Taylor Monahan, the founder of Ethereum wallet manager, MyCrypto, with the Twitter user @tayvano_ reported unwinding a massive wallet-draining operation since December 2022, draining over 5,000 ETH, as well as tokens and NFTs on more than 11 different chains. The developer revealed this via a Twitter post.
The victims according to her were crypto natives who are “reasonably secured.” Adding that it has only exploited long-stayed or experienced users rather than newbies. The only known commonalities include that keys involved were created between 2014-2022, she added.
Although multiple devices have been analyzed, no one has determined the source of the compromise. As a result, it is advisable to avoid keeping all assets in a single key or secret phrase for years, Monahan advised.
“My best guess right now is that someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove,” Taylor Monahan said.
Primary theft transactions are usually between 10 am and 4 pm UTC, she detailed. For secondary thefts and “dust” collecting, it is anytime, usually 4 pm to 10 pm UTC, and follow-up drains typically occur four hours after the initial theft or at around 7 am UTC the following day.
Although the attacker may miss smaller amounts and assets on other EVM chains, they will bridge from one of the victim’s addresses to another or even from victim 1 to victim 2 to victim 3, and once a sufficient amount of ETH exists in one address, they will move it out.
Further, it may look like a random ENS-named person has sent 0.0X ETH for gas and then stolen all the funds, or that the wallet has been drained to an ENS-named account. The random ENS name is not the attacker; it’s another victim, she explained.
Moreso, the attacker is likely to swap tokens for ETH inside the victim’s wallet when exploiting larger amounts using MetaMask Swaps, Uniswap, or 0x, and the final destination is always Bitcoin. The attacker always uses centralized swappers such as FixedFloat, SimpleSwap, SideShift, ChangeNOW, LetsExchange, or Binance.
According to Taylor Monahan, the attacker is draining whale MetaMask users and whale MetaMask employees using MetaMask. However, she clarified that she got to know because it’s easily discernible on-chain.
The attacker has been seen using VPNs, proxies, and “unlabeled stuff.” Recent IP addresses are mostly HideMy and IPs and UAs have been seen, including Windows/Chrome, Windows/FF, and Mac/Chrome. She said that large December 2022 thefts used RenBridge and made specific observations that an exploited address is revisited in 80+ days and most of the thefts occur over the weekend.
Finally, the MyCrypto founder assured that she would dig more into her find-outs with a couple of others and will provide a form for users who think they are victims. Additionally, she mentioned that the exploit is not MetaMask specific, “users of all wallets, even those created on a hardware wallet or generated for the Ethereum presale, have been impacted by this,” she said.
MetaMask reacting to Taylor Monahan said her claims are incorrect and that the mentioned 5,000 ETH was stolen from various addresses across 11+ blockchains.
The MetaMask team confirmed that its security team has their hands on deck and are researching the source of the exploit. MetaMask is also “working with others across the Web3 wallet space,” the team said.
Read also;
Intel stops producing Bitcoin-mining chips
What do you think of this article? Share comments below.
