After connecting to the hotel public WiFi, my wallet was robbed.

A cryptocurrency professional stayed at a luxury hotel to celebrate the holidays but was hacked through a man-in-the-middle attack after connecting to public WiFi and discussing cryptocurrencies in a public setting, resulting in a loss of $5,000.

Table of Contents

  • Man-in-the-middle attack on public WiFi
  • Impersonating legitimate authorization requests
  • Signing not a transfer transaction, but an access permission
  • My mistakes and lessons learned

“I shouldn’t have connected to the hotel’s public WiFi; I should have used my phone hotspot.”

A few days ago, I stayed at a luxury hotel with my family for three days to celebrate the year-end holiday. But just the day after checking out, my cryptocurrency wallet was looted. I was completely clueless—I hadn’t clicked any phishing links, nor had I signed any malicious transactions.

I spent hours investigating and even hired experts to help, finally figuring out the entire theft process. It all started with the hotel’s public WiFi, a brief phone call, and a series of foolish mistakes I made.

Like most crypto enthusiasts, even while staying with family at a hotel, I carried my laptop with me, thinking I’d find time to handle some work. My wife repeatedly told me to completely disconnect from work during these three days. Looking back, I really should have listened to her.

So, like others, I connected to the hotel’s public WiFi. This network requires no password—just a forced authentication portal to access.

I handled work as usual, avoiding risky operations: I didn’t create new wallets, didn’t click on unfamiliar links, and didn’t use suspicious decentralized apps (dApps). I was just browsing social platforms like X, checking wallet balances, and visiting Discord and Telegram.

At that moment, I received a call from a friend in the crypto industry. We discussed market trends, Bitcoin, and some recent developments in the crypto world.

But I never expected that someone nearby was eavesdropping on our conversation and immediately realized I was a crypto professional. That was my first mistake. The person not only identified that I was using Phantom wallet but also deduced I held a significant amount of tokens.

And because of that, I became his target.

Man-in-the-middle attack on public WiFi

On a public WiFi network, all devices share the same network. Devices are far more visible to each other than you might think, and users are not truly isolated from one another. This creates an opportunity for hackers to launch man-in-the-middle attacks. In such an attack, the hacker sits between you and the internet, like someone secretly opening, reading or tampering with your mail before it reaches you.

While browsing websites on the hotel WiFi, a site appeared to load normally but secretly had malicious code embedded. I was completely unaware at the time. If I had installed some security tools beforehand, I might have detected the anomaly, but I didn’t.

Impersonating legitimate authorization requests

Normally, some websites ask users to sign certain content with their wallets. The Phantom wallet pops up a prompt window for the user to approve or reject. Usually, users trust the website and browser and simply confirm authorization. But that day, I really shouldn’t have done that.

I was in the process of swapping tokens on the decentralized exchange Jupiter Exchange, and malicious code took the opportunity to tamper with the process, popping up a wallet authorization request instead of the original swap command. In fact, I could have noticed this was a malicious request by carefully checking the transaction details, but since I was actively operating on Jupiter, I didn’t suspect anything.

Signing not a transfer transaction, but an access permission

That day, I signed not a transfer of assets but a permission authorization agreement. That’s why my wallet was compromised days later.

The malicious code was clever; it didn’t directly ask me to transfer platform tokens like SOL, which would have been too obvious. Instead, it issued a vague request such as “Authorize access,” “Approve account permissions,” or “Confirm session.”

In essence, I authorized a stranger’s address to operate on my wallet.

I approved this request because I thought it was a normal step required by the Jupiter platform. At that time, the Phantom wallet prompt was full of technical jargon, with no indication of any transfer amount or that it was an immediate transaction.

By then, the hacker had all the conditions needed to steal my assets. They waited until I left the hotel before transferring my SOL, various tokens, and all my NFTs.
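The account above does not say which instruction was actually signed. As an added example (not from the original post, and not Phantom's or Jupiter's code), the check below assumes the grant took the form of an SPL Token delegate approval, an SPL Token authority change, or a System Program assign, and flags those in an already-decoded instruction list before signing. The input shape and the account labels are constructed for illustration.

```javascript
// Added example: flag instructions that grant standing authority over an account.
// The {programId, accounts, data} input shape is a hypothetical decoded form.
const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const U64_MAX = 0xffffffffffffffffn;

function reviewInstruction(ix) {
  const data = Buffer.from(ix.data);
  if (ix.programId === TOKEN_PROGRAM && data.length >= 1) {
    const tag = data[0];
    if ((tag === 4 || tag === 13) && data.length >= 9) {
      // Approve (4) / ApproveChecked (13): a u64 little-endian allowance follows.
      const amount = data.readBigUInt64LE(1);
      // Delegate is account 1 for Approve, account 2 for ApproveChecked.
      const grantee = ix.accounts[tag === 4 ? 1 : 2];
      return { risk: "delegate-approval", grantee,
               unlimited: amount === U64_MAX, amount: amount.toString() };
    }
    if (tag === 6 && data.length >= 2) {
      // SetAuthority (6): byte 1 is the authority type, 2 = AccountOwner.
      return { risk: "authority-change", ownerTransfer: data[1] === 2 };
    }
  }
  if (ix.programId === SYSTEM_PROGRAM && data.length >= 4 &&
      data.readUInt32LE(0) === 1) {
    // System Assign (index 1) hands the account to a different owner program.
    return { risk: "account-reassign" };
  }
  return null; // not an authority grant; transfers still need their own review
}
function reviewTransaction(instructions) {
  return instructions.map(reviewInstruction).filter(Boolean);
}

// Constructed sample: a small transfer bundled with an unlimited delegate approval.
function sampleTransaction() {
  const transfer = Buffer.alloc(9);
  transfer[0] = 3; // Transfer
  transfer.writeBigUInt64LE(1000n, 1);
  const approve = Buffer.alloc(9);
  approve[0] = 4; // Approve
  approve.writeBigUInt64LE(U64_MAX, 1);
  const accounts = (second) => ["SrcTokenAcct", second, "OwnerWallet"];
  return [
    { programId: TOKEN_PROGRAM, data: transfer, accounts: accounts("DstTokenAcct") },
    { programId: TOKEN_PROGRAM, data: approve, accounts: accounts("UnknownDelegate") },
  ];
}
console.log(reviewTransaction(sampleTransaction()));
```

Any finding means the signature grants ongoing control rather than a one-time movement of funds, so the grantee address should be checked against the application actually in use before approving.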

My mistakes and lessons learned

I never thought this would happen to me. Fortunately, this wallet was not my main wallet, just a hot wallet used for daily operations, not for long-term holding. Still, I made many mistakes, and I take full responsibility.

First, I shouldn’t have connected to the hotel’s public WiFi; I should have used my phone’s mobile hotspot instead.

Second, I was too relaxed—discussing cryptocurrencies openly in a public place like a hotel without considering someone nearby might overhear. My father has always warned me never to let outsiders know I’m involved in crypto. The consequences could have been much worse; in reality, some people have been kidnapped or even murdered over crypto holdings.

Another critical mistake was approving that wallet authorization request without carefully verifying it. Because I believed it was a normal Jupiter platform operation, I didn’t analyze its details thoroughly. A reminder to everyone: no matter what application you’re using, always scrutinize any wallet authorization request carefully. These requests can be intercepted and tampered with by hackers, and the initiator may not be the application you think it is.

Finally, my wallet lost about $5,000. Although it could have been worse, this incident still frustrates me greatly.
