Author: The Smart Ape
Compiled by: TechFlow
A few days ago, my family and I went to a very nice hotel for our year-end holiday. A day after leaving the hotel, my wallet was completely empty. I was baffled because I hadn't clicked on any phishing links or signed any malicious agreements.
After hours of investigation and with the help of experts, I finally figured out the truth. It all stemmed from the hotel's Wi-Fi network, a brief phone call, and a series of foolish mistakes.

Like most cryptocurrency enthusiasts, I brought my laptop, thinking I could work a bit during my family vacation. My wife insisted I not work during those three days, and I really should have listened to her.
Like other guests, I connected to the hotel's Wi-Fi network. This network didn't require a password; I could simply log in through a captive portal.

I worked in the hotel as usual, without taking any risks: I didn't create a new wallet, click on any strange links, or visit any suspicious decentralized applications (dApps). I simply checked X (Twitter), my balance, Discord, and Telegram, etc.
At one point, I received a call from a friend in the crypto community. We talked about market trends, Bitcoin, and other cryptocurrencies. Unbeknownst to me, someone nearby was eavesdropping on our conversation and realized I was involved in cryptocurrency. This was my first mistake. From our conversation, the other person learned that I used a Phantom wallet and that I held a significant amount in it.
This led him to target me.
On a public Wi-Fi network, all devices share the same network segment, and they are far more visible to one another than you might imagine. There are virtually no safeguards between users, which creates the opportunity for a man-in-the-middle attack: the attacker quietly inserts themselves between you and the internet, much like someone secretly reading and altering your mail before it reaches its destination.

While I was browsing on the hotel Wi-Fi, one website appeared to load normally, but malicious code had been injected into the page. I didn't notice anything unusual at the time. If I had installed some security tools, I could have detected this, but unfortunately I hadn't.
Normally, a website may ask your wallet to sign certain actions. Phantom pops up a window where you can approve or decline. Usually you approve, because you trust the website and your browser. That day, I shouldn't have.
While I was swapping tokens on the @JupiterExchange platform, the malicious code triggered a wallet request in place of my normal swap. I could have discovered that it was malicious by carefully examining the transaction details, but because I had already completed the swap on Jupiter, I didn't suspect anything.

That day, I didn't sign a transaction transferring funds; I signed an authorization. That is precisely why my assets were stolen a few days later.
The malicious code didn't ask me to send SOL directly, because that would have been too obvious. Instead, it asked me to "authorize access," "approve the account," or "confirm the session." In plain terms, I was giving another address permission to act on my behalf. Such an approval stays in force until it is revoked, so nothing visible happens at the moment you sign it.
I approved it because I mistakenly assumed it was part of what I was doing on Jupiter. The message in my Phantom pop-up looked very technical; it showed no amount and didn't ask me to transfer anything immediately.
And that was exactly what the attacker needed. He waited patiently until I left the hotel before making his move. He transferred my SOL, withdrew my tokens, and moved my NFTs to another address.

I never imagined something like this would happen to me. Fortunately, it wasn't my main wallet, but a hot wallet used for specific operations, not for holding assets long-term. Even so, I still made many mistakes, and I believe I bear the primary responsibility for them.
First of all, I should never have connected to the hotel's public Wi-Fi. I should have used my phone's hotspot instead.

My second mistake was talking about cryptocurrency in the hotel's public area, which likely allowed many people to overhear our conversation. My father had warned me never to let anyone know I was involved in cryptocurrency. I was lucky this time; some people have even been kidnapped or worse because of crypto assets.

Another mistake was approving the wallet request without scrutinizing it. Because I was convinced the request came from Jupiter, I didn't analyze it carefully. In fact, every wallet request should be reviewed carefully, even those that appear to come from an application you trust: a request can be malicious even though it shows up while you are using the application you assume sent it.
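To make the difference between a transfer and an authorization concrete, and to show what "reviewing every wallet request" can mean in practice, here is an added example that is not part of the original post. It assumes the authorization was an SPL Token delegate approval (the usual form of "approve the account" on Solana; the post does not name the exact instruction). It decodes raw instruction data using the SPL Token program's instruction layouts and flags delegate approvals and authority changes inside a transaction that otherwise looks like a swap. The wallet addresses and the sample transaction are constructed placeholders; only the two token program IDs are real.

```javascript
// Added example, not from the original post: audit a Solana transaction's
// instructions for delegate approvals and authority changes before signing.
// Layouts follow the SPL Token program's TokenInstruction enum. Uses Node built-ins only.

const SPL_TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const TOKEN_2022_PROGRAM = "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb";
const U64_MAX = (1n << 64n) - 1n; // drainers typically approve an unlimited amount

// First data byte of an SPL Token instruction selects the variant.
const IX = { TRANSFER: 3, APPROVE: 4, REVOKE: 5, SET_AUTHORITY: 6, TRANSFER_CHECKED: 12, APPROVE_CHECKED: 13 };
const AUTHORITY_TYPES = ["MintTokens", "FreezeAccount", "AccountOwner", "CloseAccount"];

function u64le(n) {
  const b = Buffer.alloc(8);
  b.writeBigUInt64LE(n);
  return b;
}

// ix = { programId: base58 string, accounts: base58 strings in instruction order, data: Buffer }
// Returns a finding for anything that grants a third party lasting control, else null.
function auditInstruction(ix, index) {
  if (ix.programId !== SPL_TOKEN_PROGRAM && ix.programId !== TOKEN_2022_PROGRAM) return null;
  const tag = ix.data[0];

  if (tag === IX.APPROVE || tag === IX.APPROVE_CHECKED) {
    // Approve: [tag, amount u64 LE]; accounts [source, delegate, owner]
    // ApproveChecked: [tag, amount u64 LE, decimals u8]; accounts [source, mint, delegate, owner]
    const amount = ix.data.readBigUInt64LE(1);
    const delegate = tag === IX.APPROVE ? ix.accounts[1] : ix.accounts[2];
    const unlimited = amount === U64_MAX;
    return {
      index, kind: "DELEGATE_APPROVAL", delegate, amount,
      severity: unlimited ? "critical" : "high",
      note: unlimited
        ? "unlimited delegate: can empty the token account at any later time"
        : "delegate may transfer up to the approved amount without further signatures",
    };
  }

  if (tag === IX.SET_AUTHORITY) {
    // SetAuthority: [tag, authority_type u8, has_new u8, new_authority 32 bytes if has_new]
    const authorityType = ix.data[1] < AUTHORITY_TYPES.length ? AUTHORITY_TYPES[ix.data[1]] : `unknown(${ix.data[1]})`;
    const newAuthority = ix.data[2] === 1 ? ix.data.subarray(3, 35).toString("hex") : null;
    return {
      index, kind: "AUTHORITY_CHANGE", authorityType, newAuthority,
      severity: authorityType === "AccountOwner" ? "critical" : "high",
      note: "changes who controls the account; a swap never needs this",
    };
  }
  return null; // transfers and other instructions are left to the wallet's normal display
}

function auditTransaction(instructions) {
  return instructions.map((ix, i) => auditInstruction(ix, i)).filter(Boolean);
}

// Policy: refuse to sign anything that carries a finding, whatever site asked for it.
function shouldSign(instructions) {
  return auditTransaction(instructions).length === 0;
}

// Constructed sample (placeholder addresses, not real keys): a swap-looking
// TransferChecked of 1 USDC followed by an injected unlimited ApproveChecked
// that names an attacker-controlled address as delegate.
const ME = "MyWa11et1111111111111111111111111111111111111";
const MY_USDC_ACCOUNT = "MyUsdcAcc1111111111111111111111111111111111";
const USDC_MINT = "UsdcMint11111111111111111111111111111111111";
const POOL_ACCOUNT = "PoolAcc111111111111111111111111111111111111";
const ATTACKER = "Attacker11111111111111111111111111111111111";

const swapIx = {
  programId: SPL_TOKEN_PROGRAM,
  accounts: [MY_USDC_ACCOUNT, USDC_MINT, POOL_ACCOUNT, ME],
  data: Buffer.concat([Buffer.from([IX.TRANSFER_CHECKED]), u64le(1_000_000n), Buffer.from([6])]),
};
const injectedIx = {
  programId: SPL_TOKEN_PROGRAM,
  accounts: [MY_USDC_ACCOUNT, USDC_MINT, ATTACKER, ME],
  data: Buffer.concat([Buffer.from([IX.APPROVE_CHECKED]), u64le(U64_MAX), Buffer.from([6])]),
};
const SAMPLE_TX = [swapIx, injectedIx];

// Second constructed sample: hands ownership of the token account to a new authority.
const setOwnerIx = {
  programId: SPL_TOKEN_PROGRAM,
  accounts: [MY_USDC_ACCOUNT, ME],
  data: Buffer.concat([Buffer.from([IX.SET_AUTHORITY, 2, 1]), Buffer.alloc(32, 0xab)]),
};
const SAMPLE_SET_AUTHORITY_TX = [setOwnerIx];

console.log(JSON.stringify(auditTransaction(SAMPLE_TX), (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

The point of the check is that it ignores what the page or the wallet pop-up says and looks only at what the signed bytes do: a swap needs transfers, never a standing delegate or a change of account owner, so any such instruction in a transaction you did not knowingly build is reason to decline. A wallet that shows "approve" in plain language with the delegate address and the amount would have made the same decision easy to make by hand.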
Ultimately, I lost about $5,000 from a secondary wallet. While this wasn't the worst-case scenario, it was still incredibly frustrating.