Replies (17)

Have you considered the shipping companies too? We found out by bitcoiners working at DHL that basically every employee can just find a company account that ships and get all shipment data if there is a company account. We decided to therefore do manual shipments without any account with shippers when we started. Specifically because of this risk.
Default avatar
Austin 2 weeks ago
If the letter came with swag, seeds would be lost
@NVK why are you passing off blame to competitors? This was you (or one of your partners). I got same and the pseudonym on the letter wasn’t given to any other competitors. It was specifically only used for coldcard order
Man, this one 100% has zero ties to anything anywhere else. Literally, the COLDCARD is the only BTC-related product ever purchased by this person with a name or address used. I wouldn't push it if I wasn't certain about this. I fully realize what I'm saying, and I did due diligence on this to not waste your time.
That's interesting. I'd heard Coinkite doesn't keep customer data, so I wonder what it could be. Some middleman shipping person taking notes as devices pass by? That's the only thing that comes to mind.
Yeah, it could be a middle man shipping person... but this smells to me more like the middle man shipping company itself might have been hacked - exposing past invoice data. It's great that Coinkite delete's user data, but they can't control the deletion of the data that they had already passed along to someone else. To me, the bottom line is, there are no guarantees: act accordingly. *and in this case, it sounds like the appropriate skepticism to an unexpected correspondence was indeed applied. PS. It does seem like Coinkite should take more of an interest in determining if their shipping partner was the weak link here or not. Maybe behind the scenes they will/are. 🤷
TJW's avatar
TJW 2 weeks ago
I also received two of these letters. Unfortunately I lost my Coldcards and all of the bitcoin I've ever purchased in a boating accident, so I can't upgrade them anyway.
anon1984's avatar
anon1984 2 weeks ago
@NVK You need to look deeper into this. I just got the same letter to my current address which I moved just 8 months ago. I have only purchased coldcards for the past 4 years in any case. The most recent purchase was in April. So the information the scammers have are very up to date and somehow seem to be related to Coinkite. This leak is not from another hardware wallet company.
Your customers are pretty smart people and they've noticed that this is evidently somehow connected to an order that they have placed. These are not Ledger owners or Target customers who got a fake CoinKite letter. They are people who ordered a ColdCard. And this is not the first iteration of this scam. If you look, you can find the exact same scam happening worldwide for months. It is likely that a downstream logistics partner has a leak. If you look, the people who received this letter are marked as owning a "ColdCard Calculator". I would bet 20,000 sats that something like that is what is being told to the shippers to be declared probably to customs. You can express concern about this leak and even let your customers know that it's probably not you. It's probably someone downstream from you that you don't control. At least I hope this is the case. And by the evidence, it seems so. But just acting like we have been the victims of past information breaches and shrugging it off doesn't really feel good to people who have placed their trust in you in buying your product. This is not meant to be any kind of finger wagging post. I'm just trying to point out something that you might not be seeing quite yet.