Hello, Metamask community.
Recently, my Metamask was hacked. Hackers moved all ETH and tokens to the address: 0x9d8c55c6e5f0bd59bf1d6f73022dd7554e57fa87
I’m asking for help to find the hacking method because I have no clue how this happened and have lost my peace of mind.
A little bit of background:
- Windows 10 with built-in security and virus protection (always up to date, with a few recurring checks per week)
- Brave browser
- No untrusted apps or suspicious software installed.
- Access to the Metamask only from one PC with private Wi-Fi (no MITM attack possibility)
- Used same Metamask for three years, created seed with MM, and secured with a strong memorized password (can’t be brute-forced)
- Stored seed phrase on paper in a secured place
- I did not open the MM for the last month. Used PC for the last week only for YouTube browsing and nothing else.
- After the hack, I performed different types of virus scans, including the Microsoft Defender Offline scan: no threats or viruses were found.
- Funds were moved from six different MM wallets, handled by a script (one block transaction). That implies the seed phrase was compromised.
- On the same date, before the hack, I had completed Brave synchronization with a brand new notebook (after a fresh Windows install). All sync options were chosen, including passwords, extensions, etc.
- On the new device: clean MM was installed during the sync. The seed didn’t import.
- I have taken computer security courses and have advanced knowledge of different types of attacks and how to protect against them. I know how phishing attacks work and always double-check the addresses of websites.
My only suggestion is that it could be some breach in Brave sync or a sophisticated OS hack. But if my PC was compromised, why weren’t other sources hacked (like the Exodus wallet or exchange accounts)?
Any help or piece of advice would be highly appreciated. Thanks!