
Cryptocurrency Theft via Compromised Cold Wallets: A Detailed Incident Analysis by SlowMist
On June 15, cybersecurity company SlowMist released an alarming report about a serious incident involving the theft of cryptocurrency through compromised cold wallets. This article examines the incident in detail, analyzes its causes and consequences, and offers recommendations for cryptocurrency users.
Description of the incident
SlowMist reported that the private key was compromised at the wallet generation stage, meaning the attackers held the private keys before the user ever started using the device. The funds were withdrawn just a few hours after the first transaction, which points to a carefully planned attack carried out at high speed.
Features of compromised cold wallets
The company warns that cold wallets sold at a reduced price or marketed as “factory” or “discounted” are often counterfeit. Their low cost is a trap aimed at gullible users: such devices can be pre-infected with malware that transmits private keys to attackers.
Victim’s story and expert comments
An X user who goes by the pseudonym Hella, and who previously worked for Bitmain co-founder Jihan Wu, reported that a close friend of his had been affected. According to Hella, the conversation gave him “goosebumps” because his friend described a carefully planned Trojan implanted in the device.
Hella noted that the stolen assets were quickly “merged” (laundered) through Huione Group, a Cambodian conglomerate known for illegal payment processing and darknet trading. He strongly recommended buying cold wallets only through trusted, official channels.
Technical analysis and the impossibility of refunding funds
SlowMist analyst 23pds confirmed in a post on X (formerly Twitter) that the company was able to trace the transactions used to withdraw the stolen funds, but that recovering them is no longer possible. He emphasized that saving money on a cheap wallet can lead to the loss of all of one’s savings.

Quote from 23pds:
“Don’t put your entire fortune on a device that costs a few hundred dollars less. That’s not saving. That’s wasting your entire life.”
Why are these schemes hard to prevent?
SlowMist notes that such attacks are difficult to prevent because devices often pass through a chain of third parties, including packagers and distributors, who may not be aware that the equipment is infected. Fraudsters plant malware during the manufacturing or packaging stage, making it extremely difficult for users to protect themselves.
Similar cases in the industry
- May 19: A Chinese printer manufacturer distributed malware along with its official drivers, resulting in the theft of more than $953,000 in Bitcoin.
- April 1: Kaspersky reported thousands of counterfeit Android smartphones being sold online with pre-installed malware aimed at stealing users’ cryptocurrency wallets and sensitive data.
Recommendations for cryptocurrency users
- Buy cold wallets only from official and trusted manufacturers. Avoid offers with suspiciously low prices.
- Check the device immediately after receiving it. Use tools to verify the integrity of the firmware and the absence of third-party software.
- Don’t keep all your funds on one device. Separate your assets to minimize the risk of loss.
- Be careful about the sources of purchase. Avoid buying through unverified intermediaries and third-party sites.
- Stay up to date with security news and updates. Follow official channels from vendors and cybersecurity companies.
The incident of cryptocurrency theft via compromised cold wallets is a serious warning for all participants in the cryptocurrency market. It demonstrates how important it is to carefully choose devices for storing digital assets and not to skimp on security. Only by following strict precautions and using proven products can you protect your funds from attackers.

If you have crypto assets, don’t put off security measures for later – your financial security depends on your vigilance and informed choices.
What precautions should you take when buying cold wallets?
When purchasing a cold wallet for cryptocurrency, it is important to take a number of precautions to minimize the risks of theft and loss of funds. Key recommendations include:
- Buy the device only from official and trusted manufacturers. Never buy a hardware wallet second-hand or through dubious channels: a used device may be infected with malware or carry compromised firmware [1][5].
- Check the integrity of the packaging and its security elements. Hardware wallets usually carry holographic stickers or other tamper-evident features; if a sticker is damaged or looks peeled off, decline the purchase and inform the manufacturer [1].
- Keep your seed phrase offline and in a safe place. Do not store it electronically or share it with anyone. Keep multiple copies on paper or metal media in different secure locations, such as a safe or a bank safe-deposit box [2][7].
- Set a strong PIN and use additional security measures (such as a passphrase) to prevent unauthorized access if the device is lost or stolen [2][5].
- Connect the wallet to a computer or phone only when you need to make a transaction, and keep it offline the rest of the time to reduce exposure to malware [2].
- Use only official software and update the device firmware regularly; this closes vulnerabilities and improves security [2][6].
- Before confirming a transaction, carefully check the recipient address, especially on a device with a screen: the address shown on the wallet must match the one you intend to send to [2].
- Avoid storing all funds on one device; distribute assets across several wallets to reduce the risk of total loss [7].
- Be vigilant against scams and social engineering. Never give your seed phrase or private keys to any third party, even someone claiming to be from support [2][5].
Taking these precautions will greatly increase the security of storing cryptocurrency in cold wallets and protect your assets from common threats, including counterfeit devices and malware.
How SlowMist Detected and Tracked a Private Key Compromise
SlowMist discovered the compromise of the cold wallet’s private key by monitoring and analyzing anomalous on-chain activity and transactions associated with the device. In particular, SlowMist specialists observed a rapid withdrawal of funds just a few hours after the first transaction, a sign of a hack indicating that the private key had already been compromised at the wallet generation stage [1].
To track down the attackers, SlowMist used blockchain transaction analysis to follow the movement of the stolen assets across addresses and identify the final withdrawal points. The company’s analysts determined that the stolen crypto assets were quickly “merged” (laundered) through the Huione Group, a conglomerate associated with illegal operations and darknet trading [1].
SlowMist also warns of the risks of counterfeit cold wallets, which may contain malware introduced during manufacturing or packaging; this may likewise have been identified through supply-chain and device-behavior analysis [1].
The key methods for detecting and tracking the compromise were therefore:
- monitoring suspicious activity and fast transactions in the blockchain;
- analysis of the routes of movement of stolen funds;
- identifying links with known illegal structures;
- technical analysis of devices and firmware for malware.
These measures allowed SlowMist to quickly identify the incident, assess the extent of the damage, and warn users about the risks of purchasing unverified cold wallets [1].
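The fast-drain indicator and the hop-by-hop tracing described in this section, written out as an added example rather than SlowMist’s own tooling; the ledger, the addresses V1/H1/H2/V2 and the “svc-X” laundering label are all constructed for illustration:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Tx:
    ts: datetime   # block timestamp
    src: str       # sending address
    dst: str       # receiving address
    amount: float  # value moved

# Constructed ledger (not real chain data): victim address V1 is funded, then
# emptied three hours later through two hops into svc-X, which carries a
# constructed "known laundering service" label. V2 is a benign control case.
T0 = datetime(2025, 6, 10, 9, 0)
LEDGER = [
    Tx(T0, "exchange-A", "V1", 10.0),
    Tx(T0 + timedelta(hours=3), "V1", "H1", 10.0),
    Tx(T0 + timedelta(hours=3, minutes=20), "H1", "H2", 9.99),
    Tx(T0 + timedelta(hours=4), "H2", "svc-X", 9.98),
    Tx(T0, "exchange-A", "V2", 5.0),
    Tx(T0 + timedelta(days=7), "V2", "merchant", 1.0),
]
ILLICIT_LABELS = {"svc-X": "laundering-service (constructed label)"}

def fast_drains(ledger, max_hours=6.0, drain_ratio=0.95):
    """Addresses that sent out >= drain_ratio of what they received within
    max_hours of their first incoming transfer. Returns {addr: hours_to_drain}."""
    inflow, outflow = defaultdict(list), defaultdict(list)
    for tx in sorted(ledger, key=lambda t: t.ts):
        inflow[tx.dst].append(tx)
        outflow[tx.src].append(tx)
    flagged = {}
    for addr, ins in inflow.items():
        first = ins[0].ts
        end = first + timedelta(hours=max_hours)
        received = sum(t.amount for t in ins if t.ts <= end)
        outs = [t for t in outflow.get(addr, []) if t.ts <= end]
        if received > 0 and sum(t.amount for t in outs) / received >= drain_ratio:
            flagged[addr] = round((outs[0].ts - first).total_seconds() / 3600, 2)
    return flagged

def trace_outflow(ledger, start, max_hops=10):
    """Follow the largest outgoing transfer from `start` hop by hop until an
    address with no further outflow (a final withdrawal point) is reached."""
    by_src = defaultdict(list)
    for tx in ledger:
        by_src[tx.src].append(tx)
    path, cur = [start], start
    for _ in range(max_hops):
        if not by_src.get(cur):
            break
        cur = max(by_src[cur], key=lambda t: t.amount).dst
        path.append(cur)
    return path

def triage(ledger, labels=ILLICIT_LABELS):
    """Combine both signals: a fast drain plus the label of its terminal address."""
    report = {}
    for addr, hours in fast_drains(ledger).items():
        path = trace_outflow(ledger, addr)
        report[addr] = {"hours_to_drain": hours, "path": path,
                        "terminal_label": labels.get(path[-1])}
    return report
```

On this ledger, V1 is flagged with a three-hour drain whose trace ends at the labelled svc-X address, while the control address V2 is not flagged; the pass-through hops H1 and H2 are flagged too, which is the expected shape of a laundering chain.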

Why Low-Price Fake Devices Are Dangerous for Crypto Owners
Fake cold wallets with low prices pose a serious threat to crypto owners for several reasons:
- Compromise of private keys at the generation stage. Such devices may be pre-infected with malware or contain built-in vulnerabilities that give attackers access to the private keys before the wallet reaches the user, leading to theft of funds immediately after the first transaction.
- Lack of security and quality guarantees. Counterfeits undergo no quality control and have no official support, so the firmware cannot be updated and vulnerabilities cannot be fixed.
- A trap for gullible users. A low price is often used as bait for inexperienced or budget-conscious users who are unaware of the risks and lose all their savings.
- Impossibility of recovering stolen funds. As SlowMist notes, funds stolen through such devices are almost impossible to recover, making the loss total and irreversible.
- Malware distribution through the supply chain. Counterfeit devices can reach customers via third parties and packagers who are unaware of the infection, making attacks hard to detect and prevent.
Thus, buying cheap fake cold wallets is not a way to save money, but a direct risk of losing all your crypto assets, which is confirmed by real cases of theft and warnings from security experts.
How Attackers Use the Darknet to Drain Stolen Assets
Attackers use the darknet as a key tool for draining and subsequently laundering stolen crypto assets, in the following main ways:
- Cashing out and laundering funds through specialized services. Darknet services cash out and launder stolen money for a percentage: attackers transfer the stolen cryptocurrency to them, and they convert it into fiat or other assets, hiding the funds’ origin [1][4].
- Using darknet markets and marketplaces to sell stolen data, accounts, and cryptocurrency. There, criminals can quickly exchange stolen assets for other digital or physical goods, including anonymous proxies, forged documents, and bank cards [1][2][4].
- Using front men (“drops”) to move and distribute stolen funds, which makes it harder to trace transactions and link them to specific criminals [1].
- Anonymity and encryption. The darknet is built on technologies that provide a high level of anonymity (for example, Tor), allowing criminals to hide their identity and location while conducting financial transactions [6].
- Complex transaction chains. Attackers route funds through multiple intermediate addresses and cryptocurrency mixers to obscure their tracks and complicate law-enforcement investigations [1][4].
- Links to other illegal activities. Stolen assets are often fed into wider criminal schemes, including drug trafficking, document forgery, and malware distribution, making the darknet a hub of the criminal economy [1][3].
Thus, the darknet provides criminals with an infrastructure for the quick and anonymous sale of stolen crypto assets, which significantly complicates their return and the investigation of crimes.
What lessons can be learned from cases of malware distribution via official drivers
There are several important lessons to learn from cases of malware being distributed via official drivers that can help improve cybersecurity and reduce the risk of infection:
- Malware can disguise itself as legitimate software, including official drivers. Even downloading programs from official sites does not guarantee safety if the developers or suppliers of the software have themselves been compromised [1][2].
- Strict cyber hygiene is essential: download software only from verified, official sources, and avoid opening suspicious files and attachments, especially those received by e-mail or instant messenger from unknown senders [2][5].
- Regularly updating the operating system, drivers, and antivirus software is critical. Outdated software often contains vulnerabilities that attackers exploit to inject malicious code [2][4].
- Reliable antivirus solutions with up-to-date signature databases help not only detect but also prevent malware infection. Firewall and network traffic control functions should be enabled to limit malware’s access to the network [2][4].
- Malicious programs can embed themselves in OS drivers and run with administrator privileges, which makes them especially dangerous: they gain broad access to system resources and can bypass standard protection mechanisms [1].
- User rights should be limited, and day-to-day work should not be done with administrator rights unless absolutely necessary, to minimize malware’s ability to spread and cause damage [1].
- User awareness and education are key to preventing attacks. People need to understand the risks, recognize phishing attacks and suspicious files, and know how to respond to potential threats [2].
- Monitoring and analyzing software behavior helps identify suspicious activity and respond to incidents in time. Testing new drivers and software in sandboxes and isolated environments reduces the risk of infecting production systems [2][7].
Thus, cases of malware distribution via official drivers highlight the need for a comprehensive approach to security: from technical protection measures and updates to user awareness and control over access rights. Ignoring these lessons can lead to serious consequences, including data theft, system disruption and financial losses.
What are the key lessons to learn from malicious driver cases?
The key lessons that can be learned from malicious driver distribution cases are as follows:
- Drivers operate in kernel mode with a high level of privilege, so vulnerabilities in them can compromise the entire operating system and give attackers complete control over the computer [1]. This calls for special attention to driver security during development and testing.
- Driver security must be considered from the very start of design. Developers should apply the principle of least privilege, restrict access to drivers, carefully validate input data, and use defensive mechanisms against time-of-check to time-of-use (TOCTOU) attacks [1].
- Automated code analysis tools and security audits should be used to identify and fix vulnerabilities before a driver is released [1].
- Malicious drivers can be distributed even through official channels if the manufacturer or software provider is attacked or compromised, so users should download drivers only from official sites and keep up with security updates [6].
- Outdated or vulnerable drivers create a BYOVD (Bring Your Own Vulnerable Driver) threat, in which an attacker uses a legitimate but vulnerable driver to bypass system security and inject malicious code [5].
- Keeping the operating system, drivers, and antivirus software up to date is critical to protecting against driver-related exploits [6].
- Users and administrators must follow basic cybersecurity rules: avoid downloading software from untrusted sources, use antivirus software with up-to-date databases, restrict access rights, and control driver installation [6].
- Monitoring and controlling access to system resources, including using Windows security features (such as controlled folder access), helps reduce the risk of successful malicious-driver attacks [3].
Thus, cases of malicious driver distribution highlight the need for a comprehensive approach to security: from responsible driver development and testing to users being careful about download sources and applying software updates promptly. Ignoring these lessons can lead to serious consequences, including complete system compromise and data theft.
Sources
- https://learn.microsoft.com/ru-ru/windows-hardware/drivers/driversecurity/driver-security-checklist
- https://frolov-lib.ru/books/av/ch03.html
- https://support.microsoft.com/ru-ru/windows/%D0%B7%D0%B0%D1%89%D0%B8%D1%82%D0%B0-%D0%BE%D1%82-%D0%B2%D0%B8%D1%80%D1%83%D1%81%D0%BE%D0%B2-%D0%B8-%D1%83%D0%B3%D1%80%D0%BE%D0%B7-%D0%B2-%D0%BF%D1%80%D0%B8%D0%BB%D0%BE%D0%B6%D0%B5%D0%BD%D0%B8%D0%B8-%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C-windows-1362f4cd-d71a-b52a-0b66-c2820032b65e
- https://lib.itsec.ru/articles2/Oborandteh/tehnologii_zashiti_vredonosnih_programm
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%91%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_Windows
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%92%D1%80%D0%B5%D0%B4%D0%BE%D0%BD%D0%BE%D1%81%D0%BD%D0%B0%D1%8F_%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0_(%D0%B7%D0%BB%D0%BE%D0%B2%D1%80%D0%B5%D0%B4)
- https://compress.ru/article.aspx?id=18053
- https://skillbox.ru/media/code/vredonosnoe-po-tipy-ugroz-i-primery-atak/
- https://ibs.ru/media/klassifikatsiya-vredonosnogo-po/
- https://habr.com/ru/companies/otus/articles/861488/
- https://frolov-lib.ru/books/av/ch03.html
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%92%D1%80%D0%B5%D0%B4%D0%BE%D0%BD%D0%BE%D1%81%D0%BD%D0%B0%D1%8F_%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0_(%D0%B7%D0%BB%D0%BE%D0%B2%D1%80%D0%B5%D0%B4)
- https://ibs.ru/media/klassifikatsiya-vredonosnogo-po/
- https://learn.microsoft.com/ru-ru/security-updates/security/20212726
- https://skillbox.ru/media/code/vredonosnoe-po-tipy-ugroz-i-primery-atak/
- https://hyperpc.ru/blog/service/virus
- https://cyberleninka.ru/article/n/kompyuternoe-kriminalisticheskoe-issledovanie-vredonosnogo-programmnogo-obespecheniya
- https://op.vlsu.ru/fileadmin/Programmy/Specialitet/10.05.04/Metod_doc/2016/Metod_Vredprogvks_100504_29122016.pdf
- https://www.f6.ru/blog/miners-free-libraries/
- https://st.drweb.com/static/new-www/files/Borba_s_virusami_2012.pdf
- https://www.forbes.ru/tekhnologii/461629-cto-takoe-darknet-i-naskol-ko-on-bezopasen
- https://habr.com/ru/companies/bastion/articles/915892/
- https://stakhanovets.ru/blog/darknet-kakie-ugrozy-zhivut-v-teni-chast-1/
- https://www.securityvision.ru/blog/darknet-chto-eto-kak-im-polzuyutsya-prestupniki-chego-sleduet-osteregatsya/
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%A0%D0%B0%D1%81%D1%86%D0%B5%D0%BD%D0%BA%D0%B8_%D0%BF%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D1%82%D0%B5%D0%BB%D1%8C%D1%81%D0%BA%D0%B8%D1%85_%D0%B4%D0%B0%D0%BD%D0%BD%D1%8B%D1%85_%D0%BD%D0%B0_%D1%80%D1%8B%D0%BD%D0%BA%D0%B5_%D0%BA%D0%B8%D0%B1%D0%B5%D1%80%D0%BF%D1%80%D0%B5%D1%81%D1%82%D1%83%D0%BF%D0%BD%D0%B8%D0%BA%D0%BE%D0%B2
- https://syntheticdrugs.unodc.org/syntheticdrugs/ru/cybercrime/detectandrespond/investigation/darknet.html
- https://stanishevski.ru/blog/darknet-part-three
- https://yandex.ru/q/question/kak_khakery_ispolzuiut_ukradennye_dannye_46c808f1/
- https://finance.rambler.ru/money/48297505-faktor-riska-chem-opasen-sliv-dannyh-bankovskih-kart-v-darknet-i-kak-ih-zaschitit/
- https://m.pln24.ru/allworld/348268.html
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9C%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%BE_%D1%81_%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BE%D0%B9
- https://yellow.com/ru/news/%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-%D0%BD%D0%B0-15-%D0%BC%D0%B8%D0%BB%D0%BB%D0%B8%D0%B0%D1%80%D0%B4%D0%B0-%D0%B2-bybit-%D0%BA%D0%B0%D0%BA-%D1%85%D0%B0%D0%BA%D0%B5%D1%80%D1%8B-%D0%BF%D0%BE%D0%BB%D1%83%D1%87%D0%B8%D0%BB%D0%B8-%D0%B4%D0%BE%D1%81%D1%82%D1%83%D0%BF-%D0%BA-%D1%85%D0%BE%D0%BB%D0%BE%D0%B4%D0%BD%D1%8B%D0%BC-%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D1%8C%D0%BA%D0%B0%D0%BC-%D0%BF%D0%BE%D0%B4-%D1%83%D0%B3%D1%80%D0%BE%D0%B7%D0%BE%D0%B9-%D0%BB%D0%B8-ethereum
- https://www.bitget.com/ru/news/detail/12560604618315
- https://www.itsec.ru/news/archive/2025/03
- https://maxi-cart.com/sitemap/
- https://www.itsec.ru/news/archive/2024/10
- https://polpred.com/news/?person_id=20625&sector=14
- https://overclockers.ru/news/lenta/03-10-2023
- https://duckdice.io/forum/topics/270-novosti-kriptorynka-v-russkoyazychnoy-vetkeobzoryprognozyanalitika?page=296
- https://overclockers.ru/news/lenta/27-09-2023
- https://www.kaspersky.ru/resource-center/definitions/what-is-a-hardware-wallet
- https://finance.mail.ru/card/kholodnyy-hoshelek-dlya-kriptovalyuty-725/
- https://cryptocloud.plus/blog/chto-takoe-holodnyy-koshelek-dlya-kriptovalyut
- https://vc.ru/crypto/1881838-holodnyi-koshelek-dlya-kriptovalyuty-vidy-plyusy-minusy-i-top-6-variantov
- https://zonebitcoin.co/ru/%D0%B0%D1%82%D0%B0%D0%BA%D0%B8-%D0%BD%D0%B0-%D1%85%D0%BE%D0%BB%D0%BE%D0%B4%D0%BD%D1%8B%D0%B9-%D0%BA%D0%BE%D1%88%D0%B5%D0%BB%D0%B5%D0%BA/
- https://www.binance.com/ru/square/post/1078818
- https://blog.mexc.com/ru/vidi-kriptokoshelkov/
- https://cryptocloud.plus/blog/holodnyy-koshelek-cool-wallet-kak-aktivirovat
- https://bitpapa.com/ru/blog/quick-start/holodniy-koshelek-dlya-kriptovalyuti-kak-i-kogda-ego-mozhno-ispolzovat
- https://www.bitget.com/ru/blog/articles/cold-wallet-for-cryptocurrency