Malicious firmware can embed secret data into a public Bitcoin transaction, which the attacker can then use to extract a person’s seed words.
Security researchers have discovered a troubling new method, which they’ve named “Dark Skippy,” that hackers can use to extract private keys from a Bitcoin hardware wallet even with only two signed transactions.
The vulnerability potentially affects all hardware wallet models, though it can only work if the attacker tricks the victim into downloading malicious firmware.
A previous version of the method required the victim to post “dozens” of transactions to the blockchain. But the new “Dark Skippy” version can be performed even if the victim only posts a couple of transactions to the blockchain. In addition, the attack can be executed even if the user relies on a separate device to generate seed words.