My MM got hacked, can't find the vector of attack

Hello, Metamask community.

Recently, my Metamask was hacked. Hackers moved all ETH and tokens to the address: 0x9d8c55c6e5f0bd59bf1d6f73022dd7554e57fa87

I’m asking for help to find the hacking method because I have no clue how this happened and have lost my peace of mind.

A little bit of background:

  • Windows 10 with built-in security and virus protection (always up to date and a few recurring checks per week)
  • Brave browser
  • No untrusted apps or suspicious software installed.
  • Access to the Metamask only from one PC with private Wi-Fi (no MITM attack possibility)
  • Used same Metamask for three years, created seed with MM, and secured with a strong memorized password (can’t be brute-forced)
  • Stored seed phrase on paper in a secured place
  • I did not open the MM for the last month. Used the PC for the last week only for YouTube browsing and nothing else.
  • After the hack, I performed different types of virus scans, including the Microsoft Defender Offline scan: no threats or viruses were found.
  • Funds were moved from six different MM wallets, handled by a script (one block transaction). That implies the seed phrase was compromised.
  • On the same date, before the hack, I had completed Brave synchronization with a brand new notebook (after fresh windows install). All sync options were chosen, including passwords, extensions, etc.
  • On the new device: clean MM was installed during the sync. The seed didn’t import.
  • I had taken computer security courses and have advanced knowledge about different types of attacks and how to protect against them. I know how a phishing attack works and always double check the address of websites.

My only suggestion is that it could be some breach in Brave sync or a sophisticated OS hack. But if my PC was compromised, why weren’t other sources hacked (like the Exodus wallet or exchange accounts)?

Any help or piece of advice would be highly appreciated. Thanks!

Was your issue fixed? I just had the same thing happen to me. Nothing going on with my phone at all. No malicious shit at all. Still managed to get into my wallet and liquidate it. And all my other wallets are untouched.

Hi.
No, I didn’t find the way the hackers compromised the private key. I ran dozens of checks, and all of them showed the absence of any malware. This and other tests made it less likely that my computer was compromised with some sort of rootkit. Also, there is no trace that my browser has been compromised.
Also, this is not some sort of smart-contract vulnerability, because in that case hackers can’t get access to a wallet that wasn’t in use and was used only once for storing assets. I had a few of those, and they were also drained. So again, the private key was hijacked and I don’t know how.

Hi.
Sorry to hear that. Yeah, it’s very painful, and what is most demoralizing is that it’s not clear how hackers do that and how to protect against it.
I still haven’t found the weak spot; my MM was drained, but Exodus was not. Maybe because I had only less than $50 on it. Also, you are using a Mac, and I’m on a PC.
I didn’t find any malware or viruses, either. Also, I didn’t enter the secret seed words anywhere, or get phished.

In your case it’s more likely a system breach: hackers got root access to your Mac. Only this can explain the Exodus hack, since Exodus is not a web service or a browser extension. Did you trace the transaction of your tokens?
Mine are still sitting in the hacker’s wallet: 0x9d8c55c6e5f0bd59bf1d6f73022dd7554e57fa87

I think if you fully reformat your Mac, it should help. Yes, storing on an exchange with strong 2FA is a good solution. Also, for Binance you can use a YubiKey; it’s a hardware key for an additional level of security (you can use it for protecting accounts over the web).

Still many questions about how, and no answer :pensive:

Sorry to hear this has happened @AlexMM. For your privacy and security, please submit a ticket to our support team here: https://metamask.zendesk.com/hc/en-us/requests/new

Please continue communication with us there.