Metamask extension accounts HACKED w/o keys?

All my Metamask extension accounts were compromised somehow. The attacker transferred all funds of value, including unstaking and removal from various farm/vault contracts. The breach happened at approximately 10am PST on July 4th and took about an hour, clearing out all 10 accounts in the extension. More than 20k USD in value was stolen in total. The transactions were not executed from my desktop, indicating the account wallets were rebuilt and the transactions executed somewhere else, possibly from a script; however, I was curious to see that the attacker sent a small amount of ETH to one wallet, then transferred the other coin(s) even though there was already ETH in said wallet.
I have never given out my private keys or seed words and would not for any reason ever; however, I will list what I think are possible holes for vectors of attack, as I cannot pinpoint exactly how the private keys were compromised. Here are my security mistakes:

  1. My Brave browser was left open unattended and connected to the internet while the MM extension wallet was NOT locked prior to the attack. So, it is possible an attacker got ‘remote desktop’ access and/or somehow installed a keylogger via malware to gain my MM extension password, allowing my keys to get exposed. It seems unlikely. Also, all wallets other than Metamask on my desktop are unaffected.

  2. I have connected my accounts to a lot of various web3 sites / smart contracts w/unlimited access to funds, like DeFi farms/vaults, etc., in the past and have left them unchecked. However, since all 10 accounts under the extension were compromised, I don’t see how it would be possible to breach all of them, as I have never signed access to all 10 accounts on a single WEB3 contract EXCEPT: Zapper & APYvision could be the culprit. Will be pruning the ‘connected sites’ list entirely.

  3. The last transaction(s) I made were minting ‘Panda Golf Squad’ NFTs and viewing them on Opensea. The minting process did not run smoothly. I posted my eth address in the PGS Discord looking for help regarding why my minted Pandas were not being revealed in a timely manner. I see FUD on CT regarding security holes with NFTs, Opensea & Metamask suppressing info while supporting dark web hackathons that end up exploiting victims in the process.

  4. About a week ago I installed MS Office Pro Plus 2016 from 1337x and used KMSauto to activate. This required I turn off virus protection. Malware may have gotten me here. I have since rolled back Windows to a restore point prior to installation and will wipe the computer clean and start fresh before I work with any sensitive info going forward. No one has mentioned KMSauto/Office not being legit lately but it’s pirated software, so who knows.

Very curious, was it malware like a ‘zero day Chrome exploit’? Some issue with a recent Chrome update OR a bug in Metamask requiring their latest update? My computer found no signs of tampering or keyloggers when performing a rootkit virus deep scan after the hack. KMSauto for MS Office does not seem malicious. The only possible way to access my private keys would have been through using a keylogger of some sort to gain my MM extension password to export the private keys. Beyond that, it would have to be through a WEB3 contract I signed ‘unlimited access’ to on all 10 accounts in the past that went rogue on me unchecked.

Given that I have never exposed my private keys, which are encrypted offline, it concerns me very much as to how my MM accounts were actually breached. Nothing else on my computer seems affected. If it was through a signed WEB3 contract turned malicious, then Metamask needs to stress this as being of equal if not greater importance than keeping your private keys safe (a no brainer): you need to SIGN OUT of all contracts after interacting with them and/or limit their access AND keep the extension locked at all times!!! I am not new to crypto trading and have been using Metamask for more than 3 years now without issues. Hard to express how disappointed I am in Metamask’s lack of security and transparency on this.

I see report after report of accounts getting compromised/hacked WITHOUT THEIR PRIVATE KEYS EXPOSED. Sounds like the majority. This is the elephant in the room Metamask will not seem to address from what I see, anywhere.

Anyone in a similar situation, can anyone relate? Misery enjoys company.

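The second "security mistake" in the post above, unlimited token approvals left standing on DeFi contracts, is something a wallet owner can audit from their own transaction history: every ERC-20 `approve(spender, amount)` call the wallet ever signed is on-chain, and any spender still holding a non-zero allowance can move that token without the private key. The following is an added example, not code from the thread or from MetaMask, showing how to decode those `approve()` calls from raw calldata, replay them so that later approvals and revocations override earlier ones, flag the ones set to the "unlimited" value (2^256 - 1), and build the `approve(spender, 0)` calldata that revokes one. The token, spender and transaction data are constructed sample values; only the function selectors and the standard ABI word layout are real.

```javascript
// Added example: audit a wallet's outgoing transactions for ERC-20 approve()
// calls and report which spender contracts still hold a non-zero (especially
// unlimited) allowance. Not MetaMask code; the transactions below are
// constructed sample data and the addresses are placeholders.

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;   // the value wallets encode as "unlimited"

// Left-pad a hex value (with or without 0x) to a 32-byte ABI word.
function word(hex) {
  return hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");
}

// Decode one transaction's calldata. Returns null for anything that is not approve().
function decodeApprove(tx) {
  const data = tx.data.toLowerCase();
  if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 10 + 64 * 2) return null;
  const spenderWord = data.slice(10, 74);
  const amountWord = data.slice(74, 138);
  // An address occupies the low 20 bytes of its word; the top 12 bytes must be zero.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord)) return null;
  return {
    token: tx.to.toLowerCase(),
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + amountWord),
  };
}

// Replay approve() calls in order: the latest approve for a (token, spender)
// pair wins, and approve(spender, 0) clears it. Returns the outstanding allowances.
function auditApprovals(txs) {
  const live = new Map();
  for (const tx of txs) {
    const a = decodeApprove(tx);
    if (!a) continue;
    const key = `${a.token}:${a.spender}`;
    if (a.amount === 0n) live.delete(key);
    else live.set(key, { ...a, unlimited: a.amount === MAX_UINT256 });
  }
  return [...live.values()];
}

// Calldata for approve(spender, 0): the transaction that revokes an allowance.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + word(spender) + word("0");
}

// Constructed sample: three approvals across two tokens, one later revoked,
// plus an unrelated transfer() that the audit must ignore.
const TOKEN_A = "0x1111111111111111111111111111111111111111";
const TOKEN_B = "0x2222222222222222222222222222222222222222";
const FARM = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const ROUTER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";

const SAMPLE_TXS = [
  { to: TOKEN_A, data: APPROVE_SELECTOR + word(FARM) + word(MAX_UINT256.toString(16)) },
  { to: TOKEN_B, data: APPROVE_SELECTOR + word(ROUTER) + word((5000n * 10n ** 18n).toString(16)) },
  { to: TOKEN_A, data: APPROVE_SELECTOR + word(ROUTER) + word(MAX_UINT256.toString(16)) },
  { to: TOKEN_A, data: revokeCalldata(ROUTER) },               // clears TOKEN_A -> ROUTER
  { to: TOKEN_B, data: "0xa9059cbb" + word(FARM) + word("1") }, // transfer(), not an approval
];

for (const a of auditApprovals(SAMPLE_TXS)) {
  console.log(`${a.token} -> ${a.spender}: ${a.unlimited ? "UNLIMITED" : a.amount.toString()}`);
}
```

Against the sample history this reports two live allowances: the unlimited one granted to the farm on TOKEN_A, and the capped 5000-token one granted to the router on TOKEN_B; the router's unlimited approval on TOKEN_A drops out because it was revoked. To run this over a real wallet you would feed it the address's outgoing transactions from a block explorer, which is outside the example; note that it only sees approvals the wallet itself signed, so it will not catch allowances granted through a contract the wallet called indirectly.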

I had the same problem: my account got hacked and I lost 170 million tokens. That’s why I’ll never use Metamask again.


Same thing just happened to me this morning actually. Opened a ticket with MetaMask and am waiting to hear back from them. 99% sure there’s nothing they can do, but I’m worried about how I’m going to claim my farming if they’re tied to my compromised wallet. The odd thing is the hacker took everything from my BSC, then MATIC and ETH, but didn’t touch my EWC or KCC stuff. There are 2 things I could think of that caused my hack:
1: I happened to check out the DeBank . com wallet checker a few days ago, and all my tokens and farming on there are what was taken. Anything I was farming that wasn’t on there wasn’t touched, and any tokens that weren’t listed on there weren’t touched either. Also my EWC and KCC aren’t tracked there and weren’t touched either. So I will no longer use DeBank . com in the future. Maybe the site is legit, but it’s just too coincidental to me.
2: The polyBunny hack just happened recently and the first thing the hacker took was my Bunny and polyBunny. So not sure if that was related somehow.

Now I’m just waiting on the MetaMask team to show me how I can associate the stuff I still have in farms to a new wallet, or protect my funds from being taken when I try to claim anything.

Took over 70% of my stuff. Fck hackers….


That happened to me too. All of the eth in the Metamask just disappeared.

So this just happened to my brother while he was buying a zed horse off OpenSea. He was on the phone to me trying to work it out, then bang, a transaction appears on etherscan taking all of his coin.

If any of you (or future people who no doubt will be hacked shortly) are interested in connecting to figure out how it happened & if we can do something about it, send me a message on Telegram!!!

User name is mikemmike

I noticed something realllly interesting which I think has the potential to maybe catch these people… would love to know how your cases happened & the etherscan transaction id (so I can follow the money).

I hope to hear from someone.

PS: happy to get on Facebook / Instagram or something if you don’t like Telegram.

I hate to say it guys, but this is why you should never rely on a hot wallet alone.

" 4. About a week ago I installed MS Office Pro Plus 2016 from 1337x and used KMSauto to activate. This required I turn off virus protection. Malware may have gotten me here. I have since rolled back Windows to a restore point prior to installation and will wipe the computer clean and start fresh before I work with any sensitive info going forward. No one has mentioned KMSauto/Office not being legit lately but it’s pirated software, so who knows."

This is the culprit. Your machine was compromised by a keylogger, and remote desktop access allowed someone to drain your funds. No private key is required, and this is an extremely common attack vector that has been around for decades.

Metamask is fine for play money, but if you are doing anything significant I highly recommend using a hardware wallet like the Ledger Nano.

tl;dr: Don’t torrent pirated software on the machine you trade on, use a hardware wallet, and honestly don’t trust Metamask with more than play money.