leather-io / desktop

Manage STX tokens and Stacking
https://leather.io/

[4.6.1] Bug: <describe issue>STX Token Transfer SENT which I did NOT do #1214

Closed STX-Stargem closed 1 year ago

STX-Stargem commented 1 year ago

Bug found testing Hiro Wallet build undefined, 4.6.1.

STX-Stargem commented 1 year ago

Here's the TRX id: 0x6829fa018ff0642fbc90255a8d3901e38f7f763c89c8fad629a2cbec01efaa63 Where did my tokens go? Why did that happen? Please HELP! URGENT!

314159265359879 commented 1 year ago

I see you are using a very old version of the wallet, please update to the latest version: 4.10.1

It looks like you fell victim to a phishing scam and shared your secret key with a scammer.

STX-Stargem commented 1 year ago

Hi Werner or Support,

Thank you for your email. Although I did not share any secret key, is there a way to recover my STX? Or any recourse or action I could / should take? Please advise me asap. I'm in panic mode.

Does this link show their other phishing victims then? https://explorer.hiro.so/address/SP2KW0M6MBSSAV1BFDKH56VFNZK73Z36C0N369K9M?chain=mainnet Isn't there anything Hiro network can do to stop this?

Awaiting your prompt response, Gemma

On Fri 14 Jul 2023 at 14:45, Werner @.***> wrote:

I see you are using a very old version of the wallet, please update to the latest version: 4.10.1

It looks like you fell victim to a phishing scam and shared your secret key with a scammer.


314159265359879 commented 1 year ago

Please email me at wallet at hiro.so

STX-Stargem commented 1 year ago

Thanks, Werner, for your reply. With the link I sent earlier, couldn't Hiro do something to stop and avoid further phishing within the network? That they can infiltrate the system, send STX to my account w/o me accepting it, and then notifying I won more STX. I did not even confirm anything other than clicked on the "Received" TRX line out of curiosity, thinking it must be from STX. This is clearly a flaw in Hiro wallet. Phishers must not have ability to access and infiltrate to steal STX from wallet holders. Why can't developers control this, esp. since it'd be the same wallet address(es) doing it and recover all the losses wallet holders are victimized of. Thus, my question: what can the platform do to resolve & recover the stolen tokens? About updating to latest version, a notification of this requirement should be more obvious --even with a warning if it makes a difference--, esp. since I use the wallet purely to HODL & not make any other TRX, except when I check every few months.

314159265359879 commented 1 year ago

@STX-Stargem I am really sorry you experienced this. Phishers/scammers succeed in accessing your account when a user gives them their seed phrase or signs a transaction for them.

We have since added a fix to the wallet to no longer show these memos https://github.com/hirosystems/desktop-wallet/issues/1192. However, you do not benefit from this when you use outdated wallet software. The wallet should display a message in the top bar when there is a newer version of the wallet available. We can look into options to make the notice to update more noticeable. I will discuss this with the team. Thanks for the suggestion.

We have a thread to report the scammers' address involved and a transaction: here. I also advise you to file a police report locally. If you see the receiving address send funds to an exchange, you could inform that exchange and update the post on that GitHub issue.

These wallets are non-custodial, we do not have access to your funds, and can't refund them.

STX-Stargem commented 1 year ago

I submitted a report on chainabuse and will report to local police. Could you tell me (a fast, straightforward way) how to find out where the scammer addresses are sending stolen tokens to which exchange? That would be good to inform the exchange(s) concerned.

314159265359879 commented 1 year ago

Hi again @STX-Stargem,

You would monitor the receiving address, the scammer's address, on an explorer like this one: https://explorer.hiro.so/address/SP2KW0M6MBSSAV1BFDKH56VFNZK73Z36C0N369K9M?chain=mainnet

When it transfers out, check for a memo on the transaction. When there is a memo the address is likely an exchange and possibly traceable to a person by that exchange.

Common exchange addresses can be found on stacksonchain.com and here is a short list.
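
The check described in the last comment (watch the receiving address and look for a memo on its outgoing transfers) can be scripted over an exported transaction list. This is an added example and not part of the original thread; the field names are assumed to follow the Stacks Blockchain API transaction JSON, and every record below except the watched address is constructed.

```python
WATCHED = "SP2KW0M6MBSSAV1BFDKH56VFNZK73Z36C0N369K9M"  # receiving address from the thread

def pad_memo(text):
    """Build a 34-byte zero-padded hex memo; used only to construct sample data."""
    return "0x" + text.encode().ljust(34, b"\x00").hex()

def sample_tx(n, status, sender, recipient, amount, memo):
    """Constructed record; field names are an assumption, tx ids are placeholders."""
    return {"tx_id": "0x" + f"{n:02x}" * 32, "tx_type": "token_transfer",
            "tx_status": status, "sender_address": sender,
            "token_transfer": {"recipient_address": recipient,
                               "amount": str(amount), "memo": pad_memo(memo)}}

SAMPLE_TXS = [
    sample_tx(1, "success", "SP_PLACEHOLDER_VICTIM", WATCHED, 250_000_000, ""),
    sample_tx(2, "success", WATCHED, "SP_PLACEHOLDER_HOP", 900_000_000, ""),
    sample_tx(3, "success", WATCHED, "SP_PLACEHOLDER_DEPOSIT", 1_500_000_000, "104829"),
    sample_tx(4, "abort_by_response", WATCHED, "SP_PLACEHOLDER_DEPOSIT", 10_000_000, "104829"),
    {"tx_id": "0x" + "05" * 32, "tx_type": "contract_call",
     "tx_status": "success", "sender_address": WATCHED},
]

def decode_memo(memo_hex):
    """Return the memo as text with padding removed, or '' if empty or malformed."""
    try:
        raw = bytes.fromhex(memo_hex[2:] if memo_hex.startswith("0x") else memo_hex)
    except ValueError:
        return ""
    return raw.rstrip(b"\x00").decode("utf-8", errors="replace").strip()

def outgoing_with_memo(txs, watched):
    """Confirmed STX transfers sent BY the watched address that carry a memo."""
    hits = []
    for tx in txs:
        if tx.get("tx_type") != "token_transfer" or tx.get("tx_status") != "success":
            continue
        if tx.get("sender_address") != watched:
            continue  # incoming transfers tell us nothing about the cash-out path
        transfer = tx.get("token_transfer", {})
        memo = decode_memo(transfer.get("memo") or "")
        if memo:
            hits.append({"tx_id": tx["tx_id"], "memo": memo,
                         "recipient": transfer.get("recipient_address"),
                         "amount_stx": int(transfer.get("amount", "0")) / 1_000_000})
    return hits

if __name__ == "__main__":
    for hit in outgoing_with_memo(SAMPLE_TXS, WATCHED):
        print(hit)
```

Each hit is a candidate exchange deposit; the transaction id, recipient and memo are the details to include in a report to that exchange.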