All my Metamask extension accounts were compromised somehow. The attacker transferred all funds of value, including unstaking and removal from various farm/vault contracts. The breach happened at approximately 10am PST on July 4th, over about an hour's time, clearing out all 10 accounts in the extension. More than 20k USD in value was stolen in total. The transactions were not executed from my desktop, indicating the account wallets were rebuilt and the transactions executed somewhere else, possibly from a script; however, I was curious to see that the attacker sent a small amount of ETH to one wallet and then transferred the other coin(s), even though there was already ETH in said wallet.
I have never given out my private keys or seed words and would not for any reason ever; however, I will list what I think are possible holes for vectors of attack, as I cannot pinpoint exactly how the private keys were compromised. Here are my security mistakes:
My Brave browser was left open unattended, connected to the internet, while the MM extension wallet was NOT locked prior to the attack. So, possibly an attacker got ‘remote desktop’ access and/or somehow installed a keylogger via malware to gain my MM extension password, allowing my keys to get exposed. It seems unlikely. Also, all wallets other than Metamask on my desktop are unaffected.
I have connected my accounts to a lot of various web3 sites / smart contracts with unlimited access to funds, like DeFi farms/vaults, etc., in the past, and they have been left unchecked. However, since all 10 accounts under the extension were compromised, I don’t see how it would be possible to breach all of them, as I have not ever signed access to all 10 accounts on a single WEB3 contract EXCEPT: Zapper & APYvision could be the culprit. Will be pruning the ‘connected sites’ list entirely.
The last transaction(s) I made were minting ‘Panda Golf Squad’ NFTs and viewing them on Opensea. The minting process did not run smoothly. I posted my eth address in the PGS Discord looking for help regarding why my minted Pandas were not being revealed in a timely manner. I see FUD on CT regarding security holes with NFTs, with Opensea & Metamask suppressing info while supporting dark web hackathons that end up exploiting victims in the process.
About a week ago I installed MS Office Pro Plus 2016 from 1337x and used KMSauto to activate it. This required that I turn off virus protection. Malware may have gotten me here. I have since rolled Windows back to a restore point prior to the installation and will wipe the computer clean and start fresh before I work with any sensitive info going forward. No one has mentioned KMSauto/Office not being legit lately, but it’s pirated software, so who knows.
Very curious, was it malware like a ‘zero day Chrome exploit’? Some issue with a recent Chrome update OR a bug in Metamask requiring their latest update? My computer found no signs of tampering or keyloggers when performing a rootkit virus deep scan after the hack. KMSauto for MS Office does not seem malicious. The only possible way to access my private keys would have been through using a keylogger of some sort to gain my MM extension password to export the private keys. Beyond that, it would have to be through a WEB3 contract I signed ‘unlimited access’ to on all 10 accounts in the past that went rogue on me unchecked.
Being that I have never exposed my private keys, which are encrypted offline, it concerns me very much as to how my MM accounts were actually breached. Nothing else on my computer seems affected. If it was through a signed WEB3 contract turned malicious, then Metamask needs to stress this as being of equal if not greater importance than keeping your private keys safe (a no brainer): you need to SIGN OUT of all contracts after interacting with them and/or limit their access AND keep the extension locked at all times!!! I am not new to crypto trading and have been using Metamask for more than 3 years now without issues. Hard to express how disappointed I am in Metamask’s lack of security and transparency on this.
I see report after report of accounts getting compromised/hacked WITHOUT THEIR PRIVATE KEYS EXPOSED. Sounds like the majority. This is the elephant in the room Metamask will not seem to address from what I see, anywhere.
Anyone in a similar situation, can anyone relate? Misery enjoys company.
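The post above repeatedly points at ‘unlimited access’ token approvals granted to DeFi sites as a possible drain path. The script below is an added example (not the poster's code, and not a Metamask tool): it scans ERC-20 `Approval` event logs, as returned by a node's `eth_getLogs`, for allowances a wallet granted that are at or above a chosen threshold, and builds the `approve(spender, 0)` calldata that would reset such an allowance. The log entries, token, owner and spender addresses are all constructed sample values; the event topic and function selector are the standard ERC-20 ones.

```python
# Added example: audit ERC-20 allowances from Approval logs and build revoke calldata.
# All addresses and log entries below are constructed sample data, not real on-chain values.

MAX_UINT256 = 2**256 - 1
# keccak256("Approval(address,address,uint256)") - standard ERC-20 event signature
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# 4-byte selector of approve(address,uint256)
APPROVE_SELECTOR = "095ea7b3"

# Constructed sample addresses
OWNER = "0x" + "11" * 20            # the wallet being audited
SPENDER_A = "0x" + "22" * 20        # granted an unlimited allowance
SPENDER_B = "0x" + "33" * 20        # granted a small, bounded allowance
TOKEN = "0x" + "aa" * 20            # the ERC-20 contract emitting the events

def _pad_topic(address):
    """Left-pad a 20-byte address to the 32-byte form used in indexed event topics."""
    return "0x" + address[2:].lower().rjust(64, "0")

# Constructed eth_getLogs-style entries: topics = [signature, owner, spender], data = value
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad_topic(OWNER), _pad_topic(SPENDER_A)],
     "data": "0x" + "f" * 64},                        # 2**256-1, i.e. "unlimited"
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad_topic(OWNER), _pad_topic(SPENDER_B)],
     "data": "0x" + format(1000, "064x")},            # bounded allowance of 1000 units
]

def topic_to_address(topic):
    """Recover the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:]

def find_risky_approvals(logs, owner, threshold=2**255):
    """Return (token, spender, allowance) for every Approval where `owner` granted
    an allowance >= threshold. Dapps use various 'unlimited' values, so the
    threshold is configurable rather than testing for MAX_UINT256 alone."""
    risky = []
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if topic_to_address(topics[1]).lower() != owner.lower():
            continue  # approval granted by someone else
        allowance = int(log["data"], 16)
        if allowance >= threshold:
            risky.append((log["address"], topic_to_address(topics[2]), allowance))
    return risky

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector + padded address + zero amount.
    Sending this to the token contract from the owner resets the allowance."""
    padded = spender[2:].lower().rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + padded + "0" * 64
```

Run against real logs, the same filter would be fed the `Approval` events for the owner's address; each `(token, spender)` pair returned is one transaction of `revoke_calldata(spender)` sent to `token`.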