Metamask extension accounts HACKED w/o keys?

All my Metamask extension accounts were compromised somehow. Attacker transferred all funds of value, including unstaking and removal from various farm/vault contracts. Breach happened approximately 10am PST July 4th over about an hour's time, clearing out all 10 accounts in the extension. More than 20k USD in value total stolen. The transactions were not executed from my desktop, indicating account wallets were rebuilt and transactions executed somewhere else, possibly from a script; however, I was curious to see that the attacker sent a small amount of ETH to one wallet, then transferred the other coin(s) even though there was already ETH in said wallet.
I have never given out my private keys or seed words and would not for any reason ever; however, I will list what I think are possible holes for vectors of attack, as I cannot pinpoint exactly how the private keys were compromised. Here are my security mistakes:

  1. My Brave browser was left open unattended connected to the internet while the MM extension wallet was NOT locked prior to the attack. So, possibly an attacker got ‘remote desktop’ access and/or somehow installed a key logger via malware to gain my MM extension password, allowing my keys to get exposed. It seems unlikely. Also, all wallets other than Metamask on my desktop are unaffected.

  2. I have connected my accounts to a lot of various web3 sites / smart contracts w/unlimited access to funds like DeFi farms/vaults, etc. in the past and have left them unchecked; however, since all 10 accounts under the extension were compromised, I don’t see how it would be possible to breach all of them, as I have not ever signed access to all 10 accounts on a single WEB3 contract EXCEPT: Zapper & APYvision could be the culprit. Will be pruning the ‘connected sites’ list entirely.

  3. The last transaction(s) I made were minting ‘Panda Golf Squad’ NFTs and viewing them on Opensea. The minting process did not run smoothly. I posted my eth address in the PGS Discord looking for help regarding why my minted Pandas were not being revealed in a timely manner. I see FUD on CT regarding security holes with NFTs, Opensea & Metamask suppressing info while supporting dark web hackathons that end up exploiting victims in the process.

  4. About a week ago I installed MS Office Pro Plus 2016 from 1337x and used KMSauto to activate. This required that I turn off virus protection. Malware may have gotten me here. I have since rolled back Windows to a restore point prior to the installation and will wipe the computer clean and start fresh before I work with any sensitive info going forward. No one has mentioned KMSauto/Office not being legit lately, but it’s pirated software, so who knows.

Very curious, was it malware like a ‘zero day chrome exploit’? Some issue with a recent Chrome update OR a bug in Metamask requiring their latest update? My computer found no signs of tampering or keyloggers when performing a rootkit virus deep scan after the hack. KMSauto for MS Office does not seem malicious. The only possible way to access my private keys would have been through using a keylogger of some sort to gain my MM extension password to export the private keys. Beyond that, it would have to be through a WEB3 contract I signed ‘unlimited access’ to on all 10 accounts in the past that went rogue on me unchecked.

Being that I have never exposed my private keys, which are encrypted offline, it concerns me very much as to how my MM accounts were actually breached. Nothing else on my computer seems affected. If it was through a signed WEB3 contract turned malicious, then Metamask needs to stress this as of equal if not greater importance than keeping your private keys safe (a no brainer): that you need to SIGN OUT of all contracts after interacting with them and/or limit their access AND keep the extension locked at all times!!! I am not new to crypto trading and have been using Metamask for more than 3 years now without issues. Hard to express how disappointed I am in Metamask’s lack of security and transparency on this.

I see report after report of accounts getting compromised/hacked WITHOUT THEIR PRIVATE KEYS EXPOSED. Sounds like the majority. This is the elephant in the room Metamask will not seem to address from what I see, anywhere.

Anyone in a similar situation, can anyone relate? Misery enjoys company.

16 Likes

I had the same problem, my account got hacked and I lost 170 million tokens. That’s why I’ll never use Metamask again.

5 Likes

Same thing just happened to me this morning actually. Opened a ticket with MetaMask and waiting to hear back from them. 99% sure there’s nothing they can do, but I’m worried about how I’m going to claim my farming if they're tied to my compromised wallet. The odd thing is the hacker took everything from my BSC then MATIC and ETH, but didn’t touch my EWC or KCC stuff. There are 2 things I could think of that caused my hack:
1: I happened to check out the DeBank . com wallet checker a few days ago and all my tokens and farming on there are what was taken. Anything I was farming that wasn’t on there wasn’t touched, as well as any tokens that weren’t listed on there weren’t touched. Also my EWC and KCC aren’t tracked there and weren’t touched either. So I will no longer use DeBank . com in the future. Maybe the site is legit, but it's just too coincidental to me.
2: the polyBunny hack just happened recently and the first thing the hacker took was my Bunny and polyBunny. So not sure if that was related somehow.

Now I’m just waiting on the MetaMask team to show me how I can associate the stuff I still have in farms to a new wallet or protect my funds from being taken when I try to claim anything.

Took over 70% of my stuff. Fck hackers….

4 Likes

That happened with me too. All of the eth in the metamask just disappeared.

2 Likes

So this just happened to my brother while he was buying a zed horse off OpenSea. He was on the phone to me trying to work it then bang transaction appears on etherscan taking all of his coin.

If any of you have (or future people who no doubt will be hacked shortly ) are interested in connecting to figure out how it happened & if we can do something about it, send me a message on Telegram!!!

User name is mikemmike

I noticed something realllly interesting which I think has the potential to maybe catch these people… would love to know how your cases happened & the etherscan transaction id ( so I can follow the money )

I hope to hear from someone.

PS happy to get on Facebook / Instagram or something if you don’t like Telegram

3 Likes

I hate to say it guys, but this is why you should never rely on a hot wallet alone.

" 1. About a week ago I installed MS Office Pro Plus 2016 from 1337x and used KMSauto to activate. This required I turn off virus protection. Malware may have gotten me here. I have since rolled back Windows to a restore point prior to installation and will wipe computer clean and start fresh before I work with any sensitive info going forward. No one has mentioned KMSauto/Office not being legit lately but, it’s pirated software so who knows."

This is the culprit. Your machine was compromised by a keylogger and remote desktop allowed someone to drain your funds. No private key is required and this is an extremely common attack vector that has been around for decades.

Metamask is fine for play money, but if you are doing anything significant I highly recommend using a hardware wallet like the nano ledger.

tl;dr Don’t torrent pirated software on the machine you trade on, use a hardware wallet, and honestly don’t trust metamask with more than play money.

2 Likes

Something similar may have happened to me today.

I logged into MetaMask this morning to check the balances of various tokens. Most balances are now zero. There are a few tokens with small balances (< $10) that still show up, but anything that had more substantial balances are now zero.

I haven’t shared my secret phrase with anyone.

I looked at my account: 0x541f599137212189Be3d8A56CD63997036C7cAAA on Etherscan, and see that there are recent transfers to another address: 0x6d123F7d71771bf0bC0D5d1d705d8196d3A2828f
This address appears to hold my tokens, although the most recent transaction from this address was a transfer of my AMP tokens to UNISWAP V2: AMP 6.

I’m using MetaMask extension 9.8.2 in the Chrome browser.

Any help with this is appreciated. If you think I was hacked somehow, you can tell me that too (don’t want to have false hope). Thing is, I would like to understand how this happened. As mentioned, I have not shared my secret phrase, and I would generally consider myself security-conscious in these matters. Thank you for any assistance you may provide.

4 Likes

So what is MetaMask's response to this? Have they said anything? This is some serious stuff. I already lost one MetaMask wallet this year. I've only used it for transferring things now. You can’t trust it to leave balances in it.

3 Likes

I also have just been through this. I feel for you. I lost nearly $50K from a Metamask wallet that was interacting with BSC, Polygon and Ethereum. I am certain that the hack came through an old farm that imploded quickly. I should have revoked and put spend limits. Like you, I would not have been so stupid as to give out my private keys!
These yield farms are designed to fail and then these rat bag Devs go through their address books and see who the lazy types are and exploit.
They justify it as teaching you a lesson. If I could get one of them in a room with no windows…say no more. Anyone reading this revoke old farms. Use only one wallet per farm. Get into the habit of sending your divs and stables to another wallet or Ledger or Binance. You must get active moving your profits.
Most farms are garbage and designed to be an opportunity for white-collar criminals.
Like an email list these Devs are selling your wallet address to talented hackers.
I have tracked the stolen funds and can see all my tokens in his new address.
Tracking to an exchange for fiat cashout is possible. A lot of work though.
When do you give up? Start again and follow best practices.
Sign transactions with a ledger…Will that stop them? Without knowing how the exploit happened? Will you ever feel safe?

3 Likes
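One defender-side check for the unlimited token approvals this poster (and the first post's item 2) point at, added here as an example and not code from the thread or from MetaMask: it replays a wallet's ERC-20 Approval events in log order and reports the allowances still set to the full uint256 value, then builds the approve(spender, 0) calldata that would revoke one. The Approval topic hash and approve selector are the standard ERC-20 ones; every address and log entry below is constructed.

```python
# Added example, not code from the thread or from MetaMask: replay a wallet's
# ERC-20 Approval events (in the shape eth_getLogs returns them) to find
# allowances still set to "unlimited", then build the approve(spender, 0) calldata.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1       # the "unlimited" amount many dapps ask MetaMask to approve

def parse_approval(log: dict):
    """Return (token, owner, spender, value) for an ERC-20 Approval log, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    owner, spender = ("0x" + t[-40:].lower() for t in topics[1:])  # indexed addresses are left-padded to 32 bytes
    return log["address"].lower(), owner, spender, int(log["data"], 16)

def current_allowances(logs: list, owner: str) -> dict:
    """Live (token, spender) -> amount for one owner; approve() overwrites, so the last event wins."""
    allowances = {}
    for log in logs:  # caller passes logs in block / log-index order
        parsed = parse_approval(log)
        if parsed and parsed[1] == owner.lower():
            allowances[(parsed[0], parsed[2])] = parsed[3]
    return {k: v for k, v in allowances.items() if v > 0}

def unlimited_allowances(logs: list, owner: str) -> list:
    """(token, spender) pairs the owner still has approved for the full uint256 range."""
    return sorted(k for k, v in current_allowances(logs, owner).items() if v == MAX_UINT256)

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): 4-byte selector, address padded to 32 bytes, zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample: one owner, two tokens, a farm and a router as spenders (all fake addresses).
OWNER, OTHER = "0x" + "11" * 20, "0x" + "99" * 20
FARM, ROUTER = "0x" + "22" * 20, "0x" + "33" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20

def _approval(token, owner, spender, value):   # one eth_getLogs-style entry
    word = lambda n: f"0x{n:064x}"              # 32-byte ABI word as hex
    return {"address": token, "data": word(value),
            "topics": [APPROVAL_TOPIC, word(int(owner, 16)), word(int(spender, 16))]}

SAMPLE_LOGS = [
    _approval(TOKEN_A, OWNER, FARM, MAX_UINT256),   # unlimited, never revoked
    _approval(TOKEN_A, OWNER, ROUTER, 10**18),      # bounded spend limit
    _approval(TOKEN_B, OWNER, FARM, MAX_UINT256),   # unlimited ...
    _approval(TOKEN_B, OWNER, FARM, 0),             # ... but revoked later
    _approval(TOKEN_A, OTHER, FARM, MAX_UINT256),   # someone else's wallet, ignored
]
```

Against the sample, only the TOKEN_A allowance to FARM comes back as unlimited; on a real wallet the same replay runs over the Approval logs fetched for that owner, and the revoke calldata is what a wallet would sign to the token contract.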

same problem.

somewhere along the line you must have gone to metamask .com instead of metamask .io.

the websites are identical. upon logging in you have to restore your wallet, by doing so you gave the hacker access to your wallet.

the hacker must have written a code that sees when a deposit is made and immediately deposits ETH into your wallet, then withdraws your tokens in less than one minute.

it's pathetic metamask has done nothing to resolve this issue when many users are losing thousands of dollars

2 Likes

I had my cryptopunk stolen from my MM wallet july 4th. I literally don’t know what happened exactly, though it definitely happened while connecting on my computer. Oddly, all my coins within my wallet were untouched. I did not put in my seed phrase. I find myself totally freaked out and not knowing how to protect myself. Normally I only use it on my phone, but I was trying to put my punk up for sale, so had to use computer (oh the irony). Any advice? I’m totally traumatized, as one might imagine, seeing the floor price of punks…and just so scared it could happen again.

2 Likes

Sorry to hear all these stories.

I had my MetaMask hacked yesterday, all ETH cleared and with that, all my NFTs stolen from OpenSea.

This is the address.

0x86f6bf16f495afc065da4095ac12ccd5e83a8c85

I have no idea how this could have happened and am now worried about using MetaMask again. The most frustrating thing is that I can see all the NFTs listed for sale on another user's Collections page.
Would this have happened if the MetaMask is locked?
Is there anything I can do at all?
Also, is there another more secure Wallet out there that I could look into?

Thanks

3 Likes

Same here, my metamask was hacked yesterday, everything was cleared.

I can see transfers from my wallet to the following addresses:
0xadbF1854e5883eB8aa7BAf50705338739e558E5b
0x019ba0325f1988213D448b3472fA1cf8D07618d7
0xD668724fFb32070B87361cB3533E461060CEff45

Same questions here, wondering if MetaMask was able to help someone here…

Thanks.

6 Likes

Do you mean Metamask is okay if it is linked to a hardware wallet? All defi seems to require hot wallets, it’s hard to know how to avoid them.

1 Like

Same happened to me. I wrote many comments on this thief's address and asked him to give my money back. He did. I was surprised.

2 Likes

What did you say to the hacker and where did you leave the comments? I was hacked recently as well :frowning:

Type in the etherscan site this
0x9be9824C07477EFdc110ef54e80bc81BDb1289F5

Im Givemymoneyback

1 Like

Same happened to me.

Hacker addresses are:
0x077d360f11d220e4d5d831430c81c26c9be7c4a4
0xa305fab8bda7e1638235b054889b3217441dd645

@Metamask you can help by blocking those addresses

3 Likes

Hi all.

I would also like to know WTF is going on here?

I was in the process of purchasing an NFT from OpenSea but the Gas prices were through the roof so I had to cancel my transaction.

The next morning I woke up and my balance was withdrawn to an unknown address.

I would also like to know how this is possible?

A lot of the new sites require you to join Discord to become part of their project.
Furthermore they require you to link your Metamask with Collab.land to verify your address. Also to be able to send you NFTs if you won any in one of their giveaways.

Could this be an exploit?

I have sent a message to the account as well and have reported it to Metamask Helpdesk.

0x303db03a84baa799803b4b5361460d49a10151ce

Just to add: I am by no means a wealthy individual. On the contrary, I live in a third world country, have lost my permanent employment due to the Covid 19 pandemic, so this was some of my hard earned savings money to try and build up a Crypto and NFT Profile because I love this space.

But now I’m not so sure anymore.

Is there anything else I can perhaps do?

4 Likes

The same thing just happened to me yesterday, couldn’t sleep all night. I see on MetaMask there is nothing they can do. Lost 4500 in eth and collectibles. I filled out a police report. Please, if someone has any advice.

1 Like