An alarming, still-unexplained exploit has been draining funds from users of the MetaMask wallet, which is considered one of the most critical parts of Web3 infrastructure. According to a report by Protos, a crypto-skeptical news site, over 5,000 ETH, worth approximately $10.5 million, have been stolen from crypto veterans since December. MyCrypto founder Taylor Monahan conducted an informal investigation and found that the exploit is “deliberately” targeting people who should know the ins and outs of crypto self-custody and security. Developers at ConsenSys, the private blockchain software company that built much of Ethereum’s open-source tooling, including the MetaMask wallet and the Infura developer platform, are investigating the issue.
“This is NOT a low-brow phishing site or a random scammer. It has NOT rekt a single noob. It ONLY rekts OGs,” said Monahan. The attack is widespread, affecting keys created between 2014 and 2022 across 11 blockchains, according to Monahan’s preliminary investigation. Monahan suggests that the perpetrator may have obtained a cache of data that is helping them access users’ private keys or wallet recovery phrases. She added emphatically that the issue is not a flaw in MetaMask’s underlying cryptography, nor a social-engineering scam such as phishing.
Most of the attacks have occurred on weekends. The exploiter swaps assets inside a victim’s wallet for ETH, typically leaving staked positions, non-fungible tokens and lesser-known coins untouched, consolidates the ETH and then transfers it out, often returning hours, days or weeks after the initial attack to sweep remaining funds. The “theft and post-theft on-chain movement is VERY distinct,” Monahan said, which she hopes will help identify the attacker and recover assets. Several “recovery” attempts have already been successful.
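The movement pattern Monahan describes (a burst of token-to-ETH swaps inside the victim’s wallet, a single ETH outflow to an address the wallet has never paid before, then a return visit to that same address hours or days later) is specific enough to turn into a monitoring heuristic. The following is an added example, not code from CoinDesk, ConsenSys or Monahan; the transaction schema, the thresholds, the addresses and the sample transactions are all constructed for illustration and would need to be fed from a real indexer or node in practice.

```python
"""Heuristic detector for the consolidate-and-drain pattern described above.

Added example, not CoinDesk's, ConsenSys's or Monahan's code. The Tx schema,
thresholds, addresses and sample transactions below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ETH = "ETH"


@dataclass(frozen=True)
class Tx:
    ts: datetime        # block timestamp, UTC
    wallet: str         # the wallet being monitored
    kind: str           # "swap" (token -> token inside the wallet) or "out" (transfer leaving it)
    asset: str          # asset sold (swap) or sent (out)
    received: str = ""  # asset bought, swaps only
    to: str = ""        # destination address, outgoing transfers only


def is_weekend(ts: datetime) -> bool:
    return ts.weekday() >= 5  # Saturday = 5, Sunday = 6


def find_drains(txs, min_swaps=2, drain_window=timedelta(hours=6),
                revisit_gap=timedelta(hours=12)):
    """Return {wallet: [findings]}.

    A "drain" is at least min_swaps token->ETH swaps inside drain_window followed by
    ETH leaving the wallet to an address it never paid before. A later ETH outflow to
    that same address, revisit_gap or more after the drain, is reported as a "sweep".
    """
    by_wallet = defaultdict(list)
    for tx in txs:
        by_wallet[tx.wallet].append(tx)

    findings = {}
    for wallet, events in by_wallet.items():
        events.sort(key=lambda t: t.ts)
        swap_times = []      # timestamps of token -> ETH swaps seen so far
        paid_before = set()  # addresses this wallet had sent anything to before now
        drains = []          # (timestamp, destination) of drains already flagged
        hits = []
        for tx in events:
            if tx.kind == "swap" and tx.received == ETH and tx.asset != ETH:
                swap_times.append(tx.ts)
                continue
            if tx.kind != "out":
                continue
            if tx.asset == ETH:
                recent = [t for t in swap_times if tx.ts - drain_window <= t <= tx.ts]
                if len(recent) >= min_swaps and tx.to not in paid_before:
                    hits.append({"type": "drain", "ts": tx.ts, "to": tx.to,
                                 "swaps": len(recent), "weekend": is_weekend(tx.ts)})
                    drains.append((tx.ts, tx.to))
                else:
                    for drain_ts, drain_to in drains:
                        if tx.to == drain_to and tx.ts - drain_ts >= revisit_gap:
                            hits.append({"type": "sweep", "ts": tx.ts, "to": tx.to,
                                         "after": tx.ts - drain_ts,
                                         "weekend": is_weekend(tx.ts)})
                            break
            paid_before.add(tx.to)
        if hits:
            findings[wallet] = hits
    return findings


def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample: one victim drained on a Saturday and swept on the following
# Monday, plus a benign wallet that does a single swap before an exchange deposit.
SAMPLE_TXS = [
    Tx(_utc(2022, 12, 20, 15, 0), "0xVICTIM", "out", ETH, to="0xFRIEND"),
    Tx(_utc(2023, 1, 14, 2, 5), "0xVICTIM", "swap", "USDC", received=ETH),
    Tx(_utc(2023, 1, 14, 2, 9), "0xVICTIM", "swap", "LINK", received=ETH),
    Tx(_utc(2023, 1, 14, 2, 12), "0xVICTIM", "swap", "WBTC", received=ETH),
    Tx(_utc(2023, 1, 14, 2, 30), "0xVICTIM", "out", ETH, to="0xDRAIN"),
    Tx(_utc(2023, 1, 16, 9, 0), "0xVICTIM", "out", ETH, to="0xDRAIN"),
    Tx(_utc(2023, 1, 14, 11, 0), "0xBENIGN", "swap", "USDC", received=ETH),
    Tx(_utc(2023, 1, 14, 11, 20), "0xBENIGN", "out", ETH, to="0xEXCHANGE"),
]

if __name__ == "__main__":
    for wallet, hits in find_drains(SAMPLE_TXS).items():
        for h in hits:
            print(wallet, h)
```

The heuristic deliberately keys on "a fresh destination the wallet never paid" and on the return visit, because a burst of swaps followed by an ETH transfer is also what a legitimate user does before an exchange deposit. The other traits Monahan lists, staked positions and obscure tokens left untouched, need balance data rather than a transfer stream and are not modelled here.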
ConsenSys has not yet confirmed the attack, but Monahan could be said to speak for the organization in some capacity. ConsenSys acquired Monahan’s startup MyCrypto in February 2022, and MetaMask had already adopted MyCrypto’s “scam blocklist” (aka CryptoScamDB), which keeps MetaMask users from visiting known scam URLs, back in 2017, according to an announcement at the time. Monahan knows what she’s talking about.
It appears that average or occasional users of MetaMask are not being targeted. However, because of the sophisticated nature of the attack and the pedigree of the victims, the fallout could be severe. It is essential to remember a few wallet best practices and to take stock of your holdings: split up your assets, use a hardware wallet and move funds off accounts that are connected to the internet. As more about the exploit comes out, this story will likely only get bigger. Apparently, many long-time crypto users have been affected over a period of months without much word filtering out to the wider world. As long as crypto continues to have value, wallet users will continue to face such threats.
Chainalysis’ latest accounting reported that a record $3.8 billion in crypto was stolen last year through scams, hacks and theft. CoinDesk recently published a list of “Projects to Watch,” meaning protocols and companies we feel relatively good about recommending to users. Rainbow wallet, which is spreading mostly by word of mouth, has rolled out a series of security features to help protect wallets, including pop-up messages that warn users about suspicious addresses they are about to interact with, and identity tools that prevent people from sending assets to incorrect or dead addresses.
It is clear that scamming is endemic to crypto, and even years of hands-on experience are no guarantee of safety. There are best practices to follow and pitfalls to avoid, but users should be able to trust even “trustless” technologies.