Phantom Wallet Hacked, No Idea How

Long story short, I've had a few wallets: MetaMask, hardware, etc. Never had anything stolen, never had my passcodes found or anything.

A few days ago I checked my Phantom wallet via the browser add-on and it was cleared out. There were two withdrawals the night before.

I had the Phantom app on my phone as well, and it had been there for over a year.

I was testing out and installing some Google Play games on my phone at around the exact time the theft occurred. Best I can surmise, the games or ads in the games somehow accessed my Phantom wallet, but I have no idea how.

The other tidbit is that because I never use the Phantom wallet app, I hadn't opened it in about a year. But when I ran it on my phone after all that time, it logged me right in without any passcode or anything. I therefore further believe that somehow that's how they accessed it.

Does anyone with some knowledge or experience have any hypotheses?

Comments

  • +1

    Clearly user error, most likely due to installing malicious applications. Always use a cold wallet for storing crypto.

      • Who cares? If you do not know how to properly secure your crypto just use an exchange with 2FA for withdrawals.

      • +6

        I don't want useless general advice

        But you still posted it on a general forum?

        • +5

          With a general question of "how x?" - lol

          Nobody can examine the phone or the account, so, without generalising, how are we even meant to answer :P

      • +4

        Lol @ your rudeness

  • +3

One of my bros lost all his crypto a few years back due to something similar. He had his Ledger passkey stored on an encrypted cloud storage service (I don't remember which one), woke up one morning and it was all gone. Still not sure how. Crims are clever these days.

    • +3

      Friend of mine had his in his Gmail… and used the same password for all his social media/online services. I was speechless.

      • +1

        Hey Google, what's my passkey.

    • Inside job?

    • Probably someone with inside info.

      • +1

        Kit Walker

Not sure, he only has the two girls at home, both under 10. His best guess is that someone got into his password manager; it's an offline PWM but he had the database backup in the cloud. Just guessing at this point though.

    • +1

Probably a swapped Ledger. This was common back then (and still somewhat now), especially when purchasing through resellers, whereby the hardware itself is modified so they can withdraw funds without the passphrase.

He reckons he got it from Ledger direct.

  • +6

    Telegram bot you gave permissions to or injected browser scripts?
    Vanity address you generated and stored the private key in a file?
    Screenshotted your seed phrase?
    Malicious airdrops or NFTs?
    Visited a bad website which hijacked your browser extensions?
    Clicked on a bad transaction which granted full access to your account?
    Stored in an online notebook and your password was easy to guess or used the same PW for multiple services?
    Left your phone and someone unlocked it?
    Used a public WiFi? De-Authed and connected to a spoofed WiFi?
    Neighbour saw you dig a hole where you buried your embossed steel plate?
    Abducted by aliens and they read your mind?

    • +4

      Visited a bad website which hijacked your browser extensions?

This is the most likely, since people still use Chrome after they booted anti-ad scripts (which had a side effect of helping with ads with malicious intent)!

  • +4

    Phantom wallet cleaned out?

    Kit Walker probably got a new wallet.

    • +1

      Has O.P. looked in the back of the Skull Cave?

      • +1

        If there was ever anything there, presuming she hasn't spent it (yet), Diana's got that stashed away somewhere by now.

        • +1

          Spent it all on a bling collar for Devil.

  • +2

So you've formatted your computer and phone and changed all of your passwords, 2FA etc. since, I assume?

  • +5

    There are multiple 0-days out there that are active in the wild at any time. You should be using a separate computer to conduct your crypto transactions.

    If you are still using your main browser to browse the web and conduct your crypto transactions, you are playing with fire. It only takes one malicious ad to take out all your money.

    People will only learn the hard way and it will happen again and again.

There was recently a 0-day which was actively exploited, and those infostealer logs were most likely sold recently, as mentioned by another user on OzBargain who confirmed their information was in those logs. It should be noted that once those logs are collected, your crypto generally is not drained immediately as it was in the past, because Phantom and MetaMask now have encryption on by default; but this means the adversary needs to look through the logs for your wallet password, which you would have been typing in day to day to open your wallet.

    As far as I am aware, with these two pieces you can basically control a wallet without knowing the passphrase.

Similarly, you should use a separate phone for your crypto. The question remains: are you also using internet banking on your phone? If so, that could be at risk too.

    • Currency of the future

  • -2

    Your fault for touching shitcoins

What do you have in the Phantom app when you go to Settings > Connected Apps? Anything fishy?
    As Banks said above, it might be a vulnerability. One was reported in Dec 2024, which is pretty recent.
    Apart from that, the Phantom wallet API looks like it uses standard security architecture.

  • +3

    It's almost impossible to say.

In 90%+ of cases I came across, it was the user making an error: clicking a bad link, giving their password out, not having proper 2FA, etc.

    Could be as simple as you reused the same password in the games as you did for the wallet.

    It's extremely unlikely the games were relevant, but not impossible.

Without specifically going on your phone and into your Phantom wallet, it's impossible to say at the end of the day, but again, whenever friends said they got hacked it always turned out that they had done something incorrect themselves.

Also, this is why crypto is so shit. People don't want government control until they lose their money. Then all of a sudden: why are there no consumer protections in place? Can someone retrieve the money for me? Etc.

Annoyingly, people have very little understanding of the space.

  • +1

    I bet it was something simple like you got redirected to a spoof website and you typed in your passwords thinking it was the official one.

Google passwords got hacked recently? Same password used for wallets?

I don't know what's worse: losing all my crypto this way, or losing it on a high-level trade with a market crash. It is a loss either way.

Here's a story from a few days ago. Basically a programmer installed what he thought was a legit VS Code add-on and it did the needful and drained his wallet.
    Your story could be similar:

    https://www.bleepingcomputer.com/news/security/malicious-vsc…

    • +1

      Legit VS Code? That's a tough one, but my money's on Legit because I suspect he won't quit.

  • -2

    Claim a loss against your capital gains?
