Posted on Leave a comment

What is Cryptocurrency Security: 5 Steps to Safely Invest in Cryptocurrency

Technology has changed the way people work, communicate, shop and even pay for goods. Companies and consumers don’t always prefer cash anymore, and this behavior is giving way to contactless payments. With the quick wave of a smartphone, consumers can pay for items at digital registers. Now, a new payment system is emerging: cryptocurrency.

Probably everyone heard about Bitcoin by now. It was the first cryptocurrency to go mainstream, but others are growing in popularity. There are more than 2,000 different types of cryptocurrencies, and more are developed every day.

Research suggests most people have heard of cryptocurrency but don’t fully understand what it is. So, what is it, is it secure and how do you invest in it? To help, we’ll answer those questions. Think of this as Cryptocurrency Investing 101.

What Is Cryptocurrency?

Cryptocurrency is a digital payment system that doesn’t rely on banks to verify transactions. It’s a peer-to-peer system that can enable anyone anywhere to send and receive payments. Instead of being physical money that is carried around and exchanged in the real world, cryptocurrency payments exist purely as digital entries to an online database that describe specific transactions. When you transfer cryptocurrency funds, the transactions are recorded in a public ledger. You store your cryptocurrency in a digital wallet.

Cryptocurrency got its name because it uses encryption to verify transactions. This means advanced coding is involved in storing and transmitting cryptocurrency data between wallets and to public ledgers. The aim of the encryption is to provide security and safety.

How Secure Is Cryptocurrency?

Cryptocurrencies are usually built using blockchain technology. Blockchain describes the way transactions are recorded into “blocks” and time stamped. It’s a fairly complex, technical process, but the result is a digital ledger of cryptocurrency transactions that’s hard for hackers to tamper with.

In addition, transactions require a two-factor authentication process. For instance, you might be asked to enter a username and password to start a transaction. Then, you might have to enter an authentication code that’s sent via text to your personal cell phone.

While securities are in place, that doesn’t mean cryptocurrencies are un-hackable. In fact, several high-dollar hacks have cost cryptocurrency startups heavily.

Tips to Invest in Cryptocurrency Safely

Investments are always risky, but some experts say cryptocurrency is one of the riskier investment choices out there, according to Consumer Reports. However, digital currencies are also some of the hottest commodities. If you’re planning to invest in cryptocurrencies, these tips can help you make educated choices.

Research Exchanges

Before you invest one dollar, learn about cryptocurrency exchanges. These platforms provide the means to buy and sell digital currencies, but there are thousands exchanges to choose from. Do your research, read reviews and talk with more experienced investors before moving forward.

Know How to Store Your Digital Currency

If you buy cryptocurrency, you have to store it. You can store it on an exchange or in a digital “offline wallet,” for example they are reputable brand such Ledger or Trezor like we providing on this site . While there are many different kinds of wallets, each has its own benefits, technical requirements and security. As with exchanges, you should investigate your storage choices before investing.

Diversify Your Investments

Diversification is a key to any good investment strategy, and it holds true when you’re investing in cryptocurrency too. Don’t put all of your money in Bitcoin, for example, just because that’s the name you know. There are thousands of options, and it’s best to spread your investment around to several currencies.

Prepare for Volatility

The cryptocurrency market is a volatile one, so be prepared for ups and downs. You’ll see dramatic swings in prices. If your investment portfolio or mental wellbeing can’t handle that, cryptocurrency might not be a wise choice for you.

Cryptocurrency is all the rage right now, but remember, it’s still in its infancy. Investing in something that’s new comes with challenges, so be prepared. If you plan to participate, do your research and invest conservatively to start.

Posted on Leave a comment

Beware phishing scam that targets wallet users

Customers of Ledger, the hardware cryptocurrency wallet, are being targeted by a phishing attack posing as an email from Ledger support. Even we at Bitstore Malaysia also getting this attempt on daily basis.

The fake email ostensibly informs users their Ledger assets may be compromised or Your Hardware Wallet has been disabled as head subject. It states, “We‘re sorry to inform you that due to the new KYC (Know Your Customer) regulations, you‘re required verify your identity:.” This claim is false; while the email form looks professional, it is a phishing attempt to steal customers data. 

Based on analyst from our threat intelligence team, the email contain a link that will phish user to giving their recovery phrase on the cloud document provided or a link to download fake Ledger Live application.

Security best practices

  • Reminder: Anyone with access to your 24-word recovery phrase can take your assets.
  • Never enter your 24-word recovery phrase anywhere else than on your Ledger device.
  • Ledger will never ask you for your 24-word recovery phrase.
  • Only use official contact form at

The email is so convincing that even wary users might be fooled. Ledger confirmed that, for the last week, a phishing attack has been targeting Ledger cryptocurrency wallet customers. 

Ledger phishing email

In a statement, a Ledger spokesperson said an internal task force has been deployed to investigate the latest phishing attack. 

“The investigation is ongoing and at this time we cannot give any additional information but one thing is for certain: Ledger will never ask you for your 24-word recovery phrase, which is a blatant sign of a phishing scam,” said the spokesperson. “Ledger encourages customers to exercise caution as phishing attacks become more sophisticated and to alert Ledger’s customer support team and consult for more information on the detection of scams.”

Phishing attacks are common and attackers are increasingly sophisticated, creating emails that resemble official company correspondence. They rely on a person making a mistake and clicking on a link that could compromise his or her security. 

Pro tip: Bookmark verified sites where you normally would input sensitive information and only access them through that bookmarked link.

Posted on 1 Comment

Beware Malicious Google Chrome Extensions That Hijacking Cryptocurrency Wallets

Google has ousted 49 Chrome browser extensions from its Web Store that mimicked as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies.

The long list sum 49 browser add-ons including Ledger wallet, potentially the work of Russian based cybercriminals, were identified (find the list here) by researchers from MyCrypto and PhishFort.

“Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files,” explained Harry Denley, director of security at MyCrypto. “Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.” Additionally all of the extensions have the same functionality but their branding changes based on who they are targeting.

Moreover, an analysis suggests Ledger is the most targeted brand — without speculating, it’s hard to say why.

  • Ledger — 57% of malicious browser extensions in dataset
  • MyEtherWallet — 22% of malicious browser extensions in dataset
  • Trezor — 8% of malicious browser extensions in dataset
  • Electrum — 4% of malicious browser extensions in dataset
  • KeepKey — 4% of malicious browser extensions in dataset
  • Jaxx — 2% of malicious browser extensions in dataset
For instance, MEW CX, the malicious add-on targeting MyEtherWallet, was found capturing the seed phrases and transmitting them to an attacker-controlled server with an intention to drain the victim’s wallet of digital funds.

Some of the extensions, Denley said, came with fake five-star reviews, thus increasing the chances that an unsuspecting user might download it.

Data stealing extensions have been a regular occurrence on the Chrome Web Store, leading Google to purge them as soon as they’re discovered. Back in February, the company removed 500 malicious extensions after they were caught serving adware and sending users’ browsing activity to C2 servers under the control of attackers.

If you suspect you have become a victim of a malicious browser extension and lost funds, it’s recommended you file a report at CryptoScamDB.

For Ledger user please bear in mind that only download Ledger Live application through their official site here.

Posted on Leave a comment

Bitcoin Ransomware Surge in 2019

A decade ago, if a dekstop computer got infected with malware the main symptom probably was an intrusive browser toolbar of some kind. These days if your mobile or desktop computer is infected what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files.

What is ransomware?

Ransomware — malicious software that encrypts the victim’s files and holds them hostage unless and until the victim pays a ransom in Bitcoin — has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services.

The role of bitcoin

Since 2013, when Bitcoin first entered the mainstream, it has been used as a payment option for ransomware. While Bitcoin has proven popular for this purpose, the unique properties of the cryptocurrency cut both ways — creating a double-edged sword for attackers.

Irreversible transactions are useful for cybercriminals as they can avoid chargebacks after they have delivered the decryption key. Or they can simply keep demanding more funds without ever delivering.For the attackers, it’s this quality that makes Bitcoin an attractive ransomware payment method. Bitcoin payments cannot be reversed or stopped, unlike wire transfers, prepaid cards, or SMS payments, which in some cases promise higher levels of anonymity.

Attack on the rise

Yesterday, some residents of Johannesburg, the largest city in South Africa, were left without electricity after the city’s power company got attacked by a ransomware virus. City Power, the company responsible for powering South Africa’s financial capital Johannesburg, confirmed Thursday on Twitter that it had been hit by a Ransomware virus that had encrypted all of its databases, applications, and network. The attack prevented prepaid customers from buying electricity units, upload invoices when making payments, or access the City Power’s official website, eventually leaving them without power.

According to SonicWall cyber threat report current trend sees global common malware volume slow down comparing to 2018 and its gets replacing by ransomware attacks which now at the all time high volume hit. In 2018, SonicWall logged more than 2.8 million ransomware malware attacks, which was already a 27% jump over the previous year. So far in 2019, that threat is only accelerating. Through the first six months of 2019, SonicWall has registered 2.4 million ransomware attacks, almost eclipsing the 2018 full-year total in half the time. This marks a 76% year-to-date increase.

How to protect yourself?

Regularly backup your data, and make sure the backups are not connected to the computers and networks they are backing up.Most ransomware variants can encrypt files on any attached drives or network files that are also accessible to the host machine (including cloud hosting and cloud-based backups if those passwords are stored on the machine).

Many companies are now selling products that claim to block ransomware attacks. Those claims are beyond the scope of this article, but don’t be lulled into thinking these products will always protect you.

Even products that could somehow block all ransomware attacks can’t prevent the biggest reason that ransomware attacks succeed: They trick victims into taking an action that inadvertently undermines the security of their device — be it a smart phone, tablet or desktop computer.

This usually involves clicking a link or downloading and opening a file that arrives in an email or instant message. In either case, it is an action that opens the door to the attacker to download and install malware.

With global ransomware projected to generate global revenues of at least a billion dollars this year, ransomware authors are going to keep targeting businesses for the foreseeable future. It is therefore imperative for businesses and endusers to implement available safeguards, create regular data backups and educate employees on how best to avoid triggering a ransomware infection.

Posted on Leave a comment

What is 2FA?

Two-factor authentication is used globally, in many different industries, and by many different brands. You don’t always realize it, but every time you complete simple actions like entering your PIN number when using your debit card, you’re using 2FA. Every time you’re asked for ID at a bank, you’re using another form of 2FA.

According to Verizon, 80% of cyber breaches could be prevented by 2FA, and this could be something as simple as a transaction requiring an SMS confirmation. It’s much less likely that someone will be able to get a hold of your password and your phone!

Recently Google also reported that 100% of automated bots, 99% of phishing attacks and 66% of targeted attacks were blocked by 2FA.

There are three main types of authentication:

  • What you know – a password, a PIN or an answer to a security question.
  • What you have – a phone, credit card or fob.
  • What you are – a biometric such as a fingerprint, retina, face or voice.

They can all be mixed and matched to be used together in whichever way suits your company’s purpose. In this article, we’ll take you through everything you need to know about 2FA so it can become an integral part of everyday life that protects your side or your customers.

Your customers’ security should be one of your highest priorities. If they experience a security breach it could be completely life-changing for them – that’s why it’s so important to protect your client’s accounts.

2FA provides an extra layer of security and makes it harder for attackers to access their accounts. Simply adding a layer of 2FA to logins and transaction processes can alleviate risk.


1. Better security

2FA decreases the chances of an attacker being able to impersonate somebody on their account and gain access to sensitive resources. Even if they have the password, they’ll need something else too!

2. Increased productivity and flexibility

Companies that embrace new technology are likely to experience better productivity and flexibility. Customers are able to sign up for services quicker and more securely than before, and can be given the choice of how they’d like to verify their identity.

In businesses, 2FA is used so employees can securely access corporate applications, data, documents, and back-office systems from virtually any location without putting company data at risk.

3. Lower security management costs

Implementing 2FA can help reduce the lengthy and costly password reset calls, and can act as a secure way for customers to sort these issues out themselves.

Reducing customer interactions with call centers, not only strengthens security but also improves UX. Then, as a massive bonus, operational overheads that are associated with security controls are reduced.

4. Reduced fraud

It’s not easy for a hacker to bypass 2FA, making it an effective security tool against fraud. Potential threats would have to know lots of information to gain access and duplicate information, not just one password.


Turning on two-factor authentication is an easy way to stay protected. It quite literally places the security of customer accounts in their own hands.

Even the simplest form of 2FA puts a practically impenetrable wall between hackers and your customers’ personal information.

Yubikey 2fa device can be use to protect all range of applications

Taking these steps to protect your customers’ accounts will offer them the highest level of security and the best UX, creating happy and secure customers all around.


Posted on Leave a comment

Cryptocurrency users being targeted by APT Hacking Group

It’s being normal for anyone who follow cyber threat intelligence that the infamous APT Hacking Group targets financial entities such banks and financial institution as their main operational core profit income. Alongside goals like cyber espionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe.

What APT stand for?

An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time. The intention of an APT attack is usually to monitor network activity and steal data rather than to cause damage to the network or organization.

The trend are shifting starting by last year since this APT actor now are moving into cryptocurrencies user and business, especially targeting the operator of the exchanges. Financial gain remains one of the main goals for APT actor, with its tactics, techniques, and procedures constantly evolving to avoid detection.

According to Kaspersky report, recent campaign to attack cryptocurrency business the APT group said to utilizing a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target macOS. Since then the group has been busy expanding its operations for the platform.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS. The fact that the APT group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms

Infection procedure


This is a reminder for Windows and macOS users to be more cautious and not fall victim to this kind of attack campaign. If your business operation involving cryptocurrency or revolve around fintech startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It’s best to check new software with an antivirus and use trusted hadware wallet provider like Ledger Nano S or Trezor. In the meantime, stay safe!

Posted on Leave a comment

How to Protect Yourself from Ledger Addresses Man in the Middle Attack

Recently, published a blog post – Ledger Addresses Man in the Middle Attack That Threatens Millions of Hardware Wallets. We would like to address some of the claims made in the post which are unfortunately incorrect.


TL;DR: This is not a Ledger security flow, Ledger users are not at risk. As a Ledger user, you should verify new receive addresses on device screen when you want to receive fund. As far as we know, no one has ever lost any coins in this Proof of Concept.


While there are attack vectors that can modify the address displayed on an infected client computer (where you connect and interact with a hardware wallet), this type of vulnerability has been around since the beginning of Bitcoin. In fact, this same class of vulnerability applies to all Bitcoin and other crypto wallets everywhere, whether software or hardware. It is not unique to Ledger devices.

We would like to start off with some quick facts:

  1. Your funds are safe in a hardware wallet. No immediate action is required. This particular risk only applies once you try to send or receive crypto assets to/from the hardware device.
  2. This is not a “bug” in Ledger or any other hardware wallet. In fact, hardware wallets offer the best level of protection against this specific threat. However, some due diligence is still required by the user.
  3. The attack works by modifying the content on your clipboard or changing the displayed receive address in your Ledger Chrome apps. Other versions could potentially affect Trezor hardware wallet as well.
  4. This vulnerability cannot be easily patched or addressed. It’s better to adopt best practices when handling addresses so that you can ensure you’re not affected.


Steps you can take to prevent attacks by address-changing malware or client software hacks:

When receiving funds using the main Ledger Wallet Chrome app:

Make sure you tap on the monitor icon at the bottom of the address display window. Compare the address shown on the Ledger device itself with that shown on your PC screen.

If they are the same then great! If they are not, then you should try a different computer to see if you get the same result. Make sure you install Ledger apps yourself from the official Ledger website:


When receiving Ethereum or most other tokens (ERC-20):

It may be better to use the MyEtherWallet (MEW) website instead of the Ledger Ethereum Chrome app for greater functionality. Within the Ethereum app on your Ledger device you will need to enable browser support.

Once you’ve connected the Ledger on MEW, select the address you want to receive into. Make sure you click the “Display address on Ledger” link to confirm it on your Ledger device screen. If you don’t see the same address, use another computer to connect to MEW. Make sure you are in the correct website:


When receiving other coins using Ledger official app such as Ripple:

Right now these apps do not have the ability to display receive address on your Ledger device screen. Until that, you may simply send a small amount of the asset to the receive address. Ideally, check from another computer to see if the same address and test amount appear as well. Although this method is not perfect, if you can see the same address and balance on both client computers then you should be safe. Again, only install apps from the official Ledger website.

Tips: Make sure your apps on the Ledger Nano S or Ledger Blue are updated to the latest version (by using Ledger Manager).


Final Important Tips!

Whether your are sending or receiving fund using ANY wallet, software or hardware, always visually compare the first or last few characters of the address after pasting from your clipboard. Compare the address with your source and make sure they match before proceeding the transaction.

Posted on

How to Claim Bitcoin Gold on Ledger Hardware Wallet

Finally we can claim Bitcoin Gold in our Ledger Nano S and Ledger Blue device by using official BTG split tool. You can find the guide below, however we must remind you that Bitcoin Gold’s block explorer and network is still unstable at the time of this post, please be caution.


Step-by-step tutorial to claim your Bitcoin Gold by Ledger


To enable Bitcoin Gold, make sure that you have the latest Ledger Wallet Bitcoin Chrome app installed (v1.9.9, it should upgrade automatically). Then you must install the Bitcoin Gold app through the Ledger Manager.

A more comprehensive guide will be available soon, but to send your BTG to an exchange please follow these steps:

  • Make sure you have Ledger Wallet Bitcoin Chrome app v1.9.9
  • Make sure your Nano S firmware is v1.3.1
  • Install the Bitcoin Gold app on your device through the Ledger Manager
  • Launch the Ledger Wallet Bitcoin Chrome app on your computer
  • Launch the Bitcoin Gold app on your Ledger device
  • Click on “BTG split tool” line on the Chrome app
  • If you wish to access your BTG on your legacy chain, select legacy, otherwise select segwit
  • The app will sync (it may take some time, be patient)
  • You have then access to your BTG
  • You can safely send your BTG to the exchange, there is a native replay protection. Your BTC will stay completely safe during these operations




Source: How to use Bitcoin Gold with Ledger – Ledger

Posted on Leave a comment

Scam Alert: Airdrop Campaign

Recently we noticed a scam campaign to lure user to handover Ethereum private key wallet by clicking on the links purportedly from OmiseGo airdrop. This is nothing new as this method has been actively used during ICO craze before, by plastering scam link into slack channel to get into victim, but now they are shifting into twitter and email to reach new victim.

OmiseGO airdrop scam


On the scam page below, they ask victim to enter private key for so-called “verification”. Once enter, kapoof! All ETH gone to the scammer’s address. Please be alert do not easily hand over your private key because that’s the last key to accept all your money.

Fake Ethereum Airdrop
Fake OmiseGo Airdrop site


We advise user to install MetaMask plugin on your Chrome browser to get notify if you are accidentally landed on a phishing site.

Metamask auto block the phishing site
MetaMask auto block the phishing site


Avoid untrusted email from unknown source. Protect your coin, Stay safe.