Hacker Drained OG MetaMask Addresses Of $10.4 Million In ETH Since December 2022
According to the MetaMask builder, the hacker drained over 5000 ETH in tokens and NFTs from addresses across 11 chains. The loot amounts to over $10 million in Ether at current prices. ETH traded above $2100 on Tuesday following the Shapella upgrade that rolled out on April 12.
For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭
I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.
Its rekt my friends & OGs who are reasonably secure.
No one knows how. pic.twitter.com/MafntG7RkP
MetaMask OGs Rekt
According to Tay Vano’s Twitter thread, the wallets that suffered theft shared some commonalities. For starters, they all belong to MM OGs and not ‘noobs’, a term used to refer to new crypto users. Also, all the drained wallets generated their private keys or seed phrases sometime between 2014 and 2022.
The stolen assets are swapped to ETH using MetaMask’s in-built swap function before draining the wallet of the crypto. Notably, this only happens when the target address holds a smaller value and a basket of tokens.
Afaik, no one has determined the source of their compromise.
Multiple devices have been forensic'd. Nothing.
The only known commonalities are:
– Keys were created btwn 2014-2022
– Folks are those who are more crypto native than most (e.g. multiple addresses, work in space, etc)
Vano said that the hacker ultimately converts tokens to Bitcoin (BTC) before moving the funds to a centralized swapping platform like FixedFloat, SimpleSwap, SideShift, ChangeNOW, or LetsExchange. The unknown attacker also leverages digital asset tumblers like CryptoMixer.
Vano theorized that the attacker holds a “fatty cache” of data that allows them to methodically steal assets. The MM developer stressed that the source of the compromise is unclear, even after several wallets and devices were analyzed.
It remains to be seen how or if affected MetaMask users can recover their assets or guard against the ongoing exploit.
My best guess rn is that someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove.
But that's just a guess. I *don't* know.
It is NOT cryptographic/entropy related tho, don't waste your time.
Source: Read Full Article