It is helpful to provide some background on the existing ways an attacker may create a malicious signing device. We place each attack in a taxonomy around which component of the signing algorithm it focuses on.
Recall that a Schnorr signature with secret key $x$, public key $X = x \cdot G$ on a $\text{message}$ is computed with the following steps:
A malicious signing device outputs a predetermined seed phrase in wallet generation. This is easy to pull off and is hard or impossible to detect. Prior to Dark Skippy we speculate this is likely the most attractive attack and indeed it has been seen in the wild. Users can mitigate this attack by providing their own securely generated seed phrase.
Even when provided with a securely generated seed phrase, a malicious signer could lie about the public keys belonging to that wallet usually by providing a malicious xpub that does not correspond to the secret seed. The user will then give out the attacker's addresses when receiving funds rather than those derived from their own seed phrase. This attack can be detected by using an independent device to verify the conversion from secret seed to public keys.
A malicious signer can use a predetermined nonce during signing, allowing an attacker to algebraically solve for the secret key. Since Bitcoin signers generally use derived secret keys, this only allows the attacker to extract individual private keys when funds are being spent; meaning the attacker can only steal these funds in-flight via Replace-By-Fee (RBF). This attack can be mitigated using 'anti-exfil' signing protocols.
A malicious signer can exfiltrate a master secret by grinding bits into public nonces used in signing. By piecing together enough bits from the user's public nonces, the attacker can recover the master secret seed. This attack is difficult to pull off due to the computation required to grind enough bits, as well as the challenge of identifying a number of affected signatures in order. This attack can be mitigated by using an anti-exfil signing protocol.
A malicious signer can exfiltrate a master secret by encoding the secret key into low entropy secret nonces and uses them in signing. The attacker can use an algorithm like Pollard's Kangaroo algorithm to invert the public nonces in order to extract the data. By piecing together just a few solved secret nonces, the attacker can recover the master secret seed.
In contrast to predetermined nonce attacks, with Dark Skippy the remote attacker does not know $r$ but $r$ is small enough that it can solved from $R$ using algorithms like Pollard's Kangaroo algorithm. This acts as a supercharged version of nonce grinding attacks. Nonce grinding takes exponential work ($2^n$) to embed $n$ bits of data while extraction is fast. In Dark Skippy, embedding data is fast and extraction takes $2^{(n/2)}$ work. So Dark Skippy is overall a quadratic speed up and the attacker is not limited by the computational power of the signing device.
Note that each of these attacks can be carried out against ECDSA also.