My MM got hacked, can't find the vector of attack

Hello, Metamask community.

Recently, my Metamask was hacked. Hackers moved all ETH and tokens to the address: 0x9d8c55c6e5f0bd59bf1d6f73022dd7554e57fa87

I’m asking for help to find the hacking method because I have no clue how this happened and lost peace of mind.

A little bit of background:

  • Windows 10 with built-in security and virus protection (always up to date and a few recurring checks per week)
  • Brave browser
  • No untrusted apps or suspicious software installed.
  • Access to the Metamask only from one PC with private Wi-Fi (no MITM attack possibility)
  • Used the same Metamask for three years, created the seed with MM, and secured it with a strong memorized password (can’t be brute-forced)
  • Stored seed phrase on paper in a secured place
  • I did not open the MM for the last month. Used the PC for the last week only for YouTube browsing and nothing else.
  • After the hack, I performed different types of virus scans, including the Microsoft Defender Offline scan: no threats or viruses were found.
  • Funds were moved from six different MM wallets, handled by a script (one block transaction). That implies the seed phrase was compromised.
  • On the same date, before the hack, I had completed Brave synchronization with a brand new notebook (after fresh windows install). All sync options were chosen, including passwords, extensions, etc.
  • On the new device: clean MM was installed during the sync. The seed didn’t import.
  • I have taken computer security courses and have advanced knowledge about different types of attacks and how to protect against them. I know how a phishing attack works and always double-check the address of websites.

My only suggestions are that it could be some breach in Brave sync or a sophisticated OS hack. But if my PC was compromised, why weren’t other sources hacked (like the Exodus wallet or exchange accounts)?

Any help or piece of advice would be highly appreciated. Thanks!

Was your issue fixed? I just had the same thing happen to me. Nothing going on with my phone at all. No malicious shit at all. Still managed to get into my wallet and liquidate it. And all my other wallets are untouched.

No, I didn’t find out how the hackers compromised the private key. I ran dozens of checks, and all of them showed the absence of any malware. This and other tests made it less likely that my computer was compromised with some sort of rootkit. Also, there is no trace that my browser has been compromised.
Also, this is not some sort of smart-contract vulnerability, because in that case hackers can’t get access to a wallet that wasn’t in use and was used only once for storing assets. I had a few, and they were also drained. So again, the private key was hijacked and I don’t know how.