"Crypto Asset Security Sharing Series"

Today, 3 OKX @okxchinese account asset theft cases came into view, and the amounts are huge (around 1 million yuan).

Combined with the 1 million USD Binance @binancezh theft caused by a Chrome extension two days ago (which was finally properly resolved), we have to sigh that crypto hackers have been having a great time recently.


PS: The first article in the series was "Frequently Asked Questions about Crypto Wallet Asset Security".

If you install and use the malicious plugin Aggr, hackers can collect your cookies and use them to access logged-in user accounts, conduct transactions, withdraw funds, and even impersonate users in social engineering attacks. In this way, hackers can control your account without needing your password or 2FA. In the victim's case, because the information was stored in 1Password, the hacker had no way to bypass 2FA and take his assets, but could still use his cookies to hold his account and make profits through counter-trading.

In today's OKX theft cases, the hackers seem to have taken control of the user accounts and were able to force transactions and asset withdrawals, rather than earning profits through theft. The reasons behind this are still under investigation, and the victims had not enabled 2FA.

In addition to phishing attacks in the crypto community (clicking on phishing links intentionally or unintentionally), the conference participants summarized some tips:

1. Use mobile apps instead of web apps, to avoid browser plugins and clicking on phishing links.

2. Do not randomly download plugins or click on unfamiliar links; do install security software, such as Scam Sniffer.

3. Be sure to enable two-factor authentication (2FA), such as SMS, email, Google Authenticator, etc. Requiring it for every login and important operation (such as withdrawing funds) ensures that even if the user's cookies are stolen, the account cannot be easily accessed.

4. Remember to revoke the signature (approval) promptly after completing an interaction (for example, when gas is low). It is best to allow the dapp to use only the minimum amount of funds needed for the interaction; do not approve the other party to use all of your funds.

5. It is best to use Apple devices as they are more secure.

6. Do not trust private messages on Telegram, Discord or Twitter. For example, you may be inexplicably pulled into a group that looks very similar to the official one on Telegram (I have personally been pulled into a highly imitated RNDR official group)

7. Beware of social engineering scams, such as links sent by group members (which may be unintentional)

8. To check whether a Twitter post is official, look at the number and quality of the followers you have in common, check the unique account name after the @, and make sure you know where the official tweet ends. Fake accounts often add a fake tweet with a phishing link at the end of the official tweet.

9. Do not click on links from small projects offering staking ("pledge") or lotteries (chasing small profits).

10. To reach a platform you want to interact with, do not search for the URL on Google. Use the website listed on the official Twitter account or on CoinGecko, and cross-verify it through multiple channels (official Twitter accounts may also be hacked and have phishing links attached by hackers).

11. Don't put all your assets in one place, whether it's a centralized exchange (not your keys, not your coins) or a hot wallet that doesn't create private keys offline, such as MetaMask or the OKX Web3 wallet.

12. When using private keys, especially for large assets, never connect to the Internet and do not interact with the network. Keep only a small amount of funds in the hot wallet for interactions, so that hot and cold storage stay separate.

13. Understand the mnemonic phrase. With the mnemonic phrase, you can restore your wallet and the assets in it during liquidity. Never enter the mnemonic phrase during liquidity.

14. Continuing from the previous point, authenticate and keep the mnemonic, do not copy and paste, do not take photos and upload them to the cloud for backup, and do not lie on it alone (do not be seen by others, cameras, social engineering), write the mnemonic and save it, or even carve it on a steel plate (waterproof and fireproof). Take the OKX Web3 wallet as an example. If you uninstall and delete the app/change your phone, you need the mnemonic to restore the wallet. Forgetting the mnemonic means losing all your assets.

15. When creating a wallet, it is safest not to touch the Internet. Hot wallets such as MetaMask and OKX are all connected to the Internet and can be used with wallets.

16. If you are a large holder (a whale), it is best to have multiple wallets from different companies, and to separate the interaction wallet from the coin-storage wallet. It is best to use the interaction wallet in combination with the hot wallet.

17. Continuing from the previous point, how to choose a wallet company: offline mnemonic setup, a good track record, endorsement by well-known investors, a public team, active founders, open source code, etc.

18. Develop the habit of making test transactions. Transfer a small amount into a wallet first to see whether it can be transferred out. If you are unable to sign and transfer out because of inadequate settings, your assets are effectively reduced to zero and only paper wealth remains.

19. When transferring money, carefully check every digit of the address. Do not look only at the first and last digits, and do not copy and paste the address from the history record/whitelist. Hackers can easily bury earlier records under 0 gas transfer records and then lure you into transferring money to the hacker's address.
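A full-address check for tip 19, as an added example that is not part of the original post: it flags history entries whose counterparty shares the first and last four hex digits with a trusted address, and approves a destination only when every digit matches. The addresses, the `(sender, recipient, amount)` history tuples and the four-digit window are constructed assumptions.

```python
# Added example (not from the original post): spot look-alike addresses
# planted in a transfer history, and compare destinations digit by digit.
HEX = set("0123456789abcdef")

def norm(addr):
    """Lower-case a 0x-prefixed 20-byte hex address; reject malformed input."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def looks_alike(a, b, edge=4):
    """True if a and b differ but share the first and last `edge` hex digits."""
    a, b = norm(a), norm(b)
    return a != b and a[2:2 + edge] == b[2:2 + edge] and a[-edge:] == b[-edge:]

def find_lookalikes(history, trusted, edge=4):
    """Return sorted (imposter, imitated) pairs among history counterparties."""
    known = {norm(t) for t in trusted}
    hits = set()
    for sender, recipient, _amount in history:
        for party in (norm(sender), norm(recipient)):
            if party in known:
                continue  # our own or an already verified address
            hits.update((party, t) for t in known if looks_alike(party, t, edge))
    return sorted(hits)

def safe_to_send(dest, trusted):
    """Approve only a destination that matches a trusted address in full."""
    return norm(dest) in {norm(t) for t in trusted}

# Constructed sample data (no real addresses).
ME = "0x" + "c" * 40
FRIEND = "0x1234" + "a" * 32 + "5678"
FAKE = "0x1234" + "b" * 32 + "5678"   # same first/last 4 digits as FRIEND
OTHER = "0x" + "d" * 40
HISTORY = [(ME, FRIEND, 500), (ME, FAKE, 0), (OTHER, ME, 20)]

if __name__ == "__main__":
    for imposter, imitated in find_lookalikes(HISTORY, {ME, FRIEND}):
        print(f"WARNING: {imposter} imitates {imitated}")
    print("send to FAKE allowed:", safe_to_send(FAKE, {ME, FRIEND}))
```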

Core logic: Don't click on random links, and don't just believe that a link can provide you with more information. What if you do click on a phishing link? See whether Scam Sniffer can block it, whether the interaction amount you customized for the dapp keeps the loss under control, and whether you routinely revoke approvals. So, if you really want to buy something cheap, you can consider buying one. After all, cheap is not affordable. The real essence is therefore not how to prevent being hacked or phished, because that can never be guaranteed 100% of the time. The real essence is whether, if you are unfortunately hacked, you can control and reduce the loss through good daily habits, and whether you can always stay at the table.