OCR Hack! Good reminder of why not to take pictures of Seed Phrases!

Hak5 made a great YouTube video about an OCR hack via a food delivery app that stole mnemonic seed phrases. This blog post is the result of a small amount of connected research on how wallet addresses are found once seed phrases have been discovered!

If hackers were able to extract 12- or 24-word mnemonic phrases from images using OCR (Optical Character Recognition) through a compromised smartphone app like a food delivery app, they would likely use multiple techniques to link those mnemonics to specific wallet addresses. Here’s how they could go about it:

1. Extracting Wallet Addresses from Mnemonics

Once they have a mnemonic phrase, they can:

  • Use standard derivation paths to generate the corresponding wallet addresses. Most wallets follow BIP39 for turning the words into a seed and BIP44 (or a related standard) for the derivation paths.
  • Check transaction histories on blockchain explorers to determine if the addresses have funds or activity.

2. Linking Wallets to IPs and Devices

To connect those wallets to specific users, hackers might use several methods:

a. Monitoring IP Addresses via App Traffic

  • If the food delivery app had access to network data, it could capture outgoing IP traffic from the smartphone.
  • If the user accessed their cryptocurrency wallet from the same device, their IP address could be linked to a blockchain transaction.

b. Analyzing Browser and App Activity

  • If the victim ever accessed a blockchain explorer (e.g., Etherscan, Blockchain.com) using their phone’s browser or app, hackers could intercept and log visited wallet addresses.
  • If the delivery app had permissions to monitor clipboard data (some apps do), it might capture wallet addresses copied and pasted by the user.

c. Correlating Multiple Wallets to One User

  • If the same device was used to log into multiple wallets, hackers could group mnemonic phrases together and infer they belong to the same person.
  • If the app had access to GPS or device metadata, it could link multiple compromised wallets to a single physical location.

d. Social Engineering & Phishing

  • If the delivery app had access to the user’s email address or phone number, the attackers could check whether the user had registered an account on crypto exchanges (e.g., Coinbase, Binance).
  • They could use this info for phishing attacks, tricking users into revealing more wallet details.

e. Cross-Referencing with Leaked Databases

  • If hackers already had access to data breaches (e.g., past email/password leaks), they could search for linked crypto exchange accounts and cross-check known wallets.

3. Draining the Wallets

Once they have the wallet addresses and mnemonic phrases, hackers could:

  • Sweep funds automatically by importing the seed phrase into a new wallet and transferring everything to their own addresses.
  • Front-run transactions by detecting the victim’s pending transactions and replacing them with their own transactions that pay higher gas fees.

Defensive Measures

If you suspect such an attack is happening:

  • Never store mnemonics as images or in plaintext on a smartphone.
  • Use a hardware wallet to prevent online attacks.
  • Monitor IP logins on exchanges for unusual activity.
  • Reset wallets and transfer funds if there’s any risk of exposure.

Certain smartphone apps can access clipboard data without explicit user permission, though both iOS and Android have made efforts to restrict this due to privacy concerns. Here’s how it works:

1. Android Clipboard Access

  • Before Android 10: Any app running in the background could access clipboard contents without requiring special permissions.
  • Android 10 and later: Google restricted clipboard access, so only the currently focused app (the app in use) can access clipboard data. However:
    • Some keyboard apps (like Gboard, SwiftKey) still have clipboard access.
    • Some accessibility apps (like screen readers) may have broad permissions that allow clipboard access.
    • Apps with Accessibility Service permissions can monitor clipboard activity.
    • If a malicious app exploits a system vulnerability, it could bypass these restrictions.

2. iOS Clipboard Access

  • Before iOS 14: Any app could read clipboard data, even in the background, without user knowledge.
  • iOS 14 and later: Apple added a clipboard access notification, so users now see a popup when an app reads clipboard data. However:
    • Some third-party apps (like TikTok, LinkedIn, and Reddit) were caught reading clipboard data unnecessarily before Apple enforced these restrictions.
    • Apps with Universal Clipboard (Handoff feature) enabled (used between macOS and iOS) could read clipboard data across devices.

3. How Hackers Exploit Clipboard Access

If a malicious or compromised app can access clipboard data, it can:

  • Steal copied crypto wallet addresses (many people copy-paste their receiving addresses when making transactions).
  • Replace wallet addresses with the hacker’s address (clipboard hijacking attack).
  • Steal copied passwords or OTPs if a user copies them from a password manager or SMS.
  • Monitor frequently copied text to gather sensitive information.

4. How to Protect Yourself

  • Avoid copying seed phrases – Store them physically, not digitally.
  • Use a hardware wallet to eliminate clipboard-based risks.
  • Manually double-check wallet addresses before sending crypto (attackers can swap them).
  • Disable Universal Clipboard on Apple devices if you don’t need it.
  • Use a secure clipboard manager that clears sensitive data automatically.

In addition, if a hardware wallet’s seed phrase is compromised, the best course of action depends on how cautious you want to be. Here are the options and considerations:


1. Resetting the Seed Phrase While Keeping Wallet Addresses

Some hardware wallets allow you to reset the seed phrase while keeping the same wallet addresses, but this is generally not recommended for security reasons. Here’s why:

  • Most wallets derive private keys from a single seed phrase (BIP39/BIP44).
  • Resetting a device with a new seed phrase creates an entirely new wallet with new addresses.
  • If the hardware wallet allows “key sharding” (Shamir Backup, for example), it might let you create a recoverable structure without exposing a full mnemonic, but this doesn’t reset a compromised key.

Risk of Keeping the Same Addresses:

  • If an attacker already has the old seed phrase, they can still access past funds even if you move them.
  • If the wallet’s addresses were previously used, they are still linked to past transactions, even if accessed through a VPN or Tor.
  • VPN/Tor only masks your current location, not your past activity.

2. The Most Secure Solution (Full Reset and Tumbler)

If you want the highest level of security, follow these steps:

  1. Buy a new hardware wallet – The old one is now unsafe.
  2. Generate a brand-new seed phrase – Never reuse the old one.
  3. Use a crypto tumbler/mixer (or CoinJoin for privacy-focused coins like Bitcoin) to break the link between old and new addresses.
    • Why? Blockchains are public, and forensic analysis can track fund movements.
  4. Transfer funds to a freshly generated wallet on the new signing device.
  5. Use a VPN and/or Tor when interacting with the blockchain to avoid linking your new address to an IP.
  6. Never reuse addresses – Use a wallet that supports new addresses for each transaction (Wasabi, Samourai, or other privacy wallets).

Alternative: Passphrase-Encrypted Wallets (Hidden Wallets)

Some hardware wallets (Ledger, Trezor, Coldcard) allow you to create a hidden wallet using an extra passphrase on top of the seed phrase. This:

  • Generates a separate set of addresses from the same seed.
  • Helps if your mnemonic is compromised but the attacker doesn’t have your extra passphrase.

Caution: If the attacker has the base seed phrase, they might brute-force common passphrases.
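The following is an added example, not code from the original post or from Hak5. It shows the BIP39/BIP32 steps behind both section 1 (deriving keys from a recovered mnemonic) and the hidden-wallet passphrase above: the passphrase is mixed into the PBKDF2 salt, so the same 12 words yield an unrelated seed and master key, and someone holding only the words gets only the default wallet. It uses BIP39’s published all-“abandon” test mnemonic (zero entropy, never holds funds) and the passphrase "TREZOR" from the same test vector; no address derivation or word-list checksum is performed.

```python
import hashlib
import hmac
import unicodedata

# BIP39: seed = PBKDF2-HMAC-SHA512(password=mnemonic, salt="mnemonic"+passphrase,
# 2048 rounds, 64 bytes). Both strings are NFKD-normalised first.
PBKDF2_ROUNDS = 2048


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed. The passphrase lives in the salt, so the
    default ("") wallet and a passphrase-protected hidden wallet come from the
    same words but share no key material. Every candidate passphrase costs a
    full 2048-round PBKDF2 run, which is the only thing slowing down guessing."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ROUNDS, dklen=64
    )


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed". Left half is
    the master private key, right half the chain code; every BIP44 path
    (m/44'/coin'/account'/change/index) is derived from this pair."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Constructed demo input: BIP39's published zero-entropy test mnemonic.
TEST_MNEMONIC = "abandon " * 11 + "about"


def compare_default_vs_hidden(mnemonic: str, passphrase: str) -> dict:
    """What an attacker holding only the words actually has: the default
    wallet's master key, and nothing that helps with the hidden wallet."""
    default_seed = bip39_seed(mnemonic)
    hidden_seed = bip39_seed(mnemonic, passphrase)
    default_key, _ = bip32_master_key(default_seed)
    hidden_key, _ = bip32_master_key(hidden_seed)
    return {
        "default_master_key": default_key.hex(),
        "hidden_master_key": hidden_key.hex(),
        "seeds_identical": default_seed == hidden_seed,
        "keys_identical": default_key == hidden_key,
    }


if __name__ == "__main__":
    for name, value in compare_default_vs_hidden(TEST_MNEMONIC, "TREZOR").items():
        print(f"{name}: {value}")
```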


Final Recommendation

If your seed phrase is compromised, the safest approach is:

  1. Move your funds using a new device.
  2. Use a tumbler/mixer for privacy.
  3. Generate a fresh seed phrase on a separate signing device.
  4. Use privacy tools (VPN, Tor, new addresses) going forward.