What is the TikTok hardware wallet scam?
People who purchased what seemed like a “sealed brand new” hardware wallet, advertised on the Chinese version of TikTok, fell victim to a $6.9 million cryptocurrency heist, losing all their investments in mere minutes.
A late-night alert from blockchain security firm SlowMist highlighted one of the most significant cryptocurrency thefts of 2025. Criminals are utilizing security devices that are meant to safeguard users against online threats, which represents a troubling new trend in crypto fraud. Many users, understandably, are worried about the security of hardware wallets being compromised in such a large-scale criminal operation.
SlowMist’s Chief Information Security Officer, known as 23pds, was the first to bring attention to this incident. Unlike the more common phishing emails or fake websites, this attack operated at the hardware level, fundamentally compromising victim security.
The major issue for crypto users is that there are often few warning signs of this type of attack until it’s too late.
How are counterfeit hardware wallets compromised?
The victim, in this case, purchased what appeared to be a legitimate ledger hardware wallet through Douyin Shop, TikTok’s Chinese e-commerce platform.
It’s generally advised to never purchase second-hand hardware wallets, as they may be compromised. However, in this instance, the buyer was misled by the convincing packaging. It closely resembled a factory-sealed, authentic product, complete with original holographic stickers. For casual users, the wallet’s appearance seemed perfectly normal.
When the victim activated the new wallet, everything appeared to function correctly—it generated a typical 24-word recovery phrase. However, investigators later determined this was the critical moment when the wallet had been compromised before its sale.
The attacker had either pre-set secret phrases or interfered with the random number generation process, gaining full access to the wallet and its private key. As soon as funds were transferred into the wallet, the attacker drained it rapidly.
Sadly, the victim had deposited roughly 50 million yuan (around $6.9 million), but the criminals emptied the wallet within hours.
Did you know? The global market for hardware wallets was valued at over $460 million in 2024 and is expected to exceed $3 billion by 2033. This makes hardware wallets a primary target for cryptocurrency theft.
Slow Mist Team Crypto Research Trail
According to reports from SlowMist’s X account, the victim filed an emergency theft report on June 13, 2025.
SlowMist is a blockchain security firm that specializes in various services, including security audits and threat intelligence, and plays a significant role in cryptocurrency crime investigations, often collaborating with large organizations and government bodies.
They seized this occasion to trace the stolen funds and discovered they had swiftly moved through a clandestine financial network linked to a figure in Cambodia named Huiwang. This operation was associated with a group known as Huione, which engages in laundering cyber theft proceeds. The Financial Crime Enforcement Network also noted concerns about this group.
Huiwang’s money laundering tactics, which involve multiple layers of obfuscation, are notoriously effective, rendering recovery virtually impossible, especially since they evade anti-money laundering and know-your-customer controls. Although SlowMist successfully tracked the stolen assets, hopes for recovery dimmed significantly following the exposure of the wallet key.
Did you know? Platforms like TikTok and others are rife with crypto scams, which span from fake investment schemes to unsolicited messages and compromised hardware wallet sales. These scams aim to exploit users’ trust in crypto assets.
Crypto theft issues with sealed wallets on the rise
Cold wallet scams illustrate how quickly one can lose an entire cryptocurrency investment. SlowMist’s Chief Security Officer, 23pds, mentioned that crypto users should be cautious about placing all their assets in wallets that are significantly cheaper. He emphasized that this isn’t about saving money but rather risking the lifeline of their finances.
Such incidents are emblematic of a widespread increase in cryptocurrency scams that have wreaked havoc throughout 2025. In the first half of the year, reports indicated over $2.1 billion in cryptocurrency losses due to attacks on infrastructure.
The operations of hardware wallets represent a complex vulnerability that all crypto holders must understand. Regardless of how “authentic” a wallet may appear, this situation underscores the need to purchase new devices directly from trusted suppliers, steering clear of discounts or third-party platforms.
Security experts have identified multiple methods criminals employ to compromise hardware wallets:
- Firmware changes: Attackers may replace genuine firmware with malicious versions that can leak private keys.
- Manual replacement: Criminals might insert fake setup instructions that guide users to pre-generate addresses.
- Supply Chain Penetration: Wallets can be intercepted and tampered with during transport or retail distribution.
- Counterfeit Manufacturing: Creation of entirely fake devices that resemble legitimate hardware wallets.
Did you know? Even Coinbase, one of the largest crypto firms globally, has faced cyber attacks and recently acknowledged that criminals gained access to sensitive data, using it to mislead people into handing over their crypto. Although they demanded $20 million to maintain silence, Coinbase refused to comply and promised to reimburse victims.
How to protect against hardware crypto wallet scams
The cryptocurrency industry, valued at over $3 trillion, is a prime target for criminals, especially concerning hardware wallets. Users often depend on these devices to secure significant funds over the long term.
This necessitates that users take specific steps to ensure the safe purchase of crypto wallets:
- Packaging inconsistencies: Authentic hardware wallet packages employ ultrasonic welding and come with tamper-proof seals. Red flags include devices bonded with adhesive, missing security packaging, or items that look pre-opened.
- Cheap pricing: Wallets priced below manufacturer retail rates could be counterfeit or compromised, mainly if sourced through social media and informal channels.
- Pre-filled information: Any wallets with preset PINs, recovery phrases, or setup instructions should be discarded immediately.
- Informal markets and retailers: Purchasing from anywhere other than the manufacturer’s official site increases risks significantly.
