@Ledger and @Trezor are safer and more trusted than MM. Ice cold paper airgapped machine storage is even more so.
But your random no-name mobile wallet, the port tracker that wants your full admin exchange API keys, and the rotting DeFi food you keep throwing $ at are WAY WORSE.
Flashy new wallet that's never endured a bull run? Yeah, no thanks lol.
Entering your private key directly into a website/dapp? Fuck off.
Centralized "recover with your phone number" shit? Hope you are bribing all the $1/hr support agents in the Philippines to NOT sim swap you!
It's FAR more likely that you will lose funds via your actions. If I had to bet on MetaMask or you, I would always bet against you. Sorry.
...fake google ads, fake apps, impersonators, a/b/c/d/e/f tested spear phishing messages, websites asking you to paste your key, screenshotting your key, not backing up your key, and accidentally uploading your key to github or sharing it on a screenshare are ALL more likely.
The reason you shouldn't put all your assets in MM is bc the fewer places a key is, the less often you touch it, the less likely it is to be emptied. Make a paper or hardware wallet, put the majority in it, and just don't take it out.
But Tay! What do I do when I need more money in my MM?
I dunno. Consider contributing to the ecosystem instead of paying miners and throwing eth at anon devs who are hot to abscond with all your assets on a bed of lies?
Tbh, it's absurd that MM catches any heat considering the destructive bullshit y'all engage in. 🙄
And before you get all defensive and argue-y, read and do all the shit in the following two articles. It'll be far more productive for everyone. 😘💖
At some point prior to July 2024 the actual hackers landed a backdoor onto something that gave them some access to the WazirX multisig signers and/or their signatures.
We don't know what or who was compromised and it doesn't really matter.
Initial toehold was likely gained by tricking someone at WazirX or Liminal into installing malware -> escalated from there.
This access allowed the hackers to intercept/insert invisible, malicious payloads for signing in a way where none of the 3+ signers were able to notice.
With the recent sophisticated hacks fresh on everyone's mind, there's been a lot of talk about ✨fancy stacks and setups.✨
Yes, you should evaluate how—and with what—you sign txns.
But building a custom UI for your LAN Qubes OS AWS KMS every day is not really the answer 😅
Background on the referenced hacks (feel free to skip):
1. Funds were stolen from each org's multisig.
2. Keys themselves were not compromised.
3. In Radiant and WazirX and maybe DMM, the keys backing the multisig were actually only on hardware wallets + actually controlled by distinct parties.
DMM Bitcoin - $305m in May
The least amt is known about DMM, including whether keys were cold vs hot. Early theories said address poisoning. It def wasn't that. Attached is rampant speculation (likely all wrong)
See also: x.com/mononautical/s…
Also, note, any organization that can implement / enforce EDR, etc. should do so. Full stop. End of conversation.
However, the crypto industry generally considers this a non-starter for all sorts of philosophical + practical reasons.
Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry.
They rekt more people, companies, protocols than anyone else.
But it's good to know exactly how they get in. Bc another smart contract audit won't save you.
For example, one long-time fave method:
- Contact employee via social/messaging app
- Direct them to a GitHub for a job offer, "skills test," or to help with a bug
- Rekt individual's device
- Gain entry to company's AWS
- Rekt company (and their users)