Seed phrase: a risky solution?

A seed phrase (mnemonic code) is a group of random 12, 18 or 24 words in English. This code is one of the basic steps in generating a tree of private and public keys for your crypto wallet. The keys provide you with the full access to all your coins and tokens in different blockchains, and allows you to perform any transactions with them.

You need a seed phrase to recover control of all your crypto if your wallet is lost, broken, or stolen. Everything here seems to be convenient, simple and logical. There's just one big BUT! Someone else can use your seed phrase and gets access to your crypto, as blockchains don't care who enters a seed phrase.

Crypto users have come up with many ways to protect a seed phrase. They encrypt it, add an extra word to it, divide it into parts, and store it in different places. However, all these methods have a major disadvantage: they are inconvenient. Humans are mostly careless and energy-efficient (i.e. lazy). Therefore, a lot of crypto owners just write it down on a piece of paper. They do not think that the piece of paper with the cherished words can easily get damaged, lost, or fall into the wrong hands. There are also those who e-mail a seed phrase or store it as an iCloud text file. It's even more reckless. There are a lot of examples when a seed phrase was compromised.

Leak of seed phrase

  • The actor Bill Murray raised 119,2 ETH  (equivalent of $185k) for charity as part of an NFT auction. Only hours after the charity had been completed, the hacker was able to access Murray’s personal wallet. The attacker successfully managed to steal all of the proceeds from the charity NFT auction ($185k) and made off with the proceeds. Following that, the hacker attempted to steal some of Murray’s NFTs, of which he has many. The hacker was able to gain access to the wallet thanks to his seed phrase being compromised.
  • On August 3, 2022, an incident happened on Solana which led to more than 9,000 wallets being hacked. SOL and SPL tokens were transferred out of hacked wallets to attacker wallets. Assets drained in total were more than $8 million. The massive Solana wallet hack had occurred after centralized servers stored unencrypted seed phrases sent by Slope Wallet’s mobile app, making them visible to anyone with access to the server, showed a preliminary finding from blockchain audit firm OtterSec.
  • In November, 2022, Bo Shen, the founding partner of venture capital firm Fenbushi Capital, shared on Twitter the news of hackers stealing as much as $42 million in crypto from his personal wallet. According to Shen, the theft occurred on November 10, with most of the stolen funds— $38 million—being the USDC stablecoin. Blockchain security firm SlowMist said its analysis showed that hackers managed to compromise Shen’s wallet seed phrase.
  • In 2020, Alistair Milne, entrepreneur, investor and cryptocurrency enthusiast, launched a contest on Twitter to crack the seed phrase from his wallet with 1 BTC. He planned to post hints —  the first words of the seed phrase — on Twitter from time to time. But his seed phrase was solved earlier than he expected. Developer John Cantrell figured out the seed phrase using a brute-force method after Milne posted the first 7 words. John Cantrell created a program to test several millions seed phrases per hour, trying to find the right one. To the surprise of many people, it took him only 30 hours and John Cantrell became the happy owner of 1 BTC.
  • In January 2020, a Ledger cold wallet user reported losing the equivalent of $16,000 worth of ZCash cryptocurrency. He installed the Ledger Secure extension on his Google Chrome browser. Ledger Secure has nothing to do with Ledger. Instead of performing useful actions, the program simply transmits the user's seed phrase to the attacker if the user has already entered it on the computer.

We have shown you the famous cases where a compromised seed phrase resulted in a crypto leak. But the number of such cases is steadily increasing. By the end of 2022, the total theft of digital assets from various blockchain platforms amounted to $3.5 billion, according to the Chainalysis report. Another anti-record was set, both in terms of the volume of stolen funds and the number of incidents.

Criminals stop at nothing when it comes to stealing cryptocurrency. They can gain access to the seed through social engineering, account hacking, or house check. And you may not even be aware that the seed phrase has been in the hands of attackers for a long time and they are just waiting for the funds to appear in your wallet's address.

How to protect your crypto

To avoid such cases, choose a cold wallet model in which the private key backup is not based on a seed phrase. Like the Tangem Wallet, for example, which completely avoids the risks associated with seed phrases. Instead, the key is cloned to other cards of a pack. If your wallet is lost or stolen, your assets are still with you, as you will still have 2 or 3 additional wallet cards. One card acts as the main crypto wallet, the second card can be securely hidden, the third card can be left in a safe or given to family members. Even if the main card is lost or stolen, it's not a problem: it's password-protected. Cracking the password is not possible by brute force: entering the password incorrectly delays the next attempt, and so on for up to 45 seconds.

If you can't do without the seed phrase, protect it in the safest way possible. There are various autonomous devices designed to store the seed phrase, the security of which will still be your responsibility. And follow the basic rules of crypto hygiene:

  • Never store your seed phrase online.
  • Never enter your seed phrase into any online application without your due diligence.
  • Never give anyone your seed phrase.
  • Don't lose your seed phrase.

That's, seems, to be all. It's up to you to decide which wallet to use, with or without a seed phrase. In any case, the security of your crypto is your responsibility.