There's reportedly been a nasty bug going around OG crypto holders, affecting arguably the most critical part of Web3 infrastructure: the MetaMask wallet. Over 5,000 ether (ETH) worth about $10.5 million have been stolen from crypto veterans since December, crypto-skeptical news site Protos reported, citing an informal investigation done by MyCrypto founder Taylor Monahan.
It appears that developers at ConsenSys, the private blockchain software firm that's built much of Ethereum's open-source tooling, including the MetaMask wallet and Infura application toolkit, are investigating the exploit, which appears to be "deliberately" targeting people who should know the ins and outs of crypto self-custody and security.
"This is NOT a low-brow phishing site or a random scammer. It has NOT rekt a single noob. It ONLY rekts OGs," Monahan, who goes by "Tay" on Twitter, wrote. The attack is widespread, affecting keys created between 2014 and 2022 across 11 blockchains, according to Tay's preliminary investigation.
I mention this exploit not to spread fear, uncertainty and doubt. As of now, it appears average or occasional users of MetaMask aren't being targeted. But it is a moment to remember a few wallet best practices and to take stock of your holdings. Because of the sophisticated nature of the attack and the pedigree of the victims, the fallout could be severe.
The most important thing now is not only making everyday crypto users feel safe and secure, but ensuring they actually are. I've reached out to several ConsenSys developers for ideas about asset security, and will update the piece on CoinDesk.com if and when they get back.
The unknown attacker(s)
As mentioned, much about the attack and attacker(s) is still unknown, and it's not clear whether this is a coordinated effort by several skilled hackers or the work of someone with inside knowledge of MetaMask's operations.
Monahan suggests the perpetrator may have received a cache of data that is helping him or her gain access to users' private keys or wallet recovery phrases. She added emphatically that the issue is not related to MetaMask's underlying cryptography and is not a social-engineering scam, as with phishing.
However, there are a few commonalities among the victims: Most of the attacks have occurred on the weekend, and the exploiter swapped assets within a victim's wallet for ether (often bypassing staked positions, non-fungible tokens and lesser-known coins), consolidating that ETH and then transferring it out. Often the attacker has gone back hours, days or weeks after an initial attack to sweep remaining funds, Monahan said.
The "theft and post-theft on-chain movement is VERY distinct," Monahan said, hoping to open the doors to identifying the attacker and recovering assets. She added that several "recovery" attempts have been successful so far.
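The on-chain pattern Monahan describes (a burst of swaps into ETH, a single outbound transfer, then later return visits to the same destination) is the kind of behaviour a wallet monitor or forensic script can look for. The following is an added example, not code from the article, MyCrypto or ConsenSys: it runs two simple heuristics over a constructed activity log for one wallet. The event schema, the `0x..._PLACEHOLDER` addresses and the thresholds (a one-hour swap window, two or more swaps, a 60-day follow-up horizon) are assumptions chosen for illustration, not values from the investigation.

```python
from datetime import datetime, timedelta

# Constructed activity log for one wallet (sample data, not real on-chain records).
# Each record is a simplified view of a transaction: swaps convert one asset into
# another inside the wallet; transfers move an asset to/from an external address.
SAMPLE_EVENTS = [
    {"ts": "2023-02-11T02:05:00", "kind": "swap", "asset_in": "UNI", "asset_out": "ETH"},
    {"ts": "2023-02-11T02:06:00", "kind": "swap", "asset_in": "LINK", "asset_out": "ETH"},
    {"ts": "2023-02-11T02:07:00", "kind": "swap", "asset_in": "USDC", "asset_out": "ETH"},
    {"ts": "2023-02-11T02:15:00", "kind": "transfer_out", "asset": "ETH", "to": "0xDEST_PLACEHOLDER"},
    {"ts": "2023-02-14T09:00:00", "kind": "transfer_in", "asset": "ETH", "from": "0xEXCHANGE_PLACEHOLDER"},
    {"ts": "2023-02-18T03:40:00", "kind": "transfer_out", "asset": "ETH", "to": "0xDEST_PLACEHOLDER"},
]


def parse_events(raw):
    """Convert ISO timestamps to datetime objects and sort chronologically."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(parsed, key=lambda e: e["ts"])


def find_sweep_clusters(events, window=timedelta(hours=1), min_swaps=2):
    """Flag outbound ETH transfers that were preceded, within `window`, by a burst
    of swaps converting other assets into ETH (the consolidate-then-exit pattern)."""
    swaps_to_eth = [e for e in events if e["kind"] == "swap" and e["asset_out"] == "ETH"]
    clusters = []
    for e in events:
        if e["kind"] != "transfer_out" or e["asset"] != "ETH":
            continue
        preceding = [s for s in swaps_to_eth if e["ts"] - window <= s["ts"] < e["ts"]]
        if len(preceding) >= min_swaps:
            clusters.append({
                "ts": e["ts"],
                "dest": e["to"],
                "swaps": len(preceding),
                "assets_drained": sorted(s["asset_in"] for s in preceding),
                "weekend": e["ts"].weekday() >= 5,  # Saturday=5, Sunday=6
            })
    return clusters


def find_followup_sweeps(events, dest, after, horizon=timedelta(days=60)):
    """Return later outbound transfers to the same destination: the attacker
    coming back for whatever was left behind or arrived afterwards."""
    return [e for e in events
            if e["kind"] == "transfer_out" and e["to"] == dest
            and after < e["ts"] <= after + horizon]


def analyse(events, known_addresses=frozenset()):
    """Run both heuristics and return a structured report. `known_addresses`
    is the set of counterparties the wallet owner has used before; a sweep to
    a never-before-seen address is a stronger signal."""
    clusters = find_sweep_clusters(events)
    followups = []
    for c in clusters:
        c["dest_previously_seen"] = c["dest"] in known_addresses
        followups.extend(find_followup_sweeps(events, c["dest"], c["ts"]))
    return {"clusters": clusters, "followups": followups}


if __name__ == "__main__":
    report = analyse(parse_events(SAMPLE_EVENTS))
    for c in report["clusters"]:
        print(f"sweep at {c['ts']} -> {c['dest']}: {c['swaps']} swaps into ETH "
              f"({', '.join(c['assets_drained'])}), weekend={c['weekend']}, "
              f"known destination={c['dest_previously_seen']}")
    for f in report["followups"]:
        print(f"follow-up sweep at {f['ts']} -> {f['to']}")
```

On the sample log this reports one consolidation sweep on a Saturday to an unseen address, draining three tokens, and one follow-up transfer to the same address a week later. In practice the input would come from an indexer or block explorer export, and the thresholds would be tuned against the wallet's normal activity; the point is that the behaviour the investigation describes is regular enough to alert on rather than something only a human reviewer would notice.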
ConsenSys hasn't confirmed the attack yet, but Monahan could be said to be speaking for the organization in some capacity. ConsenSys acquired Monahan's startup MyCrypto in February 2022, having already adopted MyCrypto's "scam blocklist" (aka CryptoScamDB) in 2017 to keep MetaMask users from visiting known scam URLs, according to an announcement at the time. So she knows what she's talking about.
Best practices
As for best practices, Monahan wrote in all caps: "PLEASE DON'T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS." If that is mostly useful only in retrospect, she also cautions users to split up their assets, use a hardware wallet and migrate their funds off accounts connected to the internet.
As the nature of the exploit is revealed, it's likely this story will get only bigger. Apparently, many longtime crypto users have been affected over a period of months without much word filtering out into the wider world. As long as crypto continues to have value, wallet users will continue to face such threats. A record $3.8 billion in crypto was stolen last year through scams, hacks and theft, according to Chainalysis' latest accounting.
CoinDesk recently published a list of "Projects to Watch," meaning protocols and companies we feel relatively good about recommending to users. I wrote about the increasingly popular Rainbow wallet, which is spreading mostly by word of mouth, in part because of its easy interface and built-in security features.
Rainbow, like many crypto wallets, has rolled out a series of security features to help protect wallets including pop-up messages that warn users about suspicious addresses they may be interacting with, as well as ID tools to prevent people from sending assets to incorrect or dead addresses. Basic security features like this should be the norm across crypto (to be clear, MetaMask is among the wallets with similar protections).
But it also seems like crypto users and malicious actors will constantly be playing a game of cat and mouse. With every technological product used to protect the uninformed, there is likely a workaround. And if Monahan is correct, even years of hands-on experience are no guarantee you will be safe. There are best practices to follow and pitfalls to avoid – but at this point, scamming is clearly endemic to crypto.
Where does that leave Web3? It's not like banks or fintech apps are immune to hacks or scammers – but users should be able to trust even "trustless" technologies.
– D.K.
daniel@coindesk.com
@danielgkuhn