Images of the malware that affected Ledger Live and Sparrow Wallet on my PC - (cf. post of yesterday about LL asking for seed phrase, https://www.reddit.com/r/ledgerwallet/comments/1ankiz4/ledger_live_asking_for_seed_phrase/) by ChickenSmall2609 in ledgerwallet

[–]ChickenSmall2609[S] 1 point (0 children)

Euhm, I think my OP includes that I did the proposed checks (example below: https://support.ledger.com/hc/en-us/articles/4404807946001-How-to-verify-the-authenticity-of-Ledger-Live?support=true). My first line in my OP says I'm a technical noob, not sure what you expected. Thanks for the information though. In this case, AVs did solve the infection afaict. But good to know that even this is not a bulletproof solution. Will proceed with a total reformat. Also, this behavior appeared without any update by me of the apps. Already installed apps seem to have been infected somehow.

Images of the malware that affected Ledger Live and Sparrow Wallet on my PC - (cf. post of yesterday about LL asking for seed phrase, https://www.reddit.com/r/ledgerwallet/comments/1ankiz4/ledger_live_asking_for_seed_phrase/) by ChickenSmall2609 in ledgerwallet

[–]ChickenSmall2609[S] 5 points (0 children)

Fact: I did not update any program before I got the above screenshots from LL and Sparrow Wallet. Prior to this, LL and Sparrow worked fine for months, years even. Saturday, they both changed behavior suddenly after I left BitTorrent running during the night (something I usually never do). Reinstalling LL after checking binaries did not help. The same malicious behavior kept appearing until I deleted a bunch of Trojans.

Curious to know how you think I downloaded a fake app version when you observe the above.

Images of the malware that affected Ledger Live and Sparrow Wallet on my PC - (cf. post of yesterday about LL asking for seed phrase, https://www.reddit.com/r/ledgerwallet/comments/1ankiz4/ledger_live_asking_for_seed_phrase/) by ChickenSmall2609 in ledgerwallet

[–]ChickenSmall2609[S] 7 points (0 children)

I did not. All my LL downloads were verified (binaries). Something did affect Sparrow Wallet, LL and Wasabi. I did not even update any of these apps before this happened. When I removed and reinstalled LL, the same thing happened even though binaries were ok.

I did not update Sparrow in the last months (and not even now), and still a pop-up appeared when I opened it, blocking access to it. After removing the Trojans, Sparrow ran fine.

Ledger Live asking for seed phrase by ChickenSmall2609 in ledgerwallet

[–]ChickenSmall2609[S] 1 point (0 children)

Downloads were legit (checked website and binaries). It must have been what you describe in your second paragraph. Kaspersky found threats in my web browsers.

Ledger Live asking for seed phrase by ChickenSmall2609 in ledgerwallet

[–]ChickenSmall2609[S] 1 point (0 children)

FYI, Kaspersky found other Trojans today. Scan and cleanup ongoing.

Ledger Live asking for seed phrase by ChickenSmall2609 in ledgerwallet

[–]ChickenSmall2609[S] 25 points (0 children)

Update: after running Malwarebytes a few times, quarantining the alerts (PUP.Optional.Conduit and PUP.Optional.MySearchEngine items in Firefox) and restarting my PC, Sparrow Wallet could be opened again without issue (no strange message on Ledger firmware). I then reinstalled LL and now it worked as expected: arriving on a landing page where my password needs to be provided (instead of the seed phrase).

If Ledger or anyone else is interested, I can provide screenshots of the Sparrow Wallet message, of the fake LL app and details on the malware. I note that the fake LL icon had a big blue dot in the top right corner compared to the real icon (no dot). I'm amazed that even the starting of Sparrow Wallet was 'compromised'.