Dark Skippy method can exploit Bitcoin hardware wallets

Security researchers recently disclosed a new type of malicious attack that allows hackers to access hardware wallets and user private keys after two signed transactions. The researchers dubbed the attack Dark Skippy that works if a hacker tricks a user into downloading a malicious firmware.

Nick Farrow, Lloyd Fournier, and Robin Linus published the disclosure detailing the information about Dark Skippy. Nick Farrow and Lloyd Fournier are co-founders of the upcoming hardware wallet firm Frostsnap. Robin Linus is involved in the Bitcoin protocols BitVM and ZeroSync.

The report explained how every signing device inserts random values known as nonces for every signed BTC transaction. Weak nonces can allow attackers to decipher private keys from the signatures through ‘nonce grinding.’ 

Dark Skippy attacks depend on a similar technique. An attacker introduces malicious firmware to the signing device. The malicious firmware generates weak nonces every time the device signs a transaction. 

An attacker can use techniques like Pollard’s Kangaroo Algorithm to compute the seed phrase and access a victim’s wallet. Dark Skippy is faster and requires fewer signed transactions compared to older nonce grinding techniques.

Researchers suggest mitigating measures for Dark Skippy

Nick, Robin, and Lloyd offered mitigation measures to deal with Dark Skippy. The researchers explained that most signing devices have hardware security defenses to prevent the loading of malicious firmware. Some include securing device physical access, employing hardware security techniques, buying legit signing devices, and more.

Nick tweeted about suggested protocol-based mitigations used in the past, including anti-exfil and deterministic nonces. The three researchers presented new mitigation measures that could coexist with partially signed Bitcoin transactions (PSBT) signing workflows in their report.

The two suggested measures include mandatory adaptor signatures and mandatory nonce proof-of-work. The measures aim to disrupt the Dark Skippy attacks like new PSBT fields.

The Frostsnap co-founder still insisted on mitigation discussions and implementations to deal with the new threat. The researchers also asked readers and industry experts to provide feedback on the mitigation measures provided in the report. 

Bitrace warns about new QR code scams 

Bitrace recently tweeted about a new scam that tricks users into authorizing wallets. A recent crypto wallet theft victim contacted the company requesting assistance. The victim explained that their funds were all stolen after testing a transfer of 1 USDT through a QR code. The victim revealed that they couldn’t understand how someone robbed them after only scanning a QR code.

The data analytics company explained that QR code scams were a new scam type involving a QR code transfer test. The scammers first suggest an over-the-counter transaction to unaware victims. The bad actors then offer lower rates than other crypto market services. 

The company also revealed that scammers offer TRX as a fee for long-term cooperation and make a USDT payment to gain trust. The scammer then requests a small payment test to access a victim.

Bitrace tested the scam using an empty wallet and the QR code the victim provided. The company said the scan led them to a third-party website requesting a repayment amount. Once the victim confirms the transaction, scammers steal the wallet authorization. The cybercriminals then transfer all the funds from the victim’s wallet.