A hacker has stolen $10 million in Ethereum and no one knows how
A $10 million hack targeting sophisticated crypto users has top security experts baffled.
Taylor Monahan, former CEO and founder of Ethereum wallet manager MyCrypto, said on Twitter on Tuesday that over 5,000 ETH had been stolen since December.
That’s over $10.4 million worth of crypto at today’s prices.
The worrying part? It hit the hardware wallets of users who prioritized security, according to Monahan.
“For the past 48 hours I’ve been unwinding a massive pocket emptying operation,” wrote Monahan, who joined MetaMask after MyCrypto was acquired by the crypto wallet’s parent company ConsenSys last year. People who are “more cryptonative than most” and “reasonably safe” were hit by the loss of money, she tweeted.
In other words, the victims are not crypto newbies clicking on obvious phishing links. The attack is far more sophisticated than that, and it’s OGs that get “right,” Monahan explained. “No one knows how.”
The security team behind the popular crypto wallet MetaMask told Decrypt that the “unidentified exploit” hit crypto users “including, but not limited to, MetaMask users.”
“The on-chain behavior strongly suggests a private key compromise,” they said.
“What current research shows is that this specific attack vector appears to point to these users’ secret recovery phrases being compromised somewhere along the line, likely due to inadvertent insecure storage of the phrase.”
Private keys are used by crypto users to access their money stored in a wallet – whether digital or physical – and authorize transactions.
Monahan also said the attack targeted funds held in wallets created from 2014 to 2022. “My best guess [right now] is that someone has obtained a large cache of data from 1+ [years] ago [and is] methodically emptying the keys as they analyze them from the vault,” Monahan tweeted. However, she emphasized that this is only a guess and that no one has yet been able to “determine the source of their compromise.”
Her best advice? “Please don’t keep all your assets in a single key or secret phrase for years,” she said.
MetaMask’s security team added that to protect funds, users must not store their private keys anywhere on the web or on any “Internet-enabled device.”
“If you ever get to the point where your wallet is so old that you can’t remember if you’ve been 100% diligent with your keys at all times, consider making a new wallet,” they added.