So, I got hacked yesterday. I had 2 UTXOs chilling in a single-sig hot wallet. My seed phrase was just 12 words. I set up the wallet with Bluewallet originally.
Check out the transaction: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37
I have no clue who the thief is, but I really hope they end up losing everything they own.
I mean, I had a single-sig wallet. I didn't even connect through my own node. I messed up in a few ways, but stealing is just wrong...
By the way, I think something might be off with windice.io. I was sending some sats back and forth to play roulette. Maybe they're up to no good. Still, I'm taking the blame for this...
Please tell me that 12-word seed phrases are still secure. I need to believe that it was malware or something and that using 24 words wouldn't have changed anything. I really need to hear that.
Never thought I'd get hacked...
19 replies 143 views
Definitely a 24 seed phrase which is longer is more secure than 12 seed phrase since it has 256 bits of entropy compared to the 128 bits of 12 seed phrase. The probability of guessing the words accurately will be higher in 24 seeds than in 12 seeds. But still this doesnt eliminate the fact that both will face same faith if exposed to malware.
From your post it seems you either might have caught malware or you expose your seeds either through phishing attack or any other way.
Going forward I would advice you prioritize offline method of storing your keys and seeds, because without taking full control of them even if you have 200 seeds as recovery phrases the same thing will happen without proper storage.
Sorry for your loss.
It might be a malware. But it might be an offline attack, like someone to see your seed phrase backup. Or when you give them your device or something like that and password is not enabled.
I will recommend you wallet on an airgapped device, a hardware wallet or Electrum 2FA wallet and make sure the 2FA is not on the same device your wallet is.
Not more secure during online attack or if the seed phrase is seen offline. But passphrase can help against offline attack.
I also have a 2-of-3 multisig. All cosigners are 12 words long. They have all been generated using a hardware wallet which is airgapped. I am monitoring my wallet (as watch-only) connected to my own node.
I start to worry about this setup too now...
Having the 2-of-3 multisig on hardware devices is very safe and secure. One of the best options to go for.
It's not a hardware device actually. It's a seed signer, meaning it has no memory at all. My seed phrases are on paper on 3 different places. I am starting to think that I must create another wallet where each cosigner is 24 words long. Should I? Or am I ok?
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#7Apr 7, 2026, 03:59 PM
OP had less than 0.001BTC in a hot wallet. That's a totally acceptable amount to risk losing, and I assume OP has most of his funds in cold storage already.
The interesting part is the receiving address: bc1qs9gxwj6497ykmj5txdk7aax0c6psyr62fwcuv6: it received many more transactions, all within 24 hours. It looks like someone targeted many wallets at once.
Update: It gets weirder: many of those transactions are sending his own inputs to his own address: this transaction for example. I have no idea why.
I trust 12 seed words. You should look elsewhere, changing to 24 words will only give you a false sense of security.
Hello Loyce. It's not the amount... It's the fact I got hacked... I have both a multisig vault and a cold wallet with passphrase. That's where I keep my entire net worth. I really couldn't afford losing it. That's why you see me desperate and forgive me for that...
As I said, it's from the website where I sent some sats to play roulette, I think it's a scam.
Thanks, I really appreciate this answer. It's what I thought anyway, so...
12 word seed phrases for 2-of-3 multisig wallet created on a hardware wallet is very safe and secure, you can not compare that with single sig online wallet which is far more vulnerable if you compare them both.
Having the backup in this order in different places also makes the backup to be safe:
Seed 1, MPK 2
Seed 2, MPK 3
Seed 3, MPK 1
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#10Apr 8, 2026, 05:37 PM
I'm confused: you said you "originally" created the seed phrase in Bluewallet. Does that mean you imported your seed phrase elsewhere? Which wallet did you use, and how can the website you sent funds to have anything to do with that?
I had used Bluewallet all the way from the beginning till the end with this wallet. I created the seed phrase there = I created the wallet there and used it as a hot wallet.
As far as the multisig vault is concerned:
This is exactly how I have backed-up my wallet. In fact the only thing I have done using a device connected to the internet, it to monitor my wallet importing my xpubs to Sparrow which is connected to my personal electrum server.
jake.chainSenior Member
Posts: 280 · Reputation: 1307
#12Apr 8, 2026, 08:05 PM
12 words are more than sufficient. 24 words are harder to brute force, yes, but brute forcing 12 words is already impossible. The number of words makes no difference if an attacker compromises your back up.
If the seed phrases from your multi-sig set up have never touched an internet connected device, then they remain as safe as possible.
What you should really be focusing on is how your hot wallet was compromised. How did you store the seed phrase back up, and did you import it anywhere else? It could well be that the device which was hosting this hot wallet is infected with malware, meaning you will need to think about formatting it and reinstalling your OS.
seed_vaultFull Member
Posts: 71 · Reputation: 451
#13Apr 8, 2026, 10:20 PM
Do you mean you've sent funds to bc1qs9gxwj6497ykmj5txdk7aax0c6psyr62fwcuv6 before? That's where you're money went, did you log onto the roulette site to see if the funds are there? Are you sure you didn't send the funds while on a fortified hookah bender, and just forgot? Does anyone else have access to the device where you have the hot wallet?
Sounds correct. My device is actually my phone. I really can't understand what went wrong... My seed phrase has never been imported to any other software apart from Bluewallet on my phone.
Nobody has access to my seed phrase (nor my phone) apart from me.
I have never sent money to this address but windice.io makes you always deposit to the same address (which is not the one where my money went).
There is nothing suspicious with windice.
They gave you a deposit address and you sent bitcoin to that address. That's all. There is no way they can gain access to your private keys or seed phrase and make transaction from your wallet.
Hello! So, what do you think has happened?
I can assure you that nobody has ever seen my seed phrase. But the phone may be compromised. I just can't understand what I see in mempool. I have never seen the receiving address before.
mark_whaleSenior Member
Posts: 238 · Reputation: 968
#17Apr 13, 2026, 08:20 AM
I remember this casino, they even advertised themselves in this forum, I think around 2018-2019. Let me look up the links
But I don't think a site would access your private keys (seeds) or something like that. There is a possibility there was some security lapse that led to the leakage of your private keys (seeds) recently or way back, and you can't remember.
Their ANN: ♨️🎲 WINDICE.io 🎲 Contests 🏆 TvT 🔰 Progressive Faucet💰 Jackpots 🎁❤
Their former Signature Campaign: Windice.io Signature Campaign(CLOSED)
Yeah I guess they couldn't access my PK, but I still wonder how someone gained access to my wallet...
humbleledgerLegendary
Posts: 1027 · Reputation: 6554
#19Apr 14, 2026, 03:15 PM
You're contradicting yourself:
First, you say your Bitcoin was sent to the address above. Then you say it's from a website you've used, while you say you've never sent funds to that address. It doesn't add up. How do you know which website the address belongs to?
Hang on, I have been misunderstood, perhaps because english is not my native language.
So, I have a hot wallet on my BlueWallet application.
I have sent multiple time to an address that the website (windice.io) provided me, which was looking like this: 3J....... I don't show the exact address because I don't want to expose all of my transactions for privacy reasons.
So, my wallet had multiple transactions to the address above.
Then, suddenly, I have seen this transaction from my wallet: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37
The output address of this transaction is this one: bc1qs9gxwj6497ykmj5txdk7aax0c6psyr62fwcuv6
I don't own the keys that generate this address.
I hope I made myself clear and I am happy to add any more information if needed.
?Reply
Sign in to reply to this topic