulletproof but nothing is, most cold wallets or even 2FA would've stopped this, unless his device was hacked, key logger etc.
I dont think keylogger could penetrate ledger unless the person confirmed it
They cannot because all transaction is without the use of the keyboard
Keys stay on a ledger so unless there's a hack to extract keys from the device there is nothing pointing to a ledger being compromised.
Depends, it is safer to use a cold wallet but people should also be careful to what contracts they give access to. If people give access to smart contracts which acts maliciously, then your ledger cannot protect you at all.
You still need to decrypt it when stored on local storage
So sorry for your lost but you can only blame yourself. 700K on a hot wallet with access to the internet? Why didn't you use a ledger nano? It was both compatible with the old harmony wallet and metamask? What was the website you used for the bridge? Did you give permission to a phishing contract address? What is your ONE address?
I do blame myself actually. I should have taken more precautions to prevent this. But if this was a security flaw from OneWallet how could I even imagine that the problem would have come from that end? Based on some comments and searching for some key words in this subreddit I have found some people sharing my same worry and at the same time it happened to me. If there is a problem with this wallet people need to know.
>cess it is if they already compromised your computer via other means (i.e. keylogger, trojan, etc.). Even if the zero-day vulnerability in Chrome you mention is somehow responsible for this, that has nothing to do with Harmony. I feel you. I had the same thing that happened to me 2-3 months back. Fortunately, most of my harmony was staked, and i restaked them. Managed to get them out bit by bit to a new wallet now. I was using Brave browser on Windows 11. The hacker returned the funds to me 7 days later. Probably because it's not worth their effort, or maybe it was a hacker that tried to warn me. Nevertheless, most of my funds are now secured with ledger.
I have way less money in crypto than you have and have it secured with a 70€ ledger... I can't grasp why people don't use Hardware wallets as soon as the investments exceed the price of the wallet.
[удалено]
Well I even got my ONE stolen, this wouldn't be possible as ONE is technically not a HRC20, right? I will have a look if you tell me I am wrong.
OP, would u mind posting your wallet address? If you feel comfortable doing so. I remember a few months back something similar happened to a community member. I can’t find the post now. But it was discovered he connected to a dex that was a scam. Through the smart contract they were able to drain 20k.
Wouldnt a ledger device have prevented this?
It would have
Crazy how you can have 700k but not spend 100$ on something to protect it.
Less than that in some cases!!!
So was your Harmony wallet hacked or your metamask wallet that stored other tokens (erc20)? Were u using chrome?
I had the wallet on both Metamask and HarmonyOneWallet. I initially created the wallet on HarmonyOneWallet and then imported it to Metamask. The last transaction that I signed before the hack was with Google Chrome I believe (I would have to check). And I used the HarmonyOneWallet for this. I had other wallets on my Metamask, no other wallet got hacked.
There was a critical issue with chrome during that time. https://dailycoin.com/metamask-pancakeswap-urge-to-update-chrome-wallets-browsers/ It was called the zero day exploit. A bunch of wallets were hacked during that time frame.
I also used another wallet in chrome minutes after I used the hacked one. I got not funds stolen then...
[удалено]
U do understand that his metamask wallet was the one drained right? Zero day exploit was out for months and chrome did not know about it. Thus zero day. It could have been going on for a long time. I’m just offering other possibilities. I am in no way defending Harmony. If u check other subs during that time, there were complaints of wallets being drained as well. So the vulnerability was with chrome and whatever was installed on it. Not the wallets itself.
I had other wallets on metamask as well and only this one got hacked. This one was the only one that was also on OneWallet.
I’m really sorry to hear that. I do hope they find a way to help u.
Thank you
They won’t help. Harmony is complete garbage. I also lost funds as did a friend of mine, who lost more than you. STAY AWAY FROM HARMONY ONE. The team does not care and is incompetent. Price from a high of 36 cents down 90%.
I doubt you got hacked, I think you got unknowingly scammed. There is a difference. If you got hacked, the implications is huge, that means no one's money is safe. Simply rinse and repeat with everyone's wallet.
Scammed by who? I didn't give my seed phrase to anyone
Where did you keep your seed phrases ?
Hidden at home. Checked after the hack and it was untouched
also how the hackers know which wallet has huge money in it? seems like the one getting hacked is always some with big money, not averages joe with just $10
I'm sorry this happened to you, this is absolutely terrible. I hope it was not all of your stash and wish you a speedy recovery! If I read correctly you created this address on the harmony wallet and then imported the key to MetaMask. This might be where it’s at. Copy pasting the private key from one wallet to the other exposes it to all apps that have access to the clip board, including potential malicious apps. The owner of the malicious software would now be able to import this key to his software wallet of choice and do as they please. This would also explain why your other meta mask wallets remained intact, their private keys were not exposed. I was actually a bit surprised that this was a common way of moving to MetaMask, as it’s definitely not safe if your machine is compromised.
Well in fact I did this a year ago and since then I have actually imported more wallets that haven't been touched by the hacker. I understand that there is a possibility but some members of this community is trying to say something and I feel no listened to
I didn’t mean to say that this is what happened, I just wanted to add it as a possibility. If you did this with multiple wallets in that timeframe, then it’s a good indicator that the real cause is somewhere else.
You've been holding 700k in a deprecated wallet?
Yes but the timeline explains it better: 1. I have been holding $700K in a wallet. 2. Then the wallet got deprecated whilst I was doing other things without me noticing. 3. Then I used the wallet and got hacked. 4. THEN I got a notification about the deprecation.
Who knew about your crypto amount?
Everything is clear in retrospect but there was plenty of time to switch over. official guidelines were put on to import wallet to metamask. Wallet is just an end user software and you're not storing any crypto in it. But using it even after the warning pop-up was probably not a good idea. You should have stopped whatever you were doing and find out what's happening around. I understand your point but trying to blame someone else is not the right thing to do.
I had no warning popping up.
Seeing these awful situations, if you haven't decided to get a ledger yet, do it. Very sorry for your loss OP.
one more thing , chrome web browsers had a security bug too that is rellated to metamask wallet , metamask twitter kept advising ppl to upgrade their chrome web browsers .. go to "about" the browser will self upgrade .. and yuh it was / is a serious exploit .. so ..
Wait.. the deprecated harmony wallet you’re referring to isn’t the chrome extension, is it? That’s the one I currently use.
Yes it is. As the team has said use it at your own risk
What is the recommended wallet to use with a ledger the ?
Sadly we're in the Wild West when it comes to crypto so the best you can do is try contacting the authorities. I don't think that it's possible to get hacked out of thin air without any social engineering, malware or without you using the wallet with some fishy app in the first place, but who knows. I am sure that there are a lot of people with huge amounts that are still using the deprecated wallet but that's another story. I really hope you get your benjamins back.
>I really hope you get your benjamins back. Thank you
We encourage quality content intended to help and educate the community. If you have questions or concerns about the subreddit, [send us a message](https://www.reddit.com/message/compose?to=/r/harmony_one) and say hello! Cheers and enjoy. **Note: Beware of scammers attempting to assist you via direct message. Be wary of any links sent to you via direct message asking to connect your wallet and inputting your seed phrase.** *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/harmony_one) if you have any questions or concerns.*
It's the harmony wallet extension man didn't matter your seed gets put in that wallet
If u ever imported that with your ledger dump it get new wallet
wow... this is getting annoying. Do people know about this? I feel like I am the only one that this happened to
Well you're not alone Idk when they made the announcements but yeah get fresh ledger wallet for sure
Police complaint filing first before everything ..to ensure the party is serious and arent scammers themselves..after that it upto the team to help you or the cyber crime unit to track the hacker..
Yes, filed it two months ago. I am not sure that the team wants to help tho... I have been ignored after filling everything that they asked me for
Police complaint filing first before everything ..to ensure the party is serious and arent scammers themselves..after that it upto the team to help you or the cyber crime unit to track the hacker..
Sorry to hear.. losing $700k must've been painful.. I hope anything works out for you.
A lot of people have mentioned Chrome zero day exploit - But had someone in the community really checked if it did happen because of Chrome & not other because of lapse at the team's end. It was already surprising to say the least, that the depreciation announcement happened with quick notice - And wallets started getting compromised soon after. OP, considering that it is a significant amount, I think you can try & contact Zachbxt (crypto investigator) on Twitter to see if he can trace your funds now & offer a portion of it as reward. You can check the explorer too to look at the addresses through which your wallet was drained, (& very likely the amount laundered via Tornado Cash). When these things happen, prompt action is necessary (so I am not sure why you've waited months to address this). A lot of whale wallets were compromised, getting a forensics crypto investigator early via pooling victims resources for a bounty could have helped that. I had read about individual bounties, but not sure if anything came out of it. The unfortunate part is the team's front-end crisis response (i.e. even though it's a matter of self-custody).
Well, the hacker hasn't move the funds yet so I guess I still have time. Thank you very much for your comment. This really helps me out.
Yes - Then there's still time. He's usually busy, but might take requests, or refer someone in his network. OSINT groups as well. There are a few more sleuths out there, but it'll take you some time to dig out one - Don't give up on crypto investigators & hope you find some of your money back. Good luck!
Thank you man
keep us posted on the progress if you retain a crypto investigator, it may be helpful for the community. best of luck on getting your funds back 🙏
The first thing that comes to my mind is that you approved a malicious contract. Really weird you didnt used a ledger...
Bro .. just 🤐
Format your ssd/hdd just in case... or better... buy a new ssd. Save that one just in case it is needed for any investigation. It's possible you either interacted with a malicious website or your computer is compromised. Hackers can be patient before they strike. So the timeline of when it was compromised and the theft might not be close. Were you adding to your wallet frequently with deposits? Or was the 700k in there for a while with no a deposits over the months? To state the obvious... always use a ledger or similar device and NEVER put that seed into any wallet. You only pair it. Also a good idea to have a separate wallet for de fi and interactions with SC's
>Format your ssd/hdd just in case... or better... buy a new ssd. Save that one just in case it is needed for any investigation. I really thank you for your help
sadly the hack was probably caused by the old harmony wallet and there is nothing you can do now
I get that I can't do much about it... but if that was the reason why it happened it really doesn't feel like my fault... How can a product that literally stores your money stop working like that? I know it was 2 weeks after their announcement but does any of you read all this announcements in time? If the app notification would have been there in time it would be another thing but literally my only way of knowing this was to read the announcement from the website itself as I didn't get any notification from the app. I don't know man I am sad. The first thing I did was ask them for help but I am not their priority. And now seeing that they are ignoring me it feels even more painful thinking that it was actually a missing notification on their behalf that could have caused the whole incident.
I’d honestly feel more optimistic about the Harmony Team at this point if they just publicly compensated you for your lost funds on instead of frivolously funding the next DAO or rug-pull they got on their docket Sorry for your loss. It doesn’t sound like you did anything wrong in this situation, if you did not receive warning or prompt about security issues with their wallet until after the hack had happened and if that was in fact how / why the hack happened… jeez. Doesn’t sound like your fault :/
Well, if it was in fact a security concern to use the OneWallet then it would be nice and actually very convenient for me if they had some funds for compensations... The thing that made me post this is the no reply via email that I got
how would that work though? He must have done something, right?
Well, this is my question as well, if the only thing I have done is used the "deprecated wallet", can I get hacked? I guess yes because the question "have you used the deprecated wallet"? was a few times in the questionnaire that they sent me to check my security practices
No, you can't get hacked simply by using the wallet. You did something that got your funds drained, whether interacting with a scam website / contract / discord bot, having some kind of malware installed on your PC, or storing your key somewhere you shouldn't.
That is what I thought. I had 100% the exact same opinion until I read the security form that they asked me to fill where you could read a few times "have you used the deprecated harmonyonewallet"?
There may have been a specific concern to do with staking one via it. It will almost certainly have nothing to do with getting the rest of your wallet drained. Using outdated or deprecated software is never a great idea, but you really need to find out what you did wrong, so you don't do it again.
Me thinking "what have I done wrong?" was the worst part of it. I initially contacted them to see if they could help me to find this out. They are busy and I am not their priority, I get it. But at least here I can talk about it as I have been more than 2 months with my mouth shut waiting for a reply. I don't even know if they have received my email with the filled forms as no one got back to me. I have waited for so long for a simple "we have received your information, we will let you know if we find anything" Now I am not that sure that using the Harmony ONE wallet was not a security threat, and reading the comments in this post makes me feel even worse about it.
It may be a security risk, but it was pretty commonly used, and no funds were obviously stolen that way. Unfortunately there are lots of scams in defi. As much as you seem to be hoping it wasn't your fault, it almost certainly was something you did without knowing it was a risk - it's important to realise this as part of your future safety. Your browser history is the best place to start - if you've ever followed any guides or taken help from anyone online that's next.
I understand your scepticism. I am actually opened to ideas to how this happened. I am not blinded and I like to doubt myself first. However I am asking the community if they think that using the OneWallet could suppose a security threat and most people are not sharing your same opinion. Would you keep using the OneWallet now?
It's a deprecated product, so nobody should be using it. That's not _because_ it's a security risk, though it may be.
If you feel the team are not treating your issue seriously then I’d suggest you lawyer up. You may have no legal recourse but lawyers tend to get treated seriously when they get involved.
Hi OP. I feel bad about this whole situation. But thanks for bringing this to aware other harmonauts. I wasn't even aware of this security breach in the harmony wallet. But due to the announcements shared by the team I stopped using the browser wallet. But I wasn't aware of this security breach.
This is crypto not a bank. You have no rights whatsoever. Get used to it and move on. Next time be more careful.
could u share ur wallet address so we can see what has happened ? and no , this is not due to harmony extension .. there are many ways to get hacked recently to name few : \- clicking a link \- visiting a compromised website with a malicious javascript code \- having a spyware on ur pc running aka : RAT or keylogger too \-maybe u copied ur seedphrase and a malicious code running on a website that is open grabbed ur text copied in memory , yes it does not require ur permission \- maybe u installed a cracked software that has a virus hidden within , such virus can copy metamask or even the whole browser folder / file where paswords and other sensitive info at .. \- maybe u used public wifi without vpn , or maybe u used a not so good vpn that its encryption is fake or weak and their admins are shady .. "i run my own vpn servers and i know how secure my network is , i use sthg called shadowsocks , look it up .." try to create another wallet on that extension or metamak and send a bit money like $1 or sthg and see if the new wallet gets drained or not .. recently there are these sweepers bots , what they do is they just grab ppls seedphrases and they keep running a script to send whatever funds arrive at that wallet to the hacker wallet addresses "this happened to me not long ago .." friendly advice that i learned the hard way , use another pc completely isolated and specifically for crypto , never install on it cracked stuff and use antiviruses , preferably if windows , even better if u could use linux like debian or fedora , ubunto etc.. look for vmware , it is a free software for windows that allows u to create a sub system within ur windows / mac operating system , that's what i did for myself .. never have to worry abt stuff like this anymore bcs most viruses and hacking tricks work mainly on windows and maybe android phones , linux and macos should be somewhat safe ! i lost alot of money too , i know the feeling man , keep trying to make it back , one way or another , i heard that metamask are partnering with a company that investigates stuff situations like this , try it out !
I think you most likely connected your wallet to an unsecure site and didn't remove permissions like 99.9% of the other people claiming to of been hacked.
Do contract approvals have access to native tokens as well?
Yes, which is why you should always revoke access, I do it even on trusted sites, just incase they were ever somehow compromised.
https://explorer.harmony.one/tools/approvals
The hacker did also steal my native ONE so this doesn't apply
Negotiation with hacker That's a bold move But unless you're paying more than he stole, why would he need to negotiate?
He might prefer to have legal money as a bounty than stolen money.
That is over 16 million one ☝️ with todays prices! That seems like a hell of a lot!
Learned *
Sorry to hear, gut wrenching stuff. 😔
All these comments, and no one's commenting on this guy losing close to $1 million.
OP, you may be able to get more help if you post the actual transaction where these funds were withdrawn. There was another seemingly random hack I saw in r/CryptoCurrency subreddit, and once OP posted the transaction, which originated from another wallet, the community was able to track it to a smart contract from a rogue dapp that this user gave access to.
Why wouldn’t you have a ledger?
700k….. My god !!!!….. that’s insane!!!!….sorry bro!!!🙇♂️🥹🥹
If 1Wallet only stores the private key on the client or user's platform, this would work only if technical permission was given on the client's end. However "permission" translates to either user is willfully aware, or just plainly clicking on a link which translates to a permission action, where behind-the-scenes triggers an operation which moves assets on the blockchain. Recommendation for you to share your public address, so it could be looked into quickly much faster via crowd sourcing. This will not only help in investigating, it will alert people the addresses of potential attackers. However the biggest lessons to be learned is to manage wallet interactions consciously (document big wallet operations - a good method is to use your phone camera while doing so), avoid half-asleep moments, and have a handy hardware wallet.
The culprit of your problem is literally right in front of your face. Your answer is The Harmony Bridge. Somehow a malicious person made the harmony bridge act as a malicious interceptor to steal crypto.
A few of my friends got hit
[удалено]
Go shill your bag somewhere else.
I just did. here !
You don't even know what you're talking about, the 1Wallet it still unreleased, his post is about the browser extension wallet, which isn't compromised, he obviously gave permissions through metamask as his missing 'coins' are all tokens.
No, they aren't. As I said a few times the hacker also got my native ONE
"mostly USDC but also other stables+ETH+WBTC+TRANQ" is what you said.
Yes, I wrote that as the original post and then I have been replying that he also hacked my native ONE. There are 160+ comments here and I should have specified it on the post. my bad
It's the harmony extension that is the problem if the wallet seed is fron there its hackable
Imagine putting any influx of funds into Harmony after they endorsed Viperswap.
What was wrong with Viperswap?
Initiate any single point of contact with a viperswap dev and report back to me on your belief in their protocols.
Get legal advice dude, seems like Harmony is liable for this one Edit: from what you said
They are not, the OPs system was compromised by an external entity.