This article will focus on the three main aspects of purchasing, using, and storing hardware wallets, sorting out common risks, analyzing typical scams with real case studies, and providing practical protective advice to help users effectively safeguard their cryptocurrency assets.

In the previous issue of the Web3 security introduction and pitfall avoidance guide, we discussed clipboard security. Recently, a victim contacted the SlowMist security team, stating that they had purchased a tampered cold wallet on Douyin, resulting in approximately 50 million yuan of cryptocurrency assets being stolen. This issue focuses on a tool that many people trust by default but frequently misunderstand in use: hardware wallets.

(https://x.com/SlowMist_Team/status/1933799086106538101)

Hardware wallets have always been regarded as a reliable tool for protecting cryptocurrency assets because the private keys are stored offline. However, as the value of cryptocurrency assets continues to rise, the attacks on hardware wallets keep evolving: counterfeit hardware wallets, fake firmware updates and fake verification, phishing websites, and carefully designed social engineering traps. Many users inadvertently fall into these traps and ultimately have their assets completely drained. Devices that seem secure actually harbor backdoors; emails that appear official actually come from attackers.
Risks in the purchasing phase

There are mainly two types of scams related to purchasing:

Fake wallets: The device looks normal, but the firmware has been tampered with; once used, the private keys may silently leak.

Genuine wallets + malicious guidance: Attackers exploit users' lack of security knowledge by selling 'initialized' devices through unofficial channels or inducing users to download counterfeit companion applications, and then complete the theft through phishing or social engineering.

Let's look at a typical case: a user bought a hardware wallet from an e-commerce platform and, upon opening the package, found that the instruction manual looked like a scratch card. The attacker had activated the device in advance, obtained the mnemonic phrase, then repackaged the hardware wallet with a counterfeit manual and sold it through unofficial channels. Once the user followed the instructions to scan the code, activate the device and transfer assets to the wallet address, the funds were immediately moved away, completing the standard theft process of a fake wallet. These scams target users who are encountering hardware wallets for the first time. Lacking the relevant background knowledge, such users do not realize that a 'factory default mnemonic phrase' is itself a serious security anomaly: a genuine device generates its mnemonic during the user's own first setup, and it is never supplied by the seller.

(https://www.reddit.com/r/ledgerwallet/comments/w0jrcg/is_this_a_legit_productbought_from_amazon_came/)

In addition to this 'activation + repackaging' trick, there is a more covert and sophisticated form of attack: tampering at the firmware level. A backdoor is implanted in the device's firmware while the device appears completely normal. For users this type of attack is almost undetectable, because firmware verification and disassembly are neither cheap nor skills that everyone possesses.
Once users store assets in such a device, the hidden backdoor is quietly triggered: attackers can remotely extract private keys, sign transactions, and transfer assets to their own addresses. The entire process is silent, and by the time the user realizes it, it is often too late.

(https://x.com/kaspersky/status/1658087396481613824)

Therefore, users must purchase hardware wallets through official brand websites or authorized channels, and must not choose irregular platforms for convenience or a low price. Second-hand devices and items of unknown origin in particular may already have been tampered with or initialized.

Attack points during the usage process

Phishing traps in signature authorization

Although hardware wallets isolate private keys, they cannot eliminate the phishing attacks enabled by 'blind signing'. Blind signing is like signing a blank check: the user confirms a signature request or hash that cannot be interpreted, without clearly knowing the transaction details. This means that even under the protection of a hardware wallet, users may still unknowingly authorize a transfer to a stranger's address or execute a smart contract with malicious logic. Blind signing attacks usually lure users into signing through cleverly disguised phishing pages, and in recent years hackers have stolen a large amount of user assets this way. As DeFi, NFTs and other smart contract scenarios continue to expand, signature operations are becoming increasingly complex. The way to cope is to choose a hardware wallet that supports 'what you see is what you sign', so that every transaction detail is clearly displayed on the device screen and confirmed item by item.
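To make the difference between blind signing and 'what you see is what you sign' concrete, here is an added example (not code from the original article or from any wallet vendor) that decodes the calldata of a standard ERC-20 transfer/approve call into the recipient and amount a clear-signing device would show on its screen. Anything it cannot decode is reported as an unknown call, which is exactly the situation in which a device can only display an opaque hash. The selector table covers only the two standard ERC-20 methods; the recipient address and the sample calldata are constructed for the demonstration.

```python
# Added example: decode ERC-20 calldata the way a clear-signing display would,
# and flag anything that could only be shown as an opaque hash (blind signing).

# The 4-byte selector is the first 4 bytes of keccak256(canonical signature).
# Only the two standard ERC-20 methods are listed; everything else is "unknown".
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
}

WORD = 32  # ABI arguments are padded to 32-byte words


def _strip_0x(hexstr):
    return hexstr[2:] if hexstr.lower().startswith("0x") else hexstr


def decode_calldata(calldata_hex):
    """Return (method_name, [args]) for a known selector, or None if the call
    cannot be interpreted and would therefore have to be blind-signed."""
    data = bytes.fromhex(_strip_0x(calldata_hex))
    if len(data) < 4:
        return None
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        return None
    name, types = KNOWN_SELECTORS[selector]
    body = data[4:]
    if len(body) != WORD * len(types):
        return None  # malformed: wrong argument length
    args = []
    for i, typ in enumerate(types):
        word = body[i * WORD:(i + 1) * WORD]
        if typ == "address":
            # An address occupies the low 20 bytes; the high 12 bytes must be zero.
            if any(word[:12]):
                return None
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return name, args


def describe_for_display(calldata_hex, decimals=18):
    """Produce the one-line summary a user should be able to confirm on the
    device screen; unknown calls get an explicit warning instead of a hash."""
    decoded = decode_calldata(calldata_hex)
    if decoded is None:
        return "UNKNOWN CALL: only an opaque hash can be shown; do not blind-sign"
    name, (recipient, raw_amount) = decoded
    whole, frac = divmod(raw_amount, 10 ** decimals)
    return f"{name} {whole}.{frac:0{decimals}d} tokens to {recipient}"


def encode_erc20_call(selector_hex, recipient, raw_amount):
    """Build transfer/approve calldata (used here only to construct the sample)."""
    addr = bytes.fromhex(_strip_0x(recipient))
    assert len(addr) == 20
    return "0x" + selector_hex + (b"\x00" * 12 + addr).hex() + raw_amount.to_bytes(WORD, "big").hex()


# Constructed sample: 1000 tokens (18 decimals) to a placeholder address.
RECIPIENT = "0x" + "42" * 20
SAMPLE_TRANSFER = encode_erc20_call("a9059cbb", RECIPIENT, 1000 * 10 ** 18)
# Constructed sample of an unrecognised selector followed by two argument words.
SAMPLE_UNKNOWN = "0x" + "deadbeef" + "00" * 64

if __name__ == "__main__":
    print(describe_for_display(SAMPLE_TRANSFER))
    print(describe_for_display(SAMPLE_UNKNOWN))
```

The point of the example is the asymmetry: for the recognised call the user can check the recipient and amount against what the dApp claimed, while for the unrecognised call no screen can tell them what they are approving, so refusing to sign is the only safe answer.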
(https://www.ledger.com/zh-hans/academy/%E4%B8%BB%E9%A2%98/ledgersolutions-zh-hans/10-years-of-ledger-secure-self-custody-for-all)

Phishing from 'official' sources

Attackers are also adept at exploiting circumstances to commit fraud, especially under the banner of 'official'. For example, in April 2022, some users of the well-known hardware wallet Trezor received phishing emails from the domain trezor[.]us, whereas Trezor's actual official domain is trezor[.]io. The phishing email also contained the domain suite[.]trẹzor[.]com. The 'ẹ' looks like an ordinary English letter, but the label is actually an internationalized domain name whose Punycode form reveals it: the real identity of trẹzor is xn--trzor-o51b.

Attackers also exploit real security incidents to increase the success rate of their deception. In 2020, Ledger suffered a data breach in which approximately 1 million user email addresses were leaked; for a subset of about 9,500 customers, names, mailing addresses, phone numbers, and product purchase information were exposed as well. With this information in hand, attackers impersonated Ledger's security and compliance department and sent phishing emails claiming that users' wallets needed to be upgraded or undergo security verification. The emails induced users to scan a QR code that redirected them to a phishing website.

(https://x.com/mikebelshe/status/1925953356519842245)
(https://www.reddit.com/r/ledgerwallet/comments/1l50yjy/new_scam_targeting_ledger_users/)

In addition, some users received express packages in which even the device's outer packaging was shrink-wrapped. The package contained a counterfeit Ledger Nano X wallet and a counterfeit letter on official letterhead, claiming it was a replacement sent in response to the previous data breach incident, to replace users' '...
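The Punycode trick above (trẹzor being really xn--trzor-o51b) and the trezor[.]us look-alike can both be caught mechanically before a user ever clicks. The following is an added example, not code from the original article or from Trezor or Ledger: it converts each label of a hostname to its ASCII A-label, strips diacritics to recover the 'skeleton' a human perceives, and compares that skeleton against a short allow-list of official brand domains. The allow-list and the sample hostnames are constructed for the demonstration.

```python
# Added example: flag look-alike sender domains (IDN homoglyphs, wrong TLDs).
import unicodedata

# Constructed allow-list: brand skeleton -> the one registrable domain that is official.
# A real deployment would maintain this from configuration rather than hard-code it.
OFFICIAL_DOMAINS = {
    "trezor": "trezor.io",
    "ledger": "ledger.com",
}


def to_ascii(host):
    """Convert each non-ASCII label to its Punycode A-label (xn--...)."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(label):
    """Strip diacritics: decompose with NFKD, then drop combining marks.
    'tr\u1eb9zor' (e with dot below, U+1EB9) becomes plain 'trezor'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def check_sender_domain(host):
    """Return a list of findings for a hostname; an empty list means no look-alike found."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    findings = []
    ascii_host = to_ascii(host)
    if ascii_host != host:
        findings.append(f"IDN label present: {host} is really {ascii_host}")
    # Walk every label except the TLD; a brand name may appear at any depth.
    for i, label in enumerate(labels[:-1]):
        brand = skeleton(label)
        if brand in OFFICIAL_DOMAINS:
            registrable = ".".join(labels[i:])  # the brand label plus everything to its right
            if to_ascii(registrable) != OFFICIAL_DOMAINS[brand]:
                findings.append(
                    f"{registrable} imitates {brand} but the official domain is {OFFICIAL_DOMAINS[brand]}"
                )
    return findings


# Constructed samples modelled on the domains discussed in the text.
SAMPLES = [
    "trezor.io",
    "suite.trezor.io",
    "trezor.us",
    "suite.tr\u1eb9zor.com",
    "trezor.io.example.com",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", check_sender_domain(h) or "ok")
```

The skeleton step is what defeats the homoglyph: after decomposition the dotted 'ẹ' is just 'e' plus a combining mark, so the attacker's label collapses to the brand name and is then judged by its real registrable domain, not by how it looks. The same comparison also catches the plain wrong-TLD case (trezor.us) and brand names buried inside a longer hostname.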