An unknown hacker has reportedly drained over 5000 ETH in assets, NFTs, and tokens from OG MetaMask wallet addresses since December 2022. This has resulted in a loss of over $10 million in Ether at current prices, according to MetaMask developer Tay Vano’s Twitter thread. The hacker has drained wallets across 11 chains, swapping other cryptocurrencies for Bitcoin and Ether before moving the funds to a centralized swapper. Vano believes that the exploiter most likely laid hands on a cache of private keys generated between 2014-2022.
The wallets that suffered theft all belong to MM OGs, that is, experienced crypto users who generated their private keys or seed phrases between 2014 and 2022. The stolen assets are swapped to ETH using MetaMask’s in-built swap function before the wallet is drained of the crypto; this swapping step is used only when the target address holds a smaller value spread across a basket of tokens. Vano theorizes that the attacker holds a “fatty cache” of data that allows them to methodically steal assets. However, the source of the compromise is still unclear, even after several wallets and devices were analyzed.
The hacker ultimately converts tokens to Bitcoin (BTC) before moving the funds to a centralized swapping platform like FixedFloat, SimpleSwap, SideShift, ChangeNOW, or LetsExchange. The attacker also leverages digital asset tumblers like CryptoMixer. It remains to be seen how or if affected MetaMask users can recover their assets or guard against the ongoing exploit.
The theft has affected only experienced crypto users or OGs, and not ‘noobs’ or new crypto users. It is speculated that the hacker has a cache of private keys generated between 2014 and 2022, which has allowed them to steal assets methodically. The stolen assets are swapped to ETH using MetaMask’s in-built swap function before being drained from the wallet. The attacker ultimately converts tokens to Bitcoin (BTC) before moving the funds to a centralized swapping platform, followed by leveraging digital asset tumblers like CryptoMixer. The source of the compromise is still unclear, and it remains to be seen how affected MetaMask users can recover their assets or guard against the ongoing exploit.