iancoleman / bip39

A web tool for converting BIP39 mnemonic codes
https://iancoleman.io/bip39/
MIT License

Ian Coleman just stole me 2000$ worth of tokens #269

Closed ghost closed 5 years ago

ghost commented 5 years ago

I had been using my eidoo wallet for 1 year, but 2 weeks ago I needed to generate my private key (it doesn’t show on eidoo), so I used this tool https://iancoleman.io/bip39/

When I woke up I saw my whole wallet had been emptied.

It can only be you Ian, nobody had access to it except you.

Xor-el commented 5 years ago

@Ni0ctib, hi and sorry for your loss, but the first rule in using any BIP39 mnemonic phrase tool is never to use it online. For all we know, @iancoleman might not be the shady one here; he might be a victim of a compromised server. Also, the probability that @iancoleman would implant malicious code in the GitHub version of this tool is very slim, because it's open source and someone would have spotted such a malicious change.

iancoleman commented 5 years ago

Sorry to hear about this.

I can assure you I do not have access to any funds from users of this tool. I'd like to help you understand what might have gone wrong.

Did you generate the mnemonic using this tool or somewhere else? Did you enter the mnemonic anywhere other than this tool? What operating system are you using, and have you done a virus scan and checked for rootkits and keyloggers? Have you entered private keys anywhere? It looks like eidoo is a mobile wallet; would someone have had access to your mobile?

If you have proof of your accusations please present it, or you can help find the cause of your issue since I'm quite confident it wasn't this tool that caused it.

ghost commented 5 years ago

I saw a thread on reddit redirecting to your website, please take a look: https://amp.reddit.com/r/eidoo/comments/7is255/can_you_get_your_private_key_from_the_eidoo_wallet/

I always took precautions with my mnemonic, and the only time I copy-pasted it was for generating the PK, using your tool. Then I copied it into a note on my iPhone (no jailbreak); nobody has access to it, and the note is even locked with a password.

But you’re right, I can’t accuse you without proof, and I’m sincerely sorry if this isn’t you, but it’s quite a coincidence, otherwise I wouldn’t be there.

iancoleman commented 5 years ago

Did you use the tool on a computer or on your phone? Is the note app native or third-party? Is there any way the clipboard content after copy/paste could have been accessed?

Just for curiosity, what did you need the private key for?

Once again, sorry to hear that something went wrong. It sounds like you're a careful user so it sucks that something has gone wrong.

ghost commented 5 years ago

I used the tool on my iPhone with the native note app, and I took care to copy something else just after pasting it into Trust wallet.

I just wanted to use my wallet with Trust, more convenient than Eidoo imo.

If the one who stole from me reads this, you can keep 10%, send the rest and I’ll forgive you. It may seem funny, but believe me, this solution is better than remaining always on guard.

thomasvaughan commented 5 years ago

@Ni0ctib Please keep in mind that a GitHub issues page is for reporting bugs, missing features etc., not crimes. If you think there's a bug that has been exploited by an [unknown] criminal, then you are right to report the apparent bug. But please think carefully about how best to report such bugs discreetly. There are two reasons for this. First, if a crime has been committed, the work of the police may be hindered by too much publicity. Second, if an unknown vulnerability has been exploited, you don't want to advertise it to other criminals. Responsible disclosure does pose some dilemmas, but when the code is already publicly auditable, there's a strong case for tipping off the developer quietly so that a fix (if required) can be written before public disclosure.

hatgit commented 5 years ago

Perhaps also examine all the apps installed and what their permissions are and try to narrow down a list of apps that have permissions that would enable them to view clipboard or keystroke related data if the leak/exploit was from the phone.

iancoleman commented 5 years ago

Another thing that would be helpful to investigating this would be the timing.

How long was it between these events?

If there was substantial time between extracting the private key and the funds actually being transferred, then there is a question of whether there was some time-consuming brute-force method from the attacker to break the note encryption, or some similar time-consuming factor. Not a big clue, but it might help shed some light.

Also the timing might relate to a particular app update.