My MM got hacked, can't find the vector of attack

Hello, Metamask community.

Recently, my Metamask was hacked. Hackers moved all ETH and tokens to the address: 0x9d8c55c6e5f0bd59bf1d6f73022dd7554e57fa87

I’m asking for help to find the hacking method because I have no clue how this happened and lost peace of mind.

A little bit of background:

  • Windows 10 with built-in security and virus protection (always up to date and a few recurring checks per week)
  • Brave browser
  • No untrusted apps or suspicious software installed.
  • Access to the Metamask only from one PC with private Wi-Fi (no MITM attack possibility)
  • Used same Metamask for three years, created seed with MM, and secured with a strong memorized password (can’t be brute-forced)
  • Stored seed phrase on paper in a secured place
  • I did not open the MM for the last month. Used PC for the last week only for youtube browsing and nothing else.
  • After the hack, I performed different types of virus scans, including the Microsoft Defender Offline scan: no threats or viruses were found.
  • Funds were moved from six different MM wallets, handled by a script (one block transaction). That implies the seed phrase was compromised.
  • On the same date, before the hack, I had completed Brave synchronization with a brand new notebook (after a fresh Windows install). All sync options were chosen, including passwords, extensions, etc.
  • On the new device: a clean MM was installed during the sync. The seed didn’t import.
  • I have taken computer security courses and have advanced knowledge of different types of attacks and how to protect against them. I know how a phishing attack works and always double-check the address of websites.

My only guesses are that it could be some breach in Brave sync or a sophisticated OS hack. But if my PC was compromised, why weren’t other sources hacked (like my Exodus wallet or exchange accounts)?

Any help or piece of advice would be highly appreciated. Thanks!

Was your issue fixed? I just had the same thing happen to me. Nothing going on with my phone at all. No malicious shit at all. Still managed to get into my wallet and liquidate it. And all my other wallets are untouched.

Hi.
No, I didn’t find how the hackers compromised the private key. I ran dozens of checks, and all of them showed the absence of any malware. This and other tests made it less likely that my computer was compromised with some sort of rootkit. Also, there is no trace that my browser has been compromised.
Also, this is not some sort of smart-contract vulnerability, because in that case hackers can’t get access to a wallet that wasn’t in use and was used only once for storing assets. I had a few, and they were also drained. So again, the private key was hijacked and I don’t know how.
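The reasoning in the posts above (every account drained in one block, including accounts that were never connected to any site, so the seed rather than a single key must have leaked) follows from how MetaMask derives accounts. The Python example below is added here and is not code from this thread or from MetaMask; it implements BIP-32 child key derivation with the standard library only and derives several account keys from one seed along the standard BIP-44 Ethereum path m/44'/60'/0'/0/i that MetaMask uses. The seed bytes are the BIP-32 specification's first test vector, used as a constructed input and not anything from this thread.

```python
import hashlib
import hmac

# secp256k1 curve parameters (public constants from the curve specification)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed input: BIP-32 test vector 1 seed, not a real wallet seed.
CONSTRUCTED_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _ec_add(a, b):
    """Add two points on secp256k1 (None is the point at infinity)."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _ec_add(result, addend)
        addend = _ec_add(addend, addend)
        k >>= 1
    return result


def _compressed_pub(priv):
    """33-byte compressed SEC1 encoding of priv * G (needed for non-hardened steps)."""
    x, y = _ec_mul(priv, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_key(seed):
    """BIP-32 master node: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def ckd_priv(k_par, c_par, index):
    """BIP-32 private child derivation; index >= 2**31 means hardened."""
    hardened = index >= 0x80000000
    # Hardened children mix in the parent private key, normal ones the parent public key.
    data = (b"\x00" + k_par.to_bytes(32, "big")) if hardened else _compressed_pub(k_par)
    digest = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + k_par) % N
    if il >= N or child == 0:
        raise ValueError("invalid child key, skip this index")
    return child, digest[32:]


def derive_path(seed, path):
    """Walk a path like m/44'/60'/0'/0/3 and return the private key scalar at the end."""
    k, c = master_key(seed)
    for element in path.split("/")[1:]:
        hardened = element.endswith(("'", "h"))
        index = int(element.rstrip("'h")) + (0x80000000 if hardened else 0)
        k, c = ckd_priv(k, c, index)
    return k


def metamask_accounts(seed, count):
    """Private keys for the first `count` accounts MetaMask shows for this seed."""
    return [derive_path(seed, f"m/44'/60'/0'/0/{i}") for i in range(count)]


if __name__ == "__main__":
    # Six distinct accounts, all a pure function of the one seed.
    for i, key in enumerate(metamask_accounts(CONSTRUCTED_SEED, 6)):
        print(f"account {i}: {key:064x}")
```

Every account is a deterministic function of the seed and nothing else, so anyone holding the seed phrase can regenerate all accounts offline and sweep them in one block, including accounts that never signed a transaction or approved a contract. A malicious token approval, by contrast, only reaches the one account that signed it, which is why draining of never-used accounts points at the seed rather than at a dapp interaction.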

Hey, I had something similar happen 2 days ago… all MetaMask wallets drained. Exodus also drained (desktop wallet). Clearly points to a security phrase breach and not a smart contract issue. Cannot find any malware on scans I have done. On a MacBook. Was not phished, never entered any words online. How can a keylogger, if I do have one, get me if I never enter my 12-word phrase online or anywhere on the computer ever? It is so absurd I can’t fathom how this has happened at all.

Let me know what you found and did you just reformat your computer?

Hi.
Sorry to hear that. Yeah, it’s very painful, and what is most demoralizing is that it’s not clear how hackers do that and how to protect against it.
I still haven’t found the weak spot; my MM was drained, but Exodus was not. Maybe because I had less than $50 on it. Also, you are using a Mac, and I’m on a PC.
I didn’t find any malware or viruses, either. Also, I didn’t enter the secret seed words anywhere, or get phished.

In your case it’s more likely a system breach: hackers got root access to your Mac, because only this can explain the Exodus hack, since Exodus is not a web service or a browser extension. Did you trace the transactions of your tokens?
Mine are still sitting in the hacker’s wallet: 0x9d8c55c6e5f0bd59bf1d6f73022dd7554e57fa87

Thanks for the reply. Yes, I have been tracing everything, and some is sitting in wallets and some has moved to exchanges and is moving around. What do you use now for your primary wallet? It seems to me that using an exchange perhaps really is the safest way after all: an exchange you trust, with 2-factor and a very strong unique password? I have read about hackers even accessing hardware wallets without anyone ever sharing the secret key, even if they bought directly from the manufacturer. Very perplexed how this can ever happen. There are clearly more vulnerabilities out there than people know.

Did you reformat your computer since then? I suppose you are right: there was some sort of security breach to the Mac that led to root access. I am not even fully sure if reformatting would fix this, since if I reinstall my files from backup, would they not just give me the malware again? And some root issues can stay, no?

I think if you fully reformat your Mac, it should help. Yes, storing on an exchange with strong 2FA is a good solution. Also, for Binance you can use a YubiKey; it’s a hardware key for an additional level of security (you can use it for protecting accounts over the web).

Still many questions about how, and no answer :pensive: