Become an in-demand blockchain MASTER: https://dappuniversity.com/bootcamp Subscribe to this channel: ...


Guys, I was a victim of a crypto hack where my wallet was compromised by an attacker and all my money was stolen. I was completely pwned because of one really dumb mistake, and I'm gonna tell you exactly what happened. This video gives you all the details so that you don't do the exact same thing, because I see stories like this all the time where people are losing insane amounts of money because they fail to protect their crypto. This happened to me personally, and it's one of the reasons I'm so big about crypto security and talk about it so much on this channel: I've had to learn these lessons the hard way, and I want to keep you from doing the same.

Before we get into that, if you're new around here, hey, I'm Gregory, and on this channel I turn you into a blockchain master. If that's what you're interested in, then smash that like button down below for the YouTube algorithm and subscribe to this channel, and if you want to learn how to master blockchain step by step, start to finish, then head on over to dappuniversity.com/bootcamp and get started today.

All right, so let's jump into this. Let's talk about this story about how I got hacked, how my wallet was compromised, and how all my money was taken from me. Looking back on this, it's kind of an embarrassing story, to tell you the truth, that I really don't like to tell, because I'm always thinking to myself, especially knowing what I know now with all the experience that I have, how stupid could you be? But then when I think about it, I see lots of other people making these same types of mistakes, and it's not because they're stupid, it's just because they don't really know any better in most cases. And so that was definitely my story, because this was several years ago in the early phases of my development career, when I made a critical mistake simply because I was super green and didn't know any better.

All right, so let's talk about exactly how this happened. Again, this was in the very early days of my blockchain development career, when I had really just got into the space and was building my first projects. You have to understand that back then you didn't exactly have the same type of resources that you have available now to understand how this technology works; we were really having to figure out a lot of things from scratch. So I built this project where essentially there was a blockchain protocol that had a token associated with it as well, and this token had a pretty significant function in the ecosystem. We built this protocol, we built this token, and we put it out there live on the blockchain. This was a really big deal, because while you might see how straightforward this stuff is now, because everybody's done it, we have all these DeFi protocols out there, all these NFTs, where you can see, oh yeah, you just go launch a new protocol, launch your token, this was all brand new, and so there were so many things to figure out. Once we had something out there live on the blockchain, this was really amazing, and so sitting there watching this thing actually grow and get some type of adoption was huge.

Once it was out there, we would watch this project on a day-to-day basis; we closely monitored all the activity associated with it. And then one morning I woke up to see that the funds held in the treasury wallet, the reserves of the actual cryptocurrency associated with the project, had moved. That's not exactly the type of thing you want to see first thing in the morning, because one minute all the funds are there, the next minute they're gone to a brand new address that you've never seen before. After an extensive investigation we found out that it indeed was a hack: an attacker had gained access to a wallet that was able to move the funds out of this treasury to their own wallet and control them.

Upon further investigation we were trying to figure out how exactly that happened. It's because the attacker was able to obtain access to a private key associated with this wallet, and they were able to access it because it was stored in, wait for it, cloud storage. Womp womp. If you're an experienced developer and you're like me, you listen to this story and you're like, oh my gosh, how on earth could somebody make that mistake? But then again, like I was saying, this was many, many years ago, in the very early phases of my development career, and it's the same type of mistake that I see lots of other people making all the time, so I sort of just forgive myself for that one. The other thing is, this didn't really have that big of a long-term impact on the project, because it was very early. We were able to essentially rebuild the project from scratch and not have to really worry about this; we were able to fork it, essentially, without the transactions where the attacker was able to compromise the funds. It didn't really compromise the long-term vision of the project, so it was all well and good in the long run.

So let's jump into exactly what went wrong here, how other people are doing the same types of things, and how you can protect yourself, because that's ultimately why I'm making this video. Again, I don't love telling this story, but it's so I can help you all, because I see a lot of people doing the exact same thing.

Let's start off with your private key for your cryptocurrency account. If you're using the blockchain, whether you're just making transactions inside of a MetaMask account or you're just holding cryptocurrency, or if you're a developer like me and you're having to put smart contracts on the network and actually interact with projects through some scripts or something like that, you typically have to generate a private key so that you can interact with an account. You can see a list of public key / private key pairs here, or account and private key pairs. This is with Hardhat; this is a development blockchain. It's generally not best practice to show private keys on screen, just like I'm talking about in this video, for the exact same reasons, but these are development accounts, so definitely, if you're watching this video, don't try to store any cryptocurrency in these accounts. I just want to use this as an example to talk about what public keys and private keys are. So basically, this is your account address, you're probably familiar with this, and this is the private key. Your account address is a representation of your public key, and it's like your username on the blockchain, and this private key here is a password. You can always generate your public key from the private key, or your account from the private key, and if you have the private key, you really have the keys to the kingdom. That's what it's for: it's about digital signatures. You can sign any transaction you want to on behalf of the person who represents this account, to authorize any transaction on the blockchain. That's how the blockchain verifies that it's you. So essentially this is what was compromised in my project: someone was able to gain access to a private key that was then able to make unauthorized transfers of funds out of this project. And many other people are suffering the same types of attacks, where they store their private keys somewhere and someone gets access to them and is able to take all their money out of their wallet.

So let's talk about the different ways that this happens. For developers, this is a huge issue. If you're watching this channel and you are a blockchain developer, or you're trying to become one, then you have a special issue, which is basically what happened to me, where you're gonna have to use private keys for projects. You have to put smart contracts on a blockchain, or you might just sign transactions to use an application that's already deployed, and so private key storage is huge here. When you're putting smart contracts on the blockchain, you typically have to have some sort of environment file, like a .env file inside your project, where you save a private key to sign transactions. This is not the only way to do it, but it's a really common way to do it, maybe in Hardhat or Truffle. And then what happens is, a lot of times people will commit this code accidentally and push it up to the cloud, maybe to a public GitHub repo, and there are always bots watching for this stuff. So that's rule number one: if you ever have a .env file, make sure it's always in your .gitignore, because if you push that up to GitHub, there are always bots watching for that to completely clean you out. Another good ground rule here is, if you ever have to use a private key for a development project like this, have one private key per project. That way, if you accidentally made a mistake where you committed a .env file or a private key to source code, source history, excuse me, somewhere, then you wouldn't compromise all your projects; it would be one project. And another good ground rule is that in every development account that you use, you should never store any real amount of cryptocurrency that you need for trading or long-term storage, because if somebody ever compromised your developer account then they could take your money. You see, the fundamental problem with this is, if you have a .env like this, this is just what's called plain text, because anybody who looked at this file could see the private key. If they were watching this video, for example, if they obtained access to screen sharing and they saw this, or they just got your computer somehow, if they just see this file, then they know your private key and they can drain your wallet.

So how do you take steps to go beyond that? Well, lots of people are going to use .env files anyway. It's not the biggest deal in the world if you follow the best practices like I was talking about a minute ago: basically single-use private keys, and also not storing real money in them. But if you're talking about the next level, where you're having to run maybe an application in the cloud like I was talking about before, or you need to authorize transactions maybe on a scheduled basis, then you don't necessarily want to have private keys lingering in plain text on servers, because that's the sort of issue that I was talking about in the subject of this video: basically, a private key stored in the cloud. So how can you make protections against that? Well, essentially you can encrypt private keys so they're not just stored in plain text, either inside a database or inside some sort of file in the cloud. You can use something like a JSON keystore, where the file itself is password protected; when someone's gonna make a transaction, they have to have an additional password in order to do that. The whole idea is, if somebody found that keystore file, they don't just instantly have access to the kingdom; there's an additional layer of authentication required in order to make transactions.

All right, another major issue that I see all the time is basically people backing up their crypto wallets with their seed phrase or their private keys and storing that information somewhere digitally that's completely unencrypted and unprotected. This is an absolute no-no. You might have seen something like this, a piece of paper where you're writing down your recovery seed phrase. Again, your seed phrase is just a string of human-readable words that helps you regenerate a list of wallets; MetaMask, for example, has got seed phrases you can back up, or even the private keys themselves. Here's a mistake I see people make all the time: they're writing down their seed phrase or their private keys into a text file and saving it on their computer, or they're putting it in Dropbox or Notion or Evernote or something like that and putting it in the cloud. That's an absolute no-no, because if somebody again compromises your computer and that stuff is stored in plain text and they obtain access to that text itself, then they can just completely clean you out. Or if they hacked your Dropbox, or if they hacked your Notion or Evernote or whatever it is, they can instantly get that information, because especially with cloud services like Dropbox and the others I was talking about, people are notorious for not using unique passwords per website. You can see a website like this, haveibeenpwned.com, where you can enter your email address and see if your login information has been compromised on any website. So the whole idea is, if you stored stuff in Dropbox, and then you also have a Gmail account or whatever, and you have a Facebook account, and then let's say you also bought something on a really sketchy e-commerce website one time and you had to create a username and password, and then that e-commerce website got hacked and they were able to figure out your password, and it's the same password for your Dropbox, well guess what, now they can log into your Dropbox, because you put in the same data to this really sketchy site that had horrible security. Then they can log into your Dropbox and find out where you saved your crypto private keys. You think that someone has to spend a bunch of time doing this, but a lot of this is completely automated, because the hackers are very fast and efficient at doing this type of thing. They can instantly just scrape stuff and log into accounts and start crawling through them to see if they can find information they can instantly drain. That's how they do that type of thing, and so that's why you never want to write down your seed phrase and store it in plain text in the cloud, or your private key either, for your actual crypto wallets that you're holding coins or NFTs inside of.

So another big thing is, I see people taking pictures of these types of things and storing them on their iPhone or their Android and not realizing that those photos are automatically backed up to iCloud or whatever syncing service you use for your Android device, automatically, without them really knowing it. So that's another point of failure. We've seen iCloud hacks happen in the past, so they're not immune from this type of thing either. So definitely don't take pictures of it and think that's going to offer you a better sense of security either. The general rule of thumb for private keys and seed phrases: either offline or some type of encrypted backup.

And so that leads me to the final thing to talk about here, which is hardware wallets. Hardware wallets can be a really good option for this, because the private key never has to leave the hardware wallet device itself; that's the whole benefit of it. You're never having to write down a private key, and it's not inside of a MetaMask account, and you have to have this hardware layer of authentication in order to sign transactions. Nobody could ever just get that private key and then do something unauthorized without having the hardware. Now of course, if they have the private key associated with the device they can do that, but the whole idea of the hardware wallet is that it's completely stored on there. I think there's also an additional downside of hardware wallets, where it gives people a false sense of security, but if you understand exactly what they do and how they work and what they're for, then this can give people a significant additional layer of protection. But if you take your seed phrase for your hardware wallet and you store it in the cloud like I was talking about before, that's not going to give you any protection at all, so you definitely want to back them up in an appropriate way. I'm not necessarily recommending any specific hardware wallet; there are some options you can see here, but implementing a hardware wallet with the right strategies can help mitigate some of these problems I'm talking about.

All right, so that's the story of how I was hacked, the stupid mistake that I made really early on in my development career, and what I learned from this. And again, I don't love telling this story, but the reason I do it is so that I can help you all avoid the same types of mistakes, because I see lots of people doing the exact same type of thing. So if you liked this video, as always, smash that like button down below for the YouTube algorithm, and subscribe to this channel if you haven't already; that really helps these videos out so that more people can learn about blockchain. And if you're as fascinated with this technology as I am and you want to get your hands dirty, how can you get started today? You go to my YouTube home page and you can find those free courses there. They're like YouTube courses, but they're totally free. And if you like those and you want to take the next step, or hey, maybe you want to take a massive step and actually master blockchain step by step, start to finish, over at dappuniversity.com/bootcamp. You don't have to be an expert to get started today. I've helped people with zero coding experience become real-world blockchain developers in a matter of months. So that's all I've got. Until next time, thanks for watching Dapp University.