According to MetaMask programmer @tayvano_ on Twitter, more than 5,000 Ethereum (ETH) and an unspecified amount of tokens and NFTs have been stolen across numerous chains in an ongoing breach since late last year.
The programmer also stated that he has been digging into the incidents for the past two days but has not been able to ascertain how the attacker is carrying out the thefts. Furthermore, the victims are all crypto OGs who are “reasonably secure,” but not even those who are new to the industry.
For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭
I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.
Its rekt my friends & OGs who are reasonably secure.
No one knows how. pic.twitter.com/MafntG7RkP
— Tay 🦊 💖 (@tayvano_) April 18, 2023
The Attacking Methods Have Not Been Discovered
Furthermore, the Metamask builder suspects that the attacker might be using a new technique or exploiting a vulnerability that has not yet been discovered. He recommends that all crypto users, regardless of their experience level, take extra precautions to secure their assets.
Additionally, he said that forensic device analysis had produced no results, further delaying attempts to figure out how the victims’ MetaMask wallets were accessed. Meanwhile, it was noticed that the keys that fell victim were created between 2014 and 2022, and the owners are obviously those who are more crypto-native, like those with multiple addresses or who work in crypto space.
The hacker will carry out “primary” thefts, followed by “secondary” thefts hours later to recover whatever assets or dust remain from the original heist—sometimes weeks or months later.
According to him, primary theft transactions almost always occur between 10 a.m. and 4 p.m. UTC, while secondary thefts and “dust” collection occur anytime but usually from 4 p.m. to 10 p.m. UTC.
In the event of large thefts, the perpetrator will convert the stolen coins to ETH inside the wallet before sending the tokens to an exchange like SimpleSwap or ChangeNOW and always converting to Bitcoin (BTC).
After a week of waiting on the exchanged BTC, the funds are sent to a mixer for address concealment.
When dealing with lesser sums and assets on other EVM-compatible blockchain networks, the attacker may frequently bridge or switch between the addresses, or even from victim 1 to victim 2 and victim 3, depending on the situation. Once there is enough ETH at one address, they will transfer it to another location.
Security Tips
However, he urges everyone not to keep all their digital assets in a single key or secret phrase for years. @tayvano_ also advised users to migrate to a new wallet, split their assets, and get a hardware wallet.
This is because relying on a single key or secret phrase for a long time can make it vulnerable to cyberattacks. By following these simple practices, users can better protect their digital assets from potential threats.
