The vast majority of attacks in Web3 are of the phishing/social engineering variety, not a rootkit worm getting full access to the contents of your hard disk & memory.

Here are a few instances of real-world attacks:

In the following case, the author enters his seed phrase into a form claiming to be an airdrop for Olympus DAO after seeing a notification pop up on Discord:

Engaging in a screen sharing session with a scammer:

Signing a malicious API message:

A scammer claims an NFT trading contract doesn’t work, send the victim to a phishing site that looks similar:

A scammer reaches out in a private direct message on Discord, pretending to be an admin:

Spend a few minutes on any of these threads, and you will inevitably find a well-intentioned reply of the sort: “Next time, use a hardware wallet.”

The problem is that hardware wallets provide a false sense of security. Let us take each case one-by-one:

1. Hardware wallets can have seed phrases, you can still be coaxed into revealing this phrase to a scammer.
2. Perhaps a hardware wallet would stop an immediate screen share divulging your private keys with a single click, but why wouldn’t a scammer convince the victim that their hardware wallet is broken in some way & coax the private keys out through an equivalent method? The victim, in this case, clicked straight through an explicit warning that his private keys would be revealed. A similar scenario could be sending a picture of your hardware wallet with the seed phrase on the display, which is possible in many wallets, or exporting the keys to a Metamask wallet.
3. The last three cases are all the same: Signing a malicious message can happen on any wallet, hardware wallet or not. If you are on a phishing website, there is no hardware wallet that can save you. Recently, frontends like BadgerDAO have been hacked, so even double-checking the browser URL isn’t an airtight solution. If you click ‘confirm’ without thoroughly vetting what contract you are interacting with, it’s still game over.

In all of these cases & many more, a hardware wallet is just a stumbling block for a scammer. We can anticipate more scammers becoming familiar with hardware wallets like Ledger & Trezor, and coaching victims into revealing their seed phrases. Hardware wallets may be able to protect from malware & side-channel attacks, but it’s important to note: these attacks are extremely sophisticated and rare in 2021. Malware nowadays is often of the ‘cryptolocker’ variety, encrypting your disk and requesting a ransom to decrypt it, not memory-scraping Metamask while unlocked (where we have over 25 years of operating system know-how to stop such an attack from succeeding), or reading the encrypted Metamask database on disk (which would be useless without a password). At the time of this writing, it is not clear to me that there has ever been an operating system root-level attack in the wild to which an ordinary in-browser Metamask wallet would be vulnerable and a hardware wallet would not. Side-channel attacks require the resources of a nation-state, not your average Discord/Telegram scammer. On the other hand, we have at least one case of customer mailing addresses being leaked in the Ledger hack of 2020. Although this doesn’t directly affect the device itself, scammers now have over 200K potentially very lucrative to-be-victims in their Rolodex.

To make an analogy: malware & side-channel attacks are like the sound of a mouse underneath your floorboards, while social engineering & phishing attacks are like the sound of a city-wide Air Raid siren going off in your room.

So what to do?

Just like how you should be more worried about dying in a car crash on the way to the airport than on the plane: start paying attention to how smooth-talking social engineering scammers will exploit your emotions & psychology to persuade you into making a critical error.

• Don’t be “quick to please” when you’ve been asked to sign a transaction or message. In one of the Bored Ape thefts above, the scammer allegedly replied: “hey your link isn’t working.” The scammer uses your sense of politeness against you, the implication being: you have messed up in some way and provided the wrong link (in this case, to nfttrader.io), and that you’ve wasted valuable minutes of your counterparty’s time. Therefore, stop being rude and click on the scammer’s link instead! Understandable, but deadly. Always slow down & stall for time. If the counterparty is impatient, that’s a dead giveaway you are being scammed. “Urgent” is code for: “please move quickly, so you can make a mistake.”

  https://twitter.com/SnarkMaster3000/status/1469186142465519621

• Do research the contract address on Etherscan. Does the transaction history of this contract look like what you expect? Is it a popular contract with millions of daily transactions, or does it seem underwhelming? Does the contract have the type & magnitude of assets you would expect under its control, be it Ether or other ERC-20 tokens? (Unless you are directly sending assets into your counterparty’s wallet, whatever personal address they provide to establish a ‘valid’ identity is meaningless, in the Twitter thread above, the scammer supplied someone else’s legitimate address.)

• Don’t be lulled into a sense of safety by using a hardware wallet. You’ve only added security to your signature pen, you are not, in any way, prevented from signing your assets away.

• Do use a hardware wallet as part of a holistic security methodology, where you are triple checking what contract you are interacting with. The frontend website is just a pretty facade to interact with the backend smart contract, copy & paste the contract address into Etherscan and verify before proceeding.

• Don’t reply to direct messages on Discord/Telegram/Twitter if they purport to be an admin trying to help, 95% of the time, they’ve impersonated a legitimate moderator’s profile picture & likeness. Ask yourself: why can’t this interaction be done in the main chatroom? Go back to the main chatroom and ask the moderators directly if they would ever DM you. (they will probably reply: “No, it’s a scam”)