Recent events in our community make it worth reminding investors and users that they must remain careful and vigilant about security when handling their cryptocurrency assets.
In short, one scammer managed to repeatedly steal about $35000 worth of assets (21000 MAG) from two users. Their modus operandi for stealing collateral funds was to spoof the identity of admins on our Slack channel while offering to help users with the setup. They targeted people not well acquainted with security, deceived them with technical jargon, and had them reveal the private key of their collateral address (see excerpt below).
Let me start by saying that, exceptionally, it was decided to fully refund the stolen value to the users. We will not be able to do this again, so we have written up a series of security guidelines that we strongly encourage you to read.
The Weakest Link May Be You
As famous cryptography expert Bruce Schneier reminds us: “security is only as strong as the weakest link”.
This may not be the greatest sales pitch, but it is honest and true. An attacker will not try to break strong cryptography (AES, ECDSA, X11…) to get into your wallet or to steal directly from the blockchain. He will look for the weakest point. In our case, that was a bit of social engineering exploiting the unsuspecting users' lack of knowledge.
Takeaway It is important to learn and understand the concepts behind the blockchain and cryptocurrencies, because your investment depends on it.
A Key Is Compromised Forever
The term "cryptocurrency wallet" is a misnomer: the wallet does not contain your coins, which exist only as entries on the blockchain. It contains the keys that authorize spending them. I mention this because we asked the victims for an address to send the refund to, and one of them gave us the same address from which the funds had been stolen, i.e. an address whose private key the scammer still holds. It would be like placing new valuables in the same room without changing the lock after a thief obtained a copy of the key.
Takeaway Anyone who holds your private key can move your funds at any time, and there is no way to revoke a key or reverse a transaction. If a key is compromised, stop using it: create a new one and move whatever is left right away.
Always Encrypt Your Wallet
Your machine may be compromised through a software exploit (even one unrelated to crypto), or other people may simply have access to it. Encrypting your wallet encrypts the private keys inside the wallet file, so anyone who gets hold of the file or the machine also needs your passphrase to perform any operation involving signing (i.e. spending coins). This protects keys at rest and nothing more: while the wallet is unlocked to send a transaction, or if malware on the machine captures the passphrase as you type it, the keys are exposed. Unlock only for as long as a transaction needs and lock the wallet again afterwards.
Takeaway Add that extra layer of security, and never forget the passphrase: without it your funds cannot be recovered!
Never Share Your Private Keys
When you create a new "receive" address, a key pair is generated using strong cryptography. The pair consists of a public key and a private key. The public key, and the address derived from it, is safe to share with anyone who needs to send you funds. The private key is absolutely confidential and must never be shared with anyone: it is what signs, and therefore spends, your coins. The GUI does not show the private key, nor does it provide any means to access it. However, there are RPC and console commands that reveal private keys: dumpwallet (every key in the wallet) and dumpprivkey (the key for one address). A key exported this way is just a short text string; anyone who sees it, even once, can import it into their own wallet and empty the address.
Takeaway The official admins of magnetwork.io will never ask you to run such commands or to paste their output. If anyone asks you to, report that person immediately.
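The output of dumpprivkey has a recognizable shape, which is useful both for the person about to paste something and for anyone moderating the channel. The following is an added example, not code from the original guidelines or from the Magnet project: a small checker that finds wallet-import-format (WIF) private keys in a piece of text by decoding Base58Check and verifying the checksum. It assumes the WIF layout of Bitcoin-derived wallets (version byte, 32-byte secret, optional 0x01 compressed flag, 4-byte double-SHA256 checksum); the version byte 0x80 is Bitcoin mainnet's, and the prefix Magnet uses is not given on this page, so it is a parameter. The secret and chat message at the bottom are constructed for the example.

```python
"""Spot WIF-format private keys (what dumpprivkey prints) in text before it is shared.

Added example, not part of the original guidelines or the Magnet code base.
Assumes the Base58Check wallet import format of Bitcoin-derived wallets.
"""
import hashlib
import re

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION = 0x80  # assumption: Bitcoin mainnet WIF prefix, not necessarily Magnet's


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(ALPHABET[r])
    # Every leading zero byte becomes a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (ALPHABET[:1] * pad + bytes(reversed(digits))).decode()


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s.encode():
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 string")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_wif(secret: bytes, compressed: bool = True, version: int = VERSION) -> str:
    """Encode a raw 32-byte secret the way dumpprivkey prints it."""
    if len(secret) != 32:
        raise ValueError("secret must be 32 bytes")
    payload = bytes([version]) + secret + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def decode_wif(wif: str, version: int = VERSION):
    """Return (secret, compressed) for a valid WIF string, else None."""
    try:
        raw = b58decode(wif)
    except ValueError:
        return None
    if len(raw) not in (37, 38):          # version + 32 bytes [+ flag] + checksum
        return None
    payload, chk = raw[:-4], raw[-4:]
    if payload[0] != version or checksum(payload) != chk:
        return None
    compressed = len(payload) == 34
    if compressed and payload[-1] != 0x01:
        return None
    return payload[1:33], compressed


# Whole base58 tokens of WIF length: 51 chars (uncompressed, starts with '5')
# or 52 chars (compressed, starts with 'K' or 'L') for the 0x80 prefix.
TOKEN = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{50,53}(?![1-9A-HJ-NP-Za-km-z])")


def find_private_keys(text: str, version: int = VERSION) -> list:
    """Every token in text that is a WIF key with a valid checksum.

    A base58 string of the right length whose checksum verifies is a private
    key, whatever the sender calls it; a moderation bot can flag it and a
    user can run this over a paste before sending it.
    """
    return [t for t in TOKEN.findall(text) if decode_wif(t, version) is not None]


if __name__ == "__main__":
    # Constructed sample: a throwaway secret and a message shaped like the scam.
    sample_secret = bytes(range(1, 33))
    key = encode_wif(sample_secret)
    message = f"hi, admin here, just run dumpprivkey and send me the result: {key}"
    print(find_private_keys(message))
```

If Magnet follows the Dash design, the masternodeprivkey in masternode.conf is WIF-encoded as well (assumption), so the same check covers the masternode key discussed in the next section.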
Masternode Private Keys Are Important
Similarly, the masternode private key is used for operations that involve signing, such as voting, and must not be shared with anyone: whoever holds it can spoof your masternode's identity on the network. Keep in mind that masternodes perform services and get banned if proven malicious, so an attacker acting under your node's identity can also cost you the node.
Takeaway Keep your masternode private key safe and never share it with anyone.
Be Careful When Sharing Configuration Files
If you need to share the wallet configuration files (i.e. magnet.conf and masternode.conf), always remove the masternode private key (masternodeprivkey), the RPC user (rpcuser) and the RPC password (rpcpassword) first. Treat the RPC credentials like a private key: anyone who can reach the RPC port with them controls the whole wallet, including the dump commands mentioned above, so also keep RPC bound to localhost (the default) unless you have a specific reason not to.
Takeaway Always check what you are copying and pasting before posting it online. Once online, confidential information is very hard to remove, so treat any key or password posted by mistake as compromised.
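Removing those three values by hand is easy to get wrong when you are asking for help in a hurry. Below is an added example, not code from the original guidelines or from the Magnet project, that redacts them from both files and then re-checks the result before you paste it. It assumes magnet.conf uses the key=value layout of Bitcoin-derived daemons and that masternode.conf uses the Dash-style line "alias ip:port masternodeprivkey collateral_txid collateral_index"; if Magnet's layout differs, adjust SECRET_KEYS or the field index. Both sample files are constructed for the example.

```python
"""Strip secrets from magnet.conf / masternode.conf before sharing them.

Added example, not part of the original guidelines or the Magnet code base.
Layout assumptions: key=value lines in magnet.conf, Dash-style five-field
entries in masternode.conf.
"""
import re

# Values that must never leave the machine; keys are compared case-insensitively.
SECRET_KEYS = {"masternodeprivkey", "rpcuser", "rpcpassword"}
REDACTED = "<REDACTED>"
KEY_VALUE = re.compile(r"^(\s*)([A-Za-z0-9_]+)\s*=(.*)$")


def redact_conf(text: str) -> str:
    """magnet.conf: keep every setting, blank only the secret values."""
    out = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m and m.group(2).lower() in SECRET_KEYS:
            out.append(f"{m.group(1)}{m.group(2)}={REDACTED}")
        else:
            out.append(line)
    return "\n".join(out)


def redact_masternode_conf(text: str) -> str:
    """masternode.conf: the third field of each entry is the masternode key."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 5:
            out.append(line)            # comments, blank and malformed lines untouched
            continue
        fields[2] = REDACTED
        out.append(" ".join(fields))
    return "\n".join(out)


def remaining_secrets(text: str) -> list:
    """Last check before pasting: the lines that still carry a secret, in either layout."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        m = KEY_VALUE.match(line)
        if m:
            if m.group(2).lower() in SECRET_KEYS and m.group(3).strip() != REDACTED:
                found.append(line)
        elif len(fields) >= 5 and not fields[0].startswith("#") and fields[2] != REDACTED:
            found.append(line)
    return found


# Constructed sample files; the key, password and txid are placeholders, not real values.
MAGNET_CONF = """\
# constructed sample magnet.conf
rpcuser=magnetrpc
rpcpassword=correct-horse-battery-staple
rpcallowip=127.0.0.1
server=1
daemon=1
listen=1
masternode=1
masternodeprivkey=EXAMPLEPRIVKEYNOTREAL
externalip=203.0.113.10
"""

MASTERNODE_CONF = """\
# constructed sample masternode.conf: alias ip:port masternodeprivkey txid index
mn1 203.0.113.10:1234 EXAMPLEPRIVKEYNOTREAL abababababababababababababababababababababababababababababababab 0
"""

if __name__ == "__main__":
    safe_conf = redact_conf(MAGNET_CONF)
    safe_mn = redact_masternode_conf(MASTERNODE_CONF)
    print(safe_conf)
    print(safe_mn)
    # Refuse to go further if anything slipped through.
    leftovers = remaining_secrets(safe_conf) + remaining_secrets(safe_mn)
    if leftovers:
        raise SystemExit("still contains secrets: " + repr(leftovers))
```

The re-check in remaining_secrets is the step that matters when you paste by hand: run it on the text you are about to post, not on the file you think you edited.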
Magnet Is Not Magnetcoin
Make sure you use addresses and a wallet from the Magnet network. Always double check.
We have had several cases of users trying to mine Magnet to a magnetcoin address or sending funds across. We are not affiliated with that coin, and Magnet runs on a completely separate blockchain, so we cannot recover funds sent to the wrong chain.
Takeaway Double check the network you are dealing with.
Move Your Masternode Earnings
Move your masternode rewards regularly to an address other than the masternode's collateral address, leaving the collateral output itself untouched (spending it would disable the node). Masternode addresses are public and easy to enumerate, so rewards that pile up there are a tempting target; sweeping them limits the damage should an attacker ever get hold of that key.
Takeaway Don’t put all your hard-earned-crypto-eggs in one basket.
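The risk when sweeping is picking up the collateral output by accident. The following is an added example, not code from the original guidelines or from the Magnet project, showing how to select the reward outputs while excluding the collateral by its outpoint (txid and index, the values recorded in masternode.conf) rather than by amount. It assumes unspent outputs in the shape the listunspent RPC of Bitcoin-derived nodes returns (txid, vout, address, amount, confirmations); the UTXO set, the 1000-coin collateral size, the confirmation threshold and the fee are constructed for the example and are not Magnet's parameters.

```python
"""Sweep masternode rewards to another address without touching the collateral.

Added example, not part of the original guidelines or the Magnet code base.
Works on listunspent-style dicts; amounts and thresholds are constructed.
"""
from decimal import Decimal

COLLATERAL_AMOUNT = Decimal("1000")   # assumption for the example, not Magnet's value


def collateral_intact(utxos, collateral):
    """True if the collateral outpoint is still unspent and holds the full amount."""
    for u in utxos:
        if (u["txid"], u["vout"]) == collateral:
            return Decimal(str(u["amount"])) == COLLATERAL_AMOUNT
    return False


def select_rewards(utxos, collateral, min_conf=10, fee=Decimal("0.001")):
    """Pick every spendable output except the collateral.

    Returns (inputs, amount): amount is what can go to the sweep address after
    the fee. Outputs below min_conf confirmations are left for the next sweep.
    The collateral is excluded by txid/vout, never by amount, so a reward that
    happened to equal the collateral size would still be swept correctly.
    """
    inputs, total = [], Decimal(0)
    for u in utxos:
        if (u["txid"], u["vout"]) == collateral or u["confirmations"] < min_conf:
            continue
        inputs.append(u)
        total += Decimal(str(u["amount"]))
    if total <= fee:
        return [], Decimal(0)
    return inputs, total - fee


def build_raw_inputs(inputs):
    """The input list createrawtransaction expects: [{"txid": ..., "vout": ...}, ...]."""
    return [{"txid": u["txid"], "vout": u["vout"]} for u in inputs]


# Constructed sample: the masternode address, its collateral outpoint from
# masternode.conf, and a listunspent-style UTXO set with three reward outputs.
MN_ADDRESS = "MExampleMasternodeAddressNotReal"
COLLATERAL = ("aa" * 32, 1)

UTXOS = [
    {"txid": "aa" * 32, "vout": 1, "address": MN_ADDRESS, "amount": 1000.0, "confirmations": 5000},
    {"txid": "bb" * 32, "vout": 0, "address": MN_ADDRESS, "amount": 12.5, "confirmations": 800},
    {"txid": "cc" * 32, "vout": 0, "address": MN_ADDRESS, "amount": 12.5, "confirmations": 120},
    {"txid": "dd" * 32, "vout": 0, "address": MN_ADDRESS, "amount": 12.5, "confirmations": 3},
]

if __name__ == "__main__":
    if not collateral_intact(UTXOS, COLLATERAL):
        raise SystemExit("collateral output missing or partial: check the node before doing anything")
    inputs, amount = select_rewards(UTXOS, COLLATERAL)
    print("sweep", amount, "from", build_raw_inputs(inputs))
```

On Bitcoin Core-derived wallets the collateral can additionally be pinned with the lockunspent RPC so that the GUI's automatic coin selection never picks it (assumption that Magnet's daemon carries that RPC); the outpoint check above is still worth running before every sweep, because a locked output is unlocked again when the wallet restarts.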
Check Slack Admin Roles
Slack is a wonderful tool for running a community, but it is important to check the account's role whenever you receive a DM from someone claiming to be an admin: a display name and avatar can be copied, the workspace role cannot.
Takeaway Before engaging in a direct discussion, look for: Admin of Magnetwork.io
We hope this helps to provide a better, more enjoyable crypto trading and investing experience.
Trade and invest safely!