​MetaMask users lose more than $10 million due to an unknown exploit

What’s new? Metamask crypto wallet developer Taylor Monahan discovered an unknown exploit that allowed the hacker to withdraw at least 5000 ETH (about $10,37 million at the exchange rate on April 19) and an unknown number of other coins and non-fungible tokens (NFTs) from 11 different networks since December 2022. In a series of posts on Twitter, she said that the attack was not related to a low-brow phishing site and was systemic in nature.

For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.Its rekt my friends & OGs who are reasonably secure.No one knows how. pic.twitter.com/MafntG7RkP — Tay 💖 (@tayvano_) April 18, 2023

What else is known? The hacker attacks exclusively experienced crypto users, with the MetaMask team still not understanding exactly how he does it and what specific bug he uses.

The only commonalities that the victims have in common include the fact that the private keys were created between 2014 and 2022 and that the users were fairly experienced.

It is also known that a few hours after the first hack, the attacker usually returns to steal the remaining funds. The first theft in this case occurs between 10:00 and 16:00 UTC. He usually exchanges various tokens for ETH inside the wallet and then converts them into BTC to send to the crypto mixer.

Monahan advised not to keep all of one’s assets in a wallet with one secret phrase and to distribute funds to different addresses to avoid losses. Another security option would be to buy a hardware wallet.

Как надежно хранить криптовалюту. Выбираем лучшие криптокошельки 2023 года

Подробно разбираем все типы криптовалютных кошельков, а также выбираем лучшие хранилища для цифровых активов, исходя из потребностей каждого отдельного пользователя

Read further

Earlier, ConsenSys, the developer of MetaMask, reported data leaks from more than 7000 customers around the world. Thus, between August 1, 2021, and February 10, 2023, third parties were able to obtain the personal data of users who contacted the MetaMask support service.

In January, the developers of MetaMask warned about a new scam scheme in which attackers substitute the address of a transaction, counting on users’ inattention when making further operations.