A thorny problem has surfaced among long-time cryptocurrency holders, and it touches one of the most critical pieces of Web3 infrastructure: MetaMask.
Since December, more than 5,000 ether (ETH), worth about $10.5 million, has been stolen from veteran cryptocurrency holders using a variety of non-custodial wallets.
The crypto-skeptic news site Protos reported this, citing an unofficial investigation by Taylor Monahan, founder of the Ethereum wallet-management tool MyCrypto.
Developers at ConsenSys, the software company behind most of Ethereum’s open-source tooling, including MetaMask and Infura, are investigating the damage. The attackers appear to be “deliberately” targeting people who should know everything about self-custody and the security of crypto assets.
“It’s not vulgar phishing sites or ubiquitous scammers. We haven’t had a single case of bankruptcy for beginners. Only veterans are targeted.” (Monahan)
According to Monahan’s research, the attacks are widespread, affecting private keys created between 2014 and 2022 across at least 11 blockchains. The unexplained vulnerability may affect “any wallet,” not just MetaMask.
The attacks are not mentioned here to spread fear, uncertainty or doubt. They matter because they involve MetaMask, the most popular Web3 portal.
Leaked Recovery Phrase?
So far, MetaMask’s average and occasional users, who make up the majority of cryptocurrency users, do not appear to be targeted.
Still, it is a good time to revisit some wallet best practices and check your holdings. Given the widespread nature of the attack and the fact that the victims are veterans, the impact could be severe.
The most important thing now is not only to make the average cryptocurrency user feel safe, but to actually keep them safe.
A ConsenSys representative confirmed that the targets of the attack were early ETH investors, industry insiders, or at least people active enough to be called “crypto natives.” He also said that the attacks extend far beyond MetaMask, and that the attackers’ “on-chain behavior strongly suggests that private keys have been compromised.”
“What we know so far from the nature of this attack is that users’ secret recovery phrases are likely unintentionally stored and leaked in an insecure manner,” said MetaMask’s security team.
As mentioned above, very little is known about the attack or the attacker. It is not clear whether it was the work of multiple skilled hackers, a single culprit, or several people who found and exploited the same vulnerability independently. Still, Monahan said most of the attacks occurred between 10 a.m. and 1 p.m. UTC, suggesting they were carried out by a single person or group with sensitive information.
Monahan believes the perpetrators may have obtained a cache of data that could be used to recover a user’s private key or wallet recovery phrase. He also emphasized that the issue is not related to the cryptography underlying MetaMask, nor is it a social-engineering scam like phishing.
Still, the attacks have several things in common. Most occurred over the weekend; assets in the victim’s wallet were swapped for ETH and withdrawn in bulk; and the attackers would often come back hours, days or weeks after the initial attack to take whatever remained, Monahan said.
“The stealing and what happens on-chain after stealing is very unique,” said Monahan. We hope this paves the way for identifying the attacker and recovering assets. Monahan added that there have already been several successful “recovery” attempts.
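The on-chain pattern described above (a swap-to-ETH consolidation followed by a near-total withdrawal, clustered in the 10:00–13:00 UTC window, with a later return visit) can be turned into a simple wallet-monitoring heuristic. The following is an added example written for this article, not code from MetaMask, ConsenSys or MyCrypto; the event log is constructed and its field names are assumptions, not the schema of any real indexer.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log for two wallets (not real chain data). Field names
# are assumptions for this example: "swap_to_eth" is a swap that credits ETH,
# "eth_out" is an outbound ETH transfer, "eth_after" the ETH balance after it.
EVENTS = [
    {"wallet": "0xA", "ts": "2023-04-15T10:20:00Z", "kind": "swap_to_eth", "amount": 38.0, "eth_after": 40.0},
    {"wallet": "0xA", "ts": "2023-04-15T10:25:00Z", "kind": "eth_out", "amount": 39.5, "eth_after": 0.5},
    {"wallet": "0xA", "ts": "2023-04-22T11:05:00Z", "kind": "eth_out", "amount": 0.5, "eth_after": 0.0},
    {"wallet": "0xB", "ts": "2023-04-16T18:00:00Z", "kind": "eth_out", "amount": 1.0, "eth_after": 12.0},
]

DRAIN_FRACTION = 0.9               # an outbound transfer moving >= 90% of ETH counts as a drain
SWAP_LOOKBACK = timedelta(hours=6)  # swap-to-ETH shortly before the drain = consolidation
RETURN_GAP = timedelta(days=1)      # a later outbound transfer = "return visit"
WINDOW = (10, 13)                   # 10:00-13:00 UTC, the cluster reported by Monahan


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_drains(events):
    """Return {wallet: findings} for wallets whose history matches the drain pattern."""
    by_wallet = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_wallet[e["wallet"]].append(dict(e, t=parse_ts(e["ts"])))
    findings = {}
    for wallet, evs in by_wallet.items():
        for i, e in enumerate(evs):
            if e["kind"] != "eth_out":
                continue
            before = e["eth_after"] + e["amount"]
            if before <= 0 or e["amount"] / before < DRAIN_FRACTION:
                continue
            # Drain found: check for a prior swap consolidation, the UTC time
            # window, and a later return visit that takes what was left behind.
            swapped = any(p["kind"] == "swap_to_eth" and e["t"] - p["t"] <= SWAP_LOOKBACK for p in evs[:i])
            returned = any(n["kind"] == "eth_out" and n["t"] - e["t"] >= RETURN_GAP for n in evs[i + 1:])
            findings[wallet] = {
                "drain_at": e["ts"],
                "swap_consolidation": swapped,
                "in_utc_window": WINDOW[0] <= e["t"].hour < WINDOW[1],
                "return_visit": returned,
            }
            break
    return findings


if __name__ == "__main__":
    for wallet, f in flag_drains(EVENTS).items():
        print(wallet, f)
```

Only wallet 0xA is flagged: 39.5 of 40 ETH leaves five minutes after a swap, inside the window, and a final 0.5 ETH follows a week later; 0xB’s 1 ETH out of 13 is ordinary activity.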
Sharing the Damage
ConsenSys acknowledged the attack and urged affected users to contact its support team “in all cases.” ConsenSys acquired MyCrypto in February 2022. According to a statement at the time, ConsenSys introduced a MyCrypto “fraud blocklist” in 2017 to prevent MetaMask users from visiting known fraudulent sites.
Both Monahan and ConsenSys emphasized the importance of collaboration and of sharing information and resources. Unfortunately, the cryptocurrency community has a tendency to blame those who have been hacked.
“Let’s not criticize victims. Victims are not stupid,” Monahan said. In the unlikely event of a hack, making the details public will help find a solution, he said.
“Web3 belongs to everyone, and everyone should try to keep each other safe,” said a ConsenSys representative.
On best practices, Monahan said, “Don’t keep all your assets under one key or secret phrase for years.” Beyond that, Monahan also recommended keeping assets spread out and using hardware wallets to move assets off internet-connected accounts. MetaMask also shared the following advice:
- Never store your private key or secret recovery phrase online. Write it down somewhere and keep it safe.
- Use a hardware wallet. But as with MetaMask wallets, do not store private keys or secret recovery phrases online (or on any internet-connected device).
- If your wallet is old and you cannot be sure you kept your keys safe 100% of the time, consider creating a new wallet and moving your assets to it (i.e. a new secret recovery phrase, not just a new account).
- Regularly conduct security checks and audits and practice the best security measures. As already mentioned [by Monahan], consider spreading your assets across multiple recovery phrases and using hardware wallets.
It will be even bigger news once the details of the attack come out. For months, many veteran cryptocurrency users have suffered, but word did not seem to reach the outside world.
As long as crypto assets continue to have value, wallet users will continue to face such threats. According to a new report from Chainalysis, a record $3.8 billion was lost to fraud, hacks and theft in 2022.
CoinDesk recently published its “Projects to Watch 2023,” a list of protocols and companies we think are worth recommending to our users. I wrote about Rainbow, a cryptocurrency wallet that has gained popularity mainly by word of mouth for its easy interface and built-in security features.
Related Article: CoinDesk “Projects to Watch 2023”: Returning to Crypto Philosophy
Like many cryptocurrency wallets, Rainbow is equipped with a suite of security features to help protect your assets, such as pop-up messages that warn you about suspicious addresses and ID tools that prevent you from sending assets to incorrect or obsolete addresses.
Basic security features like this should become commonplace throughout the cryptocurrency world. Of course, MetaMask also has similar security features.
But cryptocurrency users and criminals are locked in a constant cat-and-mouse game. Every time a new feature is announced to protect unsophisticated users, criminals find a way around it.
If Monahan is right, years of practice and experience do not necessarily keep you safe. There are best practices to follow and pitfalls to avoid, but for now fraud seems to be a disease specific to cryptocurrency.
So what about Web3? Banking and fintech apps are not immune to hacking and fraud either. Users should be able to trust even “trustless” technology.
｜Translation and editing: Akiko Yamaguchi, Takayuki Masuda
｜Original: If Crypto OGs Are Being Hacked, Where Does That Leave the Rest of Us?