A rogue wallet authorization on public WiFi: a $5,000 security cost


The Smart Ape

Translated by: Luffy, Foresight News


Disclaimer: This article is a reprint. Readers can find more information through the original link. If the author has any objections to the reprint, please contact us, and we will make modifications according to the author’s requirements. Reprints are for information sharing only and do not constitute any investment advice or represent Wu Shuo’s views and positions.

A few days ago, my family and I stayed at a high-end hotel for three days to celebrate the year-end holiday. But on the second day after check-out, my cryptocurrency wallet was completely looted. I was completely baffled—I hadn’t clicked any phishing links, nor had I signed any malicious transactions.

I spent several hours investigating and even hired experts to help. Finally, I figured out the entire theft process. It all started with the hotel’s public WiFi, a brief phone call, and a series of foolish mistakes I made.

Like most crypto enthusiasts, even while staying with family at a hotel, I brought my laptop, planning to handle some work during downtime. My wife repeatedly advised me to completely disconnect from work during these three days. Looking back, I really should have listened to her.

So, like others, I connected to the hotel’s public WiFi. The network required no password—just access through a mandatory authentication portal.

I went about my work as usual, avoiding risky actions: I didn’t create a new wallet, didn’t click on unfamiliar links, and didn’t use suspicious decentralized apps (dApps). I was just browsing social platforms like X, checking my wallet balance, and scrolling through Discord and Telegram.

At that moment, I received a call from a friend in the crypto industry. We discussed market trends, Bitcoin, and some recent developments in the crypto sector.

But I never expected that someone nearby was eavesdropping on our conversation and immediately realized I was a crypto professional. That was my first mistake. The person not only identified that I was using the Phantom wallet but also deduced I held a significant amount of tokens.

Because of that, I became his target.

On a public WiFi network every client sits on the same link-layer segment and, unless the access point enforces client isolation, devices can see and reach one another far more easily than most people expect. That gives an attacker on the same network a position for man-in-the-middle attacks: sitting between you and the internet, much like someone secretly opening and reading, or tampering with, your mail before it reaches you. TLS limits what such an attacker can read or change on a properly configured HTTPS site, so in practice the exposure comes from plaintext traffic, captive-portal interception, and certificate warnings that the victim clicks through.

While browsing websites on the hotel WiFi, I visited a site that appeared to load normally but was secretly embedded with malicious code. I was completely unaware at the time. If I had installed certain security tools beforehand, I might have detected something abnormal, but I hadn’t.

Normally, some websites request users to sign certain content with their wallets. At that point, Phantom wallet would pop up a prompt for approval or rejection. Usually, users trust the website and browser and approve directly. But that day, I really shouldn’t have done that.

I was in the process of swapping tokens on Jupiter Exchange, a decentralized trading platform, when malicious code took the opportunity to tamper with the process. Instead of executing my intended swap, it triggered a wallet authorization request. I could have caught the malicious intent by carefully reviewing the transaction details, but since I was actively trading on Jupiter, I didn’t suspect anything.

What I signed that day was not a transfer of assets but a permission authorization agreement.

That’s why the wallet was compromised days later.

The malicious code was clever. It didn’t directly ask me to transfer SOL tokens, which would have been too obvious. Instead, it issued vague requests like “Authorize Access,” “Approve Account Permissions,” or “Confirm Session.”

In essence, I authorized another unknown address to operate my wallet.

I approved this request because I believed it was a normal step in Jupiter’s platform operation. At the time, the Phantom wallet prompt was full of technical jargon, with no indication of transfer amounts or any real-time transfer alerts.
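The check that would have caught this is to decode what the transaction actually does before signing, rather than reading the prompt's wording. The following is an added example, not code from the original article, Phantom, or Jupiter: it walks the instructions of a Solana transaction and flags SPL Token `Approve`, `SetAuthority`, and transfers to unrecognised accounts. The Token program ID and instruction layouts are those of the public SPL Token program; the sample transaction, the account names, and the function names are constructed placeholders.

```javascript
// Added example (not from the article, Phantom, or Jupiter): a pre-signing
// audit of SPL Token instructions. Program ID and layouts are the public
// SPL Token program's; sample data and addresses below are constructed.

const SPL_TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";

// The first data byte of an SPL Token instruction is its tag.
const TAG = { TRANSFER: 3, APPROVE: 4, SET_AUTHORITY: 6, TRANSFER_CHECKED: 12, APPROVE_CHECKED: 13 };
const AUTHORITY_TYPE = ["MintTokens", "FreezeAccount", "AccountOwner", "CloseAccount"];
const U64_MAX = (1n << 64n) - 1n;

function readU64LE(bytes, offset) {
  let v = 0n;
  for (let i = 7; i >= 0; i--) v = (v << 8n) | BigInt(bytes[offset + i]);
  return v;
}

function hex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// ix = { programId, accounts: [...] in on-chain order, data: Uint8Array }.
// Returns a finding, or null when the instruction is harmless or not Token-program.
function inspectInstruction(ix, trusted) {
  if (ix.programId !== SPL_TOKEN_PROGRAM || ix.data.length === 0) return null;
  const tag = ix.data[0];
  const amount = ix.data.length >= 9 ? readU64LE(ix.data, 1) : null;

  if (tag === TAG.APPROVE || tag === TAG.APPROVE_CHECKED) {
    // Approve accounts: [source, delegate, owner]; ApproveChecked: [source, mint, delegate, owner]
    const delegate = ix.accounts[tag === TAG.APPROVE ? 1 : 2];
    const limit = amount === U64_MAX ? "UNLIMITED" : String(amount);
    return { severity: "HIGH", what: `Approve: delegate ${delegate} may later spend ${limit} tokens` };
  }
  if (tag === TAG.SET_AUTHORITY) {
    // data: [6, authority_type u8, has_new u8, new_authority 32 bytes if has_new == 1]
    const type = AUTHORITY_TYPE[ix.data[1]] ?? `type ${ix.data[1]}`;
    const newAuth = ix.data[2] === 1 ? hex(ix.data.subarray(3, 35)) : "none";
    return { severity: "HIGH", what: `SetAuthority(${type}) -> ${newAuth}` };
  }
  if (tag === TAG.TRANSFER || tag === TAG.TRANSFER_CHECKED) {
    // Transfer accounts: [source, destination, owner]; TransferChecked: [source, mint, destination, owner]
    const dest = ix.accounts[tag === TAG.TRANSFER ? 1 : 2];
    if (trusted.has(dest)) return null;
    return { severity: "MEDIUM", what: `Transfer of ${amount} tokens to unknown account ${dest}` };
  }
  return null;
}

// Audit every instruction; the caller refuses to sign if anything HIGH comes back.
function auditTransaction(tx, trustedAccounts) {
  const trusted = new Set(trustedAccounts);
  return tx.instructions.map((ix) => inspectInstruction(ix, trusted)).filter(Boolean);
}

// Encoders used only to build the constructed sample below.
function u64le(v) {
  const b = new Uint8Array(8);
  for (let i = 0; i < 8; i++) b[i] = Number((v >> BigInt(8 * i)) & 0xffn);
  return b;
}
function approveData(amount) { return new Uint8Array([TAG.APPROVE, ...u64le(amount)]); }
function transferData(amount) { return new Uint8Array([TAG.TRANSFER, ...u64le(amount)]); }

// Constructed sample: a transfer to the pool that looks like a swap, plus a
// second instruction delegating unlimited spending to an attacker address.
const SAMPLE_TX = {
  instructions: [
    { programId: SPL_TOKEN_PROGRAM, accounts: ["MyTokenAcct", "PoolVault", "MyWallet"], data: transferData(1_000_000n) },
    { programId: SPL_TOKEN_PROGRAM, accounts: ["MyTokenAcct", "AttackerAddr", "MyWallet"], data: approveData(U64_MAX) },
  ],
};

for (const f of auditTransaction(SAMPLE_TX, ["PoolVault"])) console.log(`[${f.severity}] ${f.what}`);
```

A swap on Solana moves tokens in the same transaction and does not need a standing delegate, so an `Approve` riding along with it, especially one with an unlimited amount, is exactly the "Authorize Access"-style request described above. Real transactions also carry instructions for other programs and may be versioned with address lookup tables; the same idea applies, but the decoding is larger than this sketch.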

By then, the hacker had all the conditions needed to steal my assets. They waited until I left the hotel before transferring out my SOL, various tokens, and all my non-fungible tokens (NFTs).

I never imagined this could happen to me. Fortunately, this wallet was not my main wallet, just a hot wallet used for daily operations, not a long-term storage wallet. Still, I made many mistakes, and I believe I am mainly responsible.

First, I shouldn’t have connected to the hotel’s public WiFi. I should have used my phone’s mobile hotspot instead.

Second, I was too relaxed. I even discussed crypto in a public place like the hotel lobby without considering someone nearby might overhear. My father always warned me never to let outsiders know I was involved in crypto. The consequences could have been much worse—some people have been kidnapped or even murdered for holding cryptocurrencies.

Another fatal mistake was approving that wallet authorization request without careful verification. I trusted it was a legitimate Jupiter platform request, so I didn’t analyze its details thoroughly. Here’s a reminder: no matter what application you’re using, always scrutinize any wallet authorization request carefully. Read what the request actually does, which program it calls, what amount or authority it grants, and which address receives it; a token swap should not need a standing approval to an address you do not recognize. These requests can be intercepted and tampered with by hackers, and the sender may not be who you think it is.

Finally, I lost about $5,000 worth of assets. Although it could have been worse, I am still very upset about this incident.
