Highlights:
- A user has lost funds after buying a tampered cold wallet through Douyin.
- Investigators linked the stolen crypto to Huiwang, a dark web network that remains active under new domain names.
- SlowMist warned that discounted cold wallets often contain malware and advised users to buy only from trusted sources.
Blockchain security firm SlowMist has confirmed that a crypto user has been defrauded of $6.5 million after buying a cold wallet on Douyin. The wallet appeared to be new and factory sealed. However, attackers had already compromised its private key. Hours after the user transferred funds into the wallet, attackers stole the entire amount.
🚨 Last night, we received an emergency report: a user lost $6.5M worth of crypto from a cold wallet.
The wallet was bought via Douyin (TikTok China), but the private key was compromised at creation — and funds were drained within hours.
⚠️ Cold wallet ≠ Safe
Avoid “Factory… https://t.co/YDV4EgxD3a
— SlowMist (@SlowMist_Team) June 14, 2025
The case mirrors a 2023 incident involving a Trezor Model T wallet. Attackers flawlessly sealed that wallet and loaded it with modified firmware and predetermined recovery phrases. After weeks went by, the victim lost his money without suspecting the tampering.
An X user, a good friend of the victim, gave details regarding the incident. According to his account, the victim had bought the wallet using the e-commerce functionality of Douyin, the Chinese version of TikTok. The seller offered a price cut and advertised the device as factory sealed. Assuming that it was authentic, the user sent cryptocurrencies to the wallet. Shortly afterward, the victim lost the crypto.
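Nearly 50 million gone overnight! All because of buying a “cold wallet” on Douyin? A lesson paid for in blood! 🔥
A late-night phone call made my hair stand on end! 😱 A very close friend has just been through the darkest moment of his life: the cryptocurrency he held, worth nearly 50 million RMB, was stolen in its entirety! …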
— Hella | 海拉|神奇女侠👑 (@hella1413) June 14, 2025
Hella described the device as a “carefully designed hot trap.” The attackers had access to the private key from the beginning. Once the user activated the wallet, they moved the funds quickly. The listing that offered the wallet had no clear signs of fraud, making it difficult to detect.
Investigators Trace Laundering Path to Huiwang’s Dark Web Network
SlowMist, a blockchain security firm that offers cybersecurity audits, worked to trace the stolen funds after the theft. The attackers laundered the money using an existing network controlled by Huiwang, or the Huione Group. Authorities have also linked the group with Haowang Guarantee, a darknet marketplace. The network still operates under new names despite reports that authorities had shut it down. Chainalysis data indicate that its volumes have increased even though Huiwang was flagged over money laundering concerns.
The laundering route allowed the attackers to hide the stolen funds quickly. With multiple layers in place, tracing each transaction became harder over time. The group behind the network uses Telegram to manage operations. This platform helps them remain hidden while conducting illegal transactions.
SlowMist Urges Caution as Cold Wallet Scams Multiply
SlowMist’s chief information security officer, known as 23pds on X, warned users to avoid cheap cold wallets from unofficial sellers. He stated that choosing a low-cost option may result in huge losses. Scammers often load these wallets with built-in malware or saved recovery phrases. Attackers often employ this tactic to drain funds once the user activates the tampered device.
He added that such cold wallet scams are hard to prevent. Many devices are shipped by third-party sellers who may not know they are part of a larger scheme. He reminded users to buy wallets from verified sources. He emphasized that many online sellers offer unsafe wallets despite making them look genuine.