Users of the MetaMask non-custodial crypto wallet lost more than $10.5 million due to an unknown exploit.
For the past 48hrs I’ve been unwinding a massive wallet draining operation
I don’t know how big it is but since Dec 2022 it’s drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.
Its rekt my friends & OGs who are reasonably secure.
No one knows how. pic.twitter.com/MafntG7RkP
— Tay
MetaMask developer Taylor Monahan reported that since December 2022, thanks to a bug, the attacker withdrew more than 5,000 ETH and an unknown number of tokens from 11 different blockchains.
Monahan says no one on the team knows how the exploit works, so it’s impossible to determine the exact amount of damage.
According to the investigation, the attacker targets addresses that were created between 2014 and 2022.
As a rule, a few hours after the first hack, the hacker returns to withdraw the remaining assets, while simultaneously exchanging tokens for Ethereum. About a week later, the attacker converts the stolen funds into bitcoin and sends the coins to the cryptomixer.
Monahan also warned that the exploit does not look like a typical phishing or scam. It is rather aimed at “crypto veterans” who are experienced in protecting their digital assets.
My best guess rn is that someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove.
But that’s just a guess. I *don’t* know.
It is NOT cryptographic/entropy related tho, don’t waste your time.
— Tay
“My most likely guess is that someone got the fat data set over a year ago and started extracting keys methodically as users view them in their wallet. […] This is not related to cryptography or entropy, don’t waste your time,” Monahan said.
For security reasons, the developer advised investors to distribute funds to different addresses and purchase a hardware wallet.
In February, the MetaMask team warned about phishing attacks from fake company addresses.
In March, the wallet developers fixed a privacy bug that occurred when interacting with decentralized applications.
Stay in touch! Subscribe to bitcoinlinux.com at Telegram.
