Howto Export a Single Private Key from Ledger Nano, Trezor or Keepkey (Without Exposing Them All)
Summary of Steps to Extract a Single Private Key from a Ledger Wallet
Or more accurately, extract a single private key from your 24 word recovery phrase…
- Decide on the wallet/account/address you want to move the funds to… (znm1AkRXQcJwmnxfBv2PioSVFHQErWraSM3)
- Retrieve your copy of your 24 word recovery phrase
- Create an “Air Gapped” PC environment (eg: Tails Linux)
- Download a tool to convert your 24 word seed to a set of private keys
- Identify the public address that contains the coins you want, copy to a USB stick. (or use pen and paper) (znbfDn49M3btwcXi1SvYpnjPushXMA6ySzh)
- Load up your “Air Gapped” environment
- Import your 24 word key into a wallet (Web wallet can be fine)
- Copy the private key you want
- Import that private key into a wallet
- Move the funds to the next available address (or wallet) on your hardware wallet
- Ideally, stop using that public address from now on; consider it compromised, or at least only as secure as any other software wallet…
Process in Detail…
Using the steps above, I can show you how to do that in a way that’s reasonably secure.
First of all, we decide where we want to send the funds to.
So I created a new wallet on the Ledger, “Horizen 2”. The reason I do that is that if you have an account on your Ledger with hundreds and thousands of “dust” (very small) transactions in it, it will lag Ledger Live terribly; it’ll sit there synchronizing for ages. The whole thing will be terribly slow even after you’ve moved the money out of it, so if you want to transact regularly with the account you’re mining into, that might cause you issues. Or, if you want everything to be fast, you might just want to create a new account on your Ledger: you just say add accounts and move it all into that. So we want to move it all to that account, Horizen 2, which, if you recall from before, was this address, so we’ll just copy that and stick it there for now…
So that’s where it’s going to go.
In this scenario we simply stop using the original account that was full of dust and full of lag, so we want to move the funds.
The second step is to retrieve your 24 word recovery phrase, so hopefully you have it written down on paper somewhere. I really hope you don’t just have it sitting in Notepad like this example one here because, again, if someone has that 24 word key, they can get the lot.
Once you’ve retrieved the 24 word recovery phrase, what you’re going to want to do is create an air-gapped PC environment. Before you go punching this 24 word key into a computer, you want to make sure that computer is offline, not connected to the internet, so that some malware on there isn’t going to send your 24 word key straight to someone dodgy who will steal all your coins.
Just unplugging your computer from the internet isn’t enough for this, because you can never be quite sure that the environment you’re running on your PC is entirely clean.
So the best way to avoid that is to create an air-gapped PC environment. The easiest way to do that is to download a live CD.
Tails Linux is a good example of something like that. It’s basically just a distribution of Linux that you can download.
You could download a live CD of Ubuntu or any other Linux distribution like that: you download it, copy it onto USB following their instructions, and then boot that on an old computer you might have lying around (maybe not a laptop or any other device). But make sure you unplug its physical network cable when you do that, and don’t just immediately connect it to your Wi-Fi as soon as it’s booted into this Linux environment, because what you really need for this process is a clean environment: a completely fresh live CD install of something that has a web browser in it. That’s all you need.
Tails is a good one to use, or if you’re familiar with Ubuntu just download the Ubuntu live CD, boot into that, and you can use it as your air-gapped PC environment.
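
An added example, not part of the original walkthrough: a pre-flight check to run inside the live Linux session before the recovery phrase is typed, confirming that no network interface has link and no default route exists. It assumes a Linux live environment with Python 3 and the standard `/sys/class/net` and `/proc/net/route` files, and only looks at IPv4 routes; the function names are this example's own.

```python
import os

def read_attr(path):
    """Read one sysfs attribute; '' if it is missing or unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:  # 'carrier' cannot be read while the interface is down
        return ""

def live_interfaces(sysfs_net="/sys/class/net"):
    """Map each non-loopback interface that has link to its observed state."""
    live = {}
    for name in sorted(os.listdir(sysfs_net)):
        base = os.path.join(sysfs_net, name)
        if name == "lo" or not os.path.isdir(base):
            continue
        state = read_attr(os.path.join(base, "operstate"))
        carrier = read_attr(os.path.join(base, "carrier"))
        if state == "up" or carrier == "1":
            live[name] = f"operstate={state or '?'} carrier={carrier or '?'}"
    return live

def default_route_ifaces(route_file="/proc/net/route"):
    """Interfaces holding an IPv4 default route (destination 0.0.0.0)."""
    ifaces = set()
    with open(route_file) as fh:
        next(fh, None)  # skip the header row
        for line in fh:
            fields = line.split()
            if len(fields) > 1 and fields[1] == "00000000":
                ifaces.add(fields[0])
    return sorted(ifaces)

def safe_to_type_seed(sysfs_net="/sys/class/net", route_file="/proc/net/route"):
    """True only when no interface has link and no default route exists."""
    return not live_interfaces(sysfs_net) and not default_route_ifaces(route_file)

if __name__ == "__main__":
    for name, why in live_interfaces().items():
        print(f"LIVE  {name}: {why}")
    for name in default_route_ifaces():
        print(f"ROUTE default via {name}")
    print("OK to continue" if safe_to_type_seed() else "NOT air-gapped: stop")
```
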
I’m not going to go over how to set up the live CD, because there are plenty of demos that show how to do it.
Before you shut down your main Windows, or whatever environment you’re using, you want to download a converter that lets you convert your 24 word recovery seed into a whole bunch of private keys.
There is this “Ian Coleman” one, which is great. I’m accessing it in my browser right now, but if you go to the website and scroll down the page, you can go to his GitHub, and it tells you how to use it offline: you go to the releases page and download one HTML file, and that does everything it needs to do.
You’d save that HTML file onto a USB stick, along with your live CD, so that it sits on your air-gapped PC.
Then you boot into your air-gapped environment and open this mnemonic code converter in the browser, just like this.
The other thing you’re going to want to do before you reboot (I’m assuming in these instructions that you’re going to be using the same PC and having to reboot away from your normal desktop environment) is make sure you know the public address that contains the coins you want. In this example, we needed to know that the 0.1 ZEN we have available in Ledger Live here corresponds to this address, whereas “Horizen 2” corresponds to this address right here. It’s important to know that, because you need to know which public key you want to get: each address has one public key and one private key, and you need to get the right one, because they will only work with the right one.
So you need to note that down.
For the sake of clarity, I’ll just say that in this case it was this address here.
Then you stop. You wouldn’t have typed your 24 word recovery key in here on your internet-connected computer anyway; you would shut down your computer, load up into your air-gapped environment, and you’d be here…
So we can assume that this is your air-gapped machine, running the standalone mnemonic code converter. You would then type your 24 word recovery seed in, rather than copying and pasting it, because you shouldn’t have it just sitting in a file, even on a USB.
Let it load up and select the coin you want, ZenCash. Again, this will work for basically any Bitcoin fork, so if you’re mining Vertcoin using p2pool and have tons of dust, you can often get the same issue.
Then we can see the public address, so we copy its private key, or write it down with pen and paper if you want; that’s another option…
You could also just save it in a text file on the USB with your live CD. Once you have that private key you can shut down and turn off your air-gapped environment, because you don’t need any of the other private keys, and you don’t want to connect this thing to the internet until it has been shut down and it’s all been cleaned. So now you’ve got your private key from your air-gapped environment.
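
An added example, not part of the original walkthrough: a Base58Check checker for what was written down by hand, to run on the air-gapped machine before it is shut down. It assumes the private key and addresses are Base58Check strings, as they are for Bitcoin forks, so a mis-copied character fails the embedded checksum; the sample key is constructed and the function names are this example's own.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    """First four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    zeros = len(raw) - len(raw.lstrip(b"\0"))  # leading zero bytes become '1'
    return "1" * zeros + out

def b58check_decode(text: str) -> bytes:
    """Return version+data bytes, or raise ValueError naming the problem."""
    text = text.strip()
    n = 0
    for pos, ch in enumerate(text, 1):
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"character {pos} ({ch!r}) is not Base58")
        n = n * 58 + digit
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        raise ValueError("too short to carry a checksum")
    if checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("checksum mismatch: something was copied wrongly")
    return raw[:-4]

def transcription_ok(text: str) -> bool:
    try:
        b58check_decode(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample, not a real key: one version byte plus 32 key bytes.
    written = b58check_encode(b"\x80" + bytes(range(1, 33)))
    slipped = written[:20] + ("a" if written[20] != "a" else "b") + written[21:]
    for label, text in (("as displayed", written), ("one slip", slipped)):
        print(f"{label:12} {text}  ->  {'OK' if transcription_ok(text) else 'RE-COPY'}")
```
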
You would then jump to myZenWallet. Again, myZenWallet is something that just runs in your browser; you can download it directly from the official ZenCash (Horizen) GitHub.
The other option you have is to use the Swing wallet: if you go to the Zen wallets website and download the official full client, you can import single private keys into it. However, you need to understand that the entire blockchain will have to sync before you can send your funds…
So if you download the Swing wallet, you would let the full blockchain sync, and only when that has happened would you import your private key and then send your funds, basically straight away. Frankly, the browser-based one works very well and you don’t need to sync the whole chain either, but if you are all about privacy and stuff then the Swing wallet will give you a better result in that regard.
So again, starting from scratch: you’d have your private key written down on a piece of paper (we’re cheating here because it’s just a demo). You would then go to this online web wallet, or the downloaded version of it… But it’ll all look the same…
Click Settings, paste the private key, then unlock it, and there are the funds. So you’d grab them and send them from there: say yes, we want to send them to here, which was the address we had earlier, and we want to send the lot all in one go. Yes, I’d like to send these ZEN, and send. Ah, not enough, hang on a minute. Sorry, I didn’t have 0.1 ZEN but 0.01 ZEN…
Yep, there we go. So just type in the amount, so we can see the 0.01. You will have to do your own manual fee calculation, I think; let’s just try it without it…
And there we go, successfully sent. If we jump into Ledger we will, in a sec, see that appearing. It’s on the blockchain now, so we can just click there: there are 0.01.
There we go, now it’s appeared. Even though I didn’t send that in Ledger, and even though my Ledger Nano isn’t even connected, we can see that the 0.01 ZEN has left the account and has arrived here in Horizen 2. If that account had nothing in it anymore, we were certain we’re not mining to it, and we don’t want it to lag, we could remove that account altogether, basically just delete it, or you could just leave it there. It’s up to you how you want to do it.
Even simply moving the funds into the next available address on your existing Horizen account will generally fix all the unspent outputs as well, but again, how that all performs will depend very much on the client that you’re using, and my experience with Ledger in that space has not been great. That’s half the reason why they tell you not to mine straight to your Ledger. But anyway, you don’t lose your funds or anything like that; it just sometimes means a few extra steps to get them back. Ledger don’t like it because it loads their servers down when you’ve got all these unspent outputs that their client needs to go back and check.
So there you go, that’s how you do it, and it’s pretty straightforward. The other thing I should again emphasize is that once you have exported a private key from your hardware wallet and imported it into a software wallet, web wallet or any other internet-connected thing, you should consider that address compromised, or at least only as secure as any other software wallet. It’s no longer protected in the same way as everything else on your hardware wallet…