I am posting this as an urgent warning to all Fearless Wallet users and to the Polkadot team.
My 260.05 DOT was stolen three days ago immediately following a recent update prompted by the Fearless Wallet application itself. This is not a case of a lost seed phrase or user error.
CRITICAL EVIDENCE OF SOFTWARE EXPLOIT:
Seed Phrase Intact: My 12-word seed phrase remains securely stored and has never been entered on any external site.
Automated Theft Confirmed by Timestamps: The stolen funds were moved to an attacker’s transit address, which immediately split and transferred the funds out. The outgoing transfers occurred with intervals of only 18 and 36 seconds:
Incoming fund: 260.05 DOT arrived at 13:37:24.
Outgoing split (Transaction 1): 50 DOT left at 13:39:48.
Outgoing split (Transaction 2): 50 DOT left at 13:40:06 (an interval of just 18 seconds).
Outgoing split (Transaction 3): 80 DOT left at 13:45:30.
Outgoing split (Transaction 4): 79.98 DOT left at 13:46:06 (an interval of just 36 seconds).
This technical precision is definitive proof of an automated bot exploiting a vulnerability in the application’s code or update mechanism.
ZERO ACCOUNTABILITY AND CALL TO POLKADOT
The complete lack of support is unacceptable. I submitted a detailed report with irrefutable technical evidence (proving the bot exploit) to the official developer email (fearless@soramitsu.co.jp). My claim has been met with zero response. Furthermore, the official Fearless Wallet Telegram channel appears inaccessible, suggesting a complete failure of the user support system.
This situation is particularly alarming because Fearless Wallet holds an official recommendation from Polkadot. If an officially recommended wallet demonstrates such a critical security flaw (proven by bot timing) and provides absolutely no support or accountability to users who lost funds, it reflects poorly on the entire Polkadot ecosystem’s commitment to security.
I am urging the Polkadot team to publicly address this issue, suspend its official recommendation of Fearless Wallet, and explain what steps will be taken to protect the community from this failed project.
COMPROMISED ADDRESSES (for verification):
My Compromised Source: 16PkJ21BDkv63RnkHEJER9FKyUbnBQmQWjQprtmnQfGk2sJj
That sucks. Your coins are gone, and I think there’s basically zero chance you’ll get them back.
Unfortunately, this isn’t an isolated incident. The Web3 Foundation and/or Polkadot treasury has funded several teams of questionable reputation, which has led to people losing money—whether due to incompetence, negligence, or outright fraud.
Some examples:
Acala – suffered three “hacks” and has even been accused of theft.
Parallel Finance – a “government hack” led to stolen funds, plus there are sketchy reports of GLMR being printed.
Equilibrium – some user funds are still stuck there and lost forever.
Sora, the team behind the Fearless Wallet, doesn’t exactly have a great reputation either.
I’ve seen more and more people on Twitter calling Polkadot itself a scam—at least the ones who aren’t being paid by the treasury.
Thank you for laying out the larger context. I fully agree.
It’s extremely disappointing that Polkadot’s official recommendations, often funded by the Treasury, lead to these kinds of critical security failures. My loss is a symptom of exactly the negligence you describe.
While I appreciate your realism about the chances of refund, I refuse to let this go undocumented: My case is unique because it provides irrefutable technical proof of a software exploit.
My seed phrase is secure.
The 260.05 DOT was stolen by an automated bot (confirmed by the 18- and 36-second transaction intervals).
Polkadot must now step up and address this. The ecosystem cannot afford another failure where a recommended project (Fearless Wallet) is proven to have a critical vulnerability and zero support.
I am using this technical proof to demand a full investigation and refund from the Polkadot Support and Anti-Scam teams. If they truly care about their reputation after these repeated incidents, they have to fix proven, documented security failures like this.
As noted elsewhere, no app vulnerability has been confirmed. Polkadot Support is looking into it after it was reported this morning, but there have been no other reports of this type with Fearless Wallet.
There were hundreds if not thousands of hacks/rugs on Ethereum.
It’s not because a couple had bugs/issues/hacks that the ecosystem as a whole is a scam.
You’re just spreading useless fud here.
Polkadot is a permissionless network, like Ethereum.
The underlying network is not responsible for bugs or lack of user education.
Acala: their bug was a surprise for everyone
Parallel Finance: many red flags were raised by the community but people kept using their protocol
Fearless wallet: many concerns if not red flags were raised by the community about SORA team. Why are people still using Fearless??
Equilibrium: they had many management issues over time, resulting in their chain being halted. In their defense, they paid back users from their stuck assets (at least for the crowdloaners DOT).
It’s crypto, you are responsible for your own actions. Pay attention to red flags.
For this case, I prefer Bill’s approach to analyse the situation and then only draw conclusions.
Barely any users use Fearless. “Ecosystem wallets” are definitely only 3 (except the airgapped or cold wallets):
Why do I “spread FUD”?
Because it’s not FUD—it’s my personal experience.
I’ve used Ethereum since 2018 (and later its L2s). I also use Solana.
Not once have I fallen victim to a bug, hack, or scam on either chain.
Unfortunately, I can’t say the same about Polkadot.
Maybe I’m just unlucky. Or maybe there are simply more bugs, hacks, and scams in this ecosystem.
So, why do I “spread FUD” again?
Well—why does the Polkadot treasury fund an entire army of Twitter shills to drown out the unpaid critics?
Because those so-called “FUDders” are just reflecting the actual sentiment of many users.
As for Acala—take your pick.
Which bug, hack, lie, or case of vanishing treasury funds are you specifically referring to?
And yes, I believe no one should recommend any product involving members of the Sora team.
I agree with @danilty: Polkadot bears some responsibility for the tools it funds and promotes.
You’re completely wrong here… It’s not because this or that received funds from OpenGov that Polkadot bears any responsibility.
Is Polkadot responsible for any project that could have received funds years ago?
Is Eth foundation responsible for the failure of all the supported projects? Or Gitcoin? Or W3F for the grants given to any project even years after?
Projects live their life, they can fail for various reasons.
Not sure you understand how open source projects work, or web3 in general.
Drawing a responsibility line between any funded projects and OpenGov is really questionable, that is just not how OpenGov works from the very beginning.
To facilitate your forensic investigation and resolve this issue efficiently, I propose the following:
Required Action (Forensics): I grant the Web3 Foundation and Polkadot Support teams full permission to use my compromised Fearless Wallet address (16PkJ2…sJj) for active network tracing and investigation of the hacker network.
Exclusion: I request that my verified, personal exchange address (16Ng6G…HV6Y) be excluded from the active forensic analysis, as it is solely a receiving account under my control and is not part of the exploit.
Compensation: I formally request reimbursement for the original stolen amount of 260.05 DOT, minus any funds that have been recently returned to my exchange address (18 DOT from the recent illicit activity).
My goal is not personal gain but accountability and system security. I have provided irrefutable evidence of a software exploit, which is now actively being used. By accepting this proposal, Polkadot can simultaneously address a security failure, mitigate community risk, and pursue the malicious actors.
Could be any number of things without more clarification?
I primarily use Nova and haven’t had a single hiccup besides this migration to Asset Hub and being unable to see my staking dashboard, on the app or on the cloud, prompting unbonding.
If you got drained, I’d recommend opening a new wallet, not on Fearless.
If your address has been compromised, it could be your phone, PC, email, SIM card, an open smart contract, not ending smart contracts regularly, phishing, clicking a suspicious link, getting help from “admin” in DMs (which is always a scam), using the web browser in the app to potentially compromised websites, forgetting to disconnect your wallet on x website, keyloggers. The list goes on.
For reference, I never conduct any transactions on a PC, EVER, without using a cold wallet or Metamask, unless directly linked on Polkadot.js. PCs are extremely vulnerable to malware and it’s very easy to get phished.