TheDinarian
News • Business • Investing & Finance
Criminals have recently been found creating modified Trezor wallets
May 16, 2023
(Dinarian Note: This is why it's worth paying a few extra dollars at the manufacturer's website, versus buying a used-refurbished unit on the secondary markets. These thieves are getting smarter and smarter unfortunately...)

Full review of a fake cryptowallet incident. It looks and feels like a Trezor wallet, but puts all your crypto-investments into the hands of criminals.

Easy to steal and cash out, cryptocurrency is one of the most attractive digital assets for attackers. Accordingly, serious investors often use hardware cryptowallets to protect their crypto-investments. Such a wallet stores private keys away from vulnerable computers and smartphones and makes it much safer to sign transactions. But unfortunately, owning a hardware wallet doesn’t guarantee the safety of your funds, as one of our clients has learned the hard way.

Hack symptoms

The attackers worked stealthily: one fateful day, an operation appeared in the cryptowallet's transaction history in which a large sum of money was transferred to someone else. However, the victim had performed no transactions at all that day. Moreover, the cryptowallet wasn’t even plugged into a computer!

Aaand… It's gone!

Dissecting the wallet

The victim had purchased the rather popular hardware wallet Trezor Model T. It uses fully open-source code — both software and hardware-wise — and is based on the popular STM32F427 microcontroller.

The Trezor Model T vendor has undertaken a wide range of security measures that, in theory, should reliably protect the device from attackers. Both the box and the unit housing are sealed with holographic stickers, and the microcontroller is in flash-memory read-out protection mode (RDP 2). The bootloader checks the digital signature of the firmware and, if an anomaly is detected, displays an unoriginal firmware message and deletes all the data in the wallet. Accessing the device and confirming transactions require a PIN code that — even though it doesn’t protect the master access key (a base for generating the mnemonic seed phrase) — is used to encrypt the storage where it’s kept. Optionally, in addition to the PIN, you can protect your master access key with a password as per the BIP-39 standard.

Do not use me, I am unsafe!

At first cursory glance, the wallet we examined appeared to be exactly the same as a genuine one, and showed no signs of tampering. The unit was bought from a trusted seller through a popular classifieds website, and the holographic stickers on the box and the wallet itself were all present and undamaged. When started up in update mode, the wallet displayed firmware version 2.4.3 and bootloader version 2.0.4.

Fake wallet update mode screen

When handling the wallet, nothing felt suspicious either: all the functions worked as they should, and the user interface was no different from the original one. However, mindful of the theft that had occurred via it, we delved deeper. And that’s where our interesting discoveries began.

Right off the bat, we found that the vendor had never released bootloader version 2.0.4. The project change history on GitHub concisely states that this version was “skipped due to fake devices”. After such an intriguing statement, we just had to reach for the scalpel and begin our dissection, of course…

What on earth is version 2.0.4?

The housing was difficult to open: its two halves were held together with liberal quantities of glue and double-sided adhesive tape instead of the ultrasonic bonding used on factory-made Trezors. Even more curiously, inside there was an entirely different microcontroller showing traces of soldering! Instead of the original STM32F427, the unit had an STM32F429 with fully deactivated microcontroller flash-memory read-out protection mechanisms (RDP 0 instead of RDP 2 in genuine Trezors).

It looked perfectly genuine from the outside; however… (left — original, right — fake)

Thus, the fake cryptowallet theory was proved true: it was a classic supply-chain attack in which an unsuspecting victim buys an already-hacked device. But the actual cryptocurrency stealing mechanism was still unclear…

Trojan firmware

We won’t repeat the commonplace truths about cryptowallets that we covered earlier, but we’ve just one little reminder for you: a cryptowallet contains your private key, and whoever knows that key can sign any transaction and spend your money. The fact that the attackers were able to conduct a transaction while the offline wallet was stashed in its owner’s strongbox means that they either copied the private key after it was generated, or… they knew it all along!

Thanks to the deactivated flash-memory read-out protection, which our attackers decided not to turn on after the new microcontroller was soldered in, we easily extracted the wallet firmware and, by reconstructing its code, discovered that the attackers indeed knew the private key in advance. But how?

The original bootloader and wallet firmware received only three modifications:

First, the bootloader checks for protection mechanisms and digital signatures were removed, thus getting rid of the “red screen” problem during the firmware originality check at startup.

Second, at the initialization stage or when resetting the wallet, the randomly generated seed phrase was replaced with one of 20 pre-generated seed phrases saved in the hacked firmware. The owner would begin using it instead of a new and unique one.

Third, if the user chose to set an additional master-seed protection password, only its first symbol (a…z, A…Z, 0…9, or ! for any special character) was used, which, together with the no-password option, gave just 64 possible combinations. Thus, to crack a given fake wallet, only 64*20=1280 variants had to be considered.
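To make the effect of the second and third modifications concrete, the following added example (not code from the original article, the vendor, or the recovered firmware) models the passphrase truncation on top of the standard BIP-39 seed derivation and shows that a long passphrase and its first character yield the same seed on a tampered device. The function names and the `reduce_passphrase` model are assumptions based on the description above; the mnemonic is the public BIP-39 test phrase, used here as constructed sample input.

```python
import hashlib
import math
import string
import unicodedata

# Figure taken from the article: 20 seed phrases were embedded in the firmware.
PREGENERATED_SEEDS = 20
ALNUM = string.ascii_letters + string.digits  # a..z, A..Z, 0..9

# Constructed sample input: the public BIP-39 test mnemonic, never used for funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Standard BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def reduce_passphrase(passphrase: str) -> str:
    """Assumed model of the third modification: keep only the first symbol,
    and collapse every special character to '!'."""
    if not passphrase:
        return ""
    first = passphrase[0]
    return first if first in ALNUM else "!"


def tampered_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Seed as a device with the truncating firmware would derive it."""
    return bip39_seed(mnemonic, reduce_passphrase(passphrase))


def passphrase_classes() -> set:
    """Every distinct passphrase the tampered device can effectively use."""
    return {""} | set(ALNUM) | {"!"}


def effective_keyspace() -> int:
    """Seed phrases times passphrase classes, as computed in the article."""
    return PREGENERATED_SEEDS * len(passphrase_classes())


def effective_bits() -> float:
    """The same keyspace expressed as bits of entropy."""
    return math.log2(effective_keyspace())


def passphrases_collide(a: str, b: str, derive) -> bool:
    """True if two passphrases give the same seed under `derive`."""
    return derive(SAMPLE_MNEMONIC, a) == derive(SAMPLE_MNEMONIC, b)


if __name__ == "__main__":
    strong, weak = "correct horse battery staple", "c"
    print("passphrase classes:", len(passphrase_classes()))
    print("effective keyspace:", effective_keyspace())
    print("effective entropy : %.1f bits" % effective_bits())
    print("genuine derivation collides :",
          passphrases_collide(strong, weak, bip39_seed))
    print("tampered derivation collides:",
          passphrases_collide(strong, weak, tampered_seed))
```

The takeaway for defenders is that a passphrase adds nothing once the firmware itself is untrusted: the whole wallet collapses to roughly ten bits of entropy regardless of what the owner types.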

The fake cryptowallet would operate as normal, but the attackers had full control over it from the very beginning. According to the transaction history, they were in no hurry, waiting a whole month after the wallet was credited for the first time before they grabbed the money. The owner had no protection whatsoever: the game was lost from the very moment the money first arrived in the Trojan wallet.

How to prevent the fake device threat

It’s not easy to tell a fake cryptowallet from a real one without special knowledge and experience. The main safeguard is to buy your wallet directly from the official vendor and choose models with special versions of protected microcontrollers (even original Trezors aren’t ideal in this sense: there are other brands’ wallets with better protected chips and extra protection mechanisms).

It should be remembered that even an authentic and unmodified wallet can be vulnerable to a number of threats. The priority measures include the use of a password (if supported by your wallet), and, of course, protection for all computers and smartphones.
