Connected to hotel Wi-Fi for three days, my encrypted wallet was stolen with $5,000.

Author: The Smart Ape

Translation: Deep潮 TechFlow

A few days ago, I went with my family to a very nice hotel to spend the New Year holiday. One day after leaving the hotel, my wallet was completely emptied. I was baffled because I had not clicked on any phishing links nor signed any malicious transactions.

After hours of investigation and consulting experts, I finally understood the truth. It was all due to the hotel’s Wi-Fi network, a brief phone call, and a series of stupid mistakes.

Like most cryptocurrency enthusiasts, I carry my laptop with me, thinking I can still do some work while on vacation with my family. My wife repeatedly insisted that I not work during these three days, and I really should have listened to her.

Like other guests, I connected to the hotel’s Wi-Fi network. This network doesn’t require a password, just a login through a captive portal.

As usual, I worked in the hotel without doing anything risky: I didn’t create a new wallet, click on strange links, or access suspicious decentralized apps (dApps). I only checked Twitter, my balances, Discord, and Telegram.

At one point, I received a call from a crypto circle friend, and we discussed market trends, Bitcoin, and other crypto topics. What I didn’t know was that someone nearby was eavesdropping on our conversation and realized I was involved in cryptocurrency activities. That was my first mistake. The other party learned from our conversation that I was using the Phantom wallet and that I was a significant holder.

This made him target me.

On public Wi-Fi, every guest’s device sits on the same network, and devices are far more visible to one another than most people assume: hotel networks rarely isolate clients from each other, and on an open network with only a captive-portal login the radio link itself is not encrypted. That is what makes a “Man-in-the-Middle Attack” possible. An attacker on the same network can answer your DNS queries, impersonate the gateway, or put up a lookalike portal page, so that your traffic passes through their machine, like someone reading and tampering with your letters before they are delivered. The caveat a practitioner will add: correctly validated HTTPS still prevents the attacker from reading or altering page content. What they get for free is the list of hosts you talk to and anything served over plain HTTP, plus the chance to trick you into accepting a bad certificate or a fake portal login, which is why a certificate warning on a public network should never be clicked through.

When I was browsing the web on the hotel Wi-Fi, a website appeared to load normally, but behind the scenes, malicious code was injected into the page. I didn’t notice anything unusual at the time. If I had installed some security tools, I could have detected these issues, but unfortunately, I did not.

Websites routinely ask your wallet to sign an operation. Phantom pops up a window where you can approve or reject it. Normally, you trust the website and your browser and sign with confidence. That day, I shouldn’t have.

While I was performing a token swap on @JupiterExchange, malicious code triggered a wallet request that replaced my normal swap operation. I could have noticed it was malicious by carefully checking the transaction details, but since I was already executing a swap on Jupiter, I had no suspicion.

That day, I did not sign any transaction transferring funds, only an authorization. This is exactly why my assets were stolen a few days later.

The malicious code did not directly ask me to send SOL (Solana), as that would be too obvious. Instead, it requested me to “authorize access,” “approve account,” or “confirm session.” In simple terms, I actually granted permission for another address to operate on my behalf.

I approved it because I mistakenly thought it was related to my operation on Jupiter. At that moment, the Phantom wallet pop-up looked very technical, with no amounts displayed and no prompt for immediate transfer.
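The request described above moves nothing at the moment of signing; it hands another address the right to move funds later. On Solana that is what an SPL Token `Approve` (delegation) or `SetAuthority` (owner change) instruction does, and both look “technical” in a wallet pop-up because no amount is transferred. The following is an added example, not code from the original post nor from Phantom or Jupiter: a pre-signing check that decodes a transaction’s instructions and blocks the ones that grant control without moving funds, while letting an ordinary transfer through. The two program IDs are the real on-chain SPL Token and System program addresses; the sample transactions, account labels, the DEX program placeholder and the attacker key bytes are constructed for this example.

```javascript
// Added example (not from the original post, Phantom or Jupiter): decode a
// Solana transaction's instructions before signing and flag the ones that
// grant another address control of funds without moving anything now.
// Program IDs are the real on-chain ones; transactions, account labels and the
// attacker key bytes below are constructed for this example.

const SPL_TOKEN = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const U64_MAX = (1n << 64n) - 1n;

// SPL Token instruction tag = first byte of the instruction data.
const TOKEN_TAGS = { 3: "Transfer", 4: "Approve", 5: "Revoke", 6: "SetAuthority",
                     9: "CloseAccount", 12: "TransferChecked", 13: "ApproveChecked" };
// SetAuthority's authority_type byte.
const AUTHORITY_TYPES = { 0: "MintTokens", 1: "FreezeAccount", 2: "AccountOwner", 3: "CloseAccount" };
// System program discriminant = first four bytes (u32 little-endian).
const SYSTEM_TAGS = { 1: "Assign", 2: "Transfer" };

const readU64 = (d, off) =>
  Array.from({ length: 8 }, (_, i) => BigInt(d[off + i]) << BigInt(8 * i)).reduce((a, b) => a | b, 0n);
const hex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Turn one raw instruction {programId, accounts, data} into a readable record.
// Account positions follow the SPL Token / System program account layouts.
function decodeInstruction(ix) {
  const d = ix.data, a = ix.accounts;
  if (ix.programId === SPL_TOKEN) {
    const name = TOKEN_TAGS[d[0]] || `Token#${d[0]}`;
    switch (d[0]) {
      case 3:  return { name, amount: readU64(d, 1), from: a[0], to: a[1] };            // [source, dest, owner]
      case 12: return { name, amount: readU64(d, 1), from: a[0], to: a[2] };            // [source, mint, dest, owner]
      case 4:  return { name, amount: readU64(d, 1), account: a[0], delegate: a[1] };   // [source, delegate, owner]
      case 13: return { name, amount: readU64(d, 1), account: a[0], delegate: a[2] };   // [source, mint, delegate, owner]
      case 6:  return { name, account: a[0], authorityType: AUTHORITY_TYPES[d[1]] || `type#${d[1]}`,
                        newAuthority: d[2] === 1 ? hex(d.subarray(3, 35)) : null };      // COption<Pubkey>: flag + 32 bytes
      case 9:  return { name, account: a[0], rentTo: a[1] };                              // [account, dest, owner]
      default: return { name };
    }
  }
  if (ix.programId === SYSTEM_PROGRAM) {
    const tag = d[0] | (d[1] << 8) | (d[2] << 16) | (d[3] << 24);
    const name = SYSTEM_TAGS[tag] || `System#${tag}`;
    if (tag === 1) return { name, account: a[0], newOwnerProgram: hex(d.subarray(4, 36)) };
    if (tag === 2) return { name, lamports: readU64(d, 4), from: a[0], to: a[1] };
    return { name };
  }
  return { name: `Unknown program ${ix.programId}` };
}

// Rate a decoded instruction. "high" = gives someone else control of the
// account or its balance for later use, the pattern described in the post.
function rateInstruction(rec, trustedDelegates) {
  switch (rec.name) {
    case "Approve":
    case "ApproveChecked": {
      const unlimited = rec.amount === U64_MAX;
      const trusted = trustedDelegates.has(rec.delegate);
      return { severity: trusted && !unlimited ? "medium" : "high",
               why: `delegates ${unlimited ? "UNLIMITED" : rec.amount} of ${rec.account} to ${rec.delegate}` };
    }
    case "SetAuthority":
      return { severity: "high", why: `changes ${rec.authorityType} authority of ${rec.account} to ${rec.newAuthority}` };
    case "Assign":
      return { severity: "high", why: `hands ${rec.account} to program ${rec.newOwnerProgram}` };
    case "CloseAccount":
      return { severity: "medium", why: `closes ${rec.account}, rent goes to ${rec.rentTo}` };
    case "Transfer":
    case "TransferChecked":
      return { severity: "info", why: `moves ${rec.amount ?? rec.lamports} from ${rec.from} to ${rec.to}` };
    default:
      return { severity: "info", why: rec.name };
  }
}

// Review a whole transaction; block if anything is rated high.
function reviewTransaction(tx, trustedDelegates = new Set()) {
  const findings = tx.instructions.map((ix) => {
    const rec = decodeInstruction(ix);
    return { ...rec, ...rateInstruction(rec, trustedDelegates) };
  });
  return { findings, shouldBlock: findings.some((f) => f.severity === "high") };
}

// --- constructed sample transactions (not real on-chain data) ---
const le64 = (n) => Uint8Array.from({ length: 8 }, (_, i) => Number((n >> BigInt(8 * i)) & 0xffn));
const cat = (...parts) => Uint8Array.from(parts.flatMap((p) => Array.from(p)));
const attackerKey = new Uint8Array(32).fill(0xab); // placeholder 32-byte pubkey, not a real address

const legitSwapTx = { instructions: [
  // placeholder id for the DEX program; the checker treats unknown programs as "review", not "block"
  { programId: "DexProgramPlaceholder11111111111111111111111", accounts: ["userUSDC", "poolUSDC", "user"], data: Uint8Array.of(0x01) },
  { programId: SPL_TOKEN, accounts: ["userUSDC", "poolUSDC", "user"], data: cat([3], le64(1_000_000n)) },
]};
const injectedTx = { instructions: [
  // "approve account": unlimited delegation of the user's token account to the attacker
  { programId: SPL_TOKEN, accounts: ["userUSDC", "attackerDelegate", "user"], data: cat([4], le64(U64_MAX)) },
  // "confirm session": make the attacker the owner of the token account outright
  { programId: SPL_TOKEN, accounts: ["userUSDC", "user"], data: cat([6, 2, 1], attackerKey) },
]};

for (const [label, tx] of [["legit swap", legitSwapTx], ["injected request", injectedTx]]) {
  const r = reviewTransaction(tx);
  console.log(`${label}: ${r.shouldBlock ? "BLOCK" : "ok"}`);
  r.findings.forEach((f) => console.log(`  [${f.severity}] ${f.name}: ${f.why}`));
}
```

The design choice worth noting: the checker rates by what an instruction does to your account, not by which site opened the pop-up, because the site is exactly the part an injected script controls. Unlimited delegation (`u64::MAX`) and any owner or authority change are blocked outright; a bounded delegation to an address you have explicitly allow-listed is only a warning, which is how a router contract you use on purpose can still work.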

And that was exactly what the attacker needed. He patiently waited until I left the hotel to start his actions. He transferred my SOL, withdrew my tokens, and moved my NFTs to another address.

I never thought such a thing would happen to me. Fortunately, this was not my main wallet but a hot wallet used for specific operations, not for long-term asset holding. But even so, I made many mistakes, and I believe I am mainly responsible.

First, I should never have connected to the hotel’s public Wi-Fi. I should have used my phone’s hotspot instead.

My second mistake was discussing cryptocurrency in the hotel’s public area, allowing many people to overhear our conversation. My father once warned me never to let others know I was involved in crypto. Fortunately nothing worse happened this time; some people have been kidnapped, or worse, because of their crypto assets.

Another mistake was approving the wallet request without paying full attention. Because I was convinced it came from Jupiter, I didn’t analyze it carefully. Every wallet request deserves scrutiny, even one that appears while you are using a trusted application: the request that reaches the wallet may have been injected by something other than the application you think you are talking to, and the only reliable record of what you are about to authorize is the transaction the wallet shows you, not the site that triggered it.

In the end, I lost about $5,000 from a secondary wallet. Although it’s not the worst case, it’s still very frustrating.
