There have been a series of crypto hacks taking down OGs and crypto savvy users. Our resident security expert BowTied Iguana is here to shed light on the situation.
What is most concerning about these hacks is that they seem to be affecting security conscious users who have been in crypto the longest, including some of the earliest Ethereum wallets.
It’s safe to assume these crypto OGs have a better understanding of crypto security than average users, so how are they being cracked?
It’s an evolving situation where all the details are not available (yet). Let’s go over what we know, and what you can do to mitigate risk for your on-chain funds.
What We Know
Started in December 2022
Has stolen over 5,000 ETH ($10M!) plus other tokens and NFTs
Across 11 chains
Seems to target OGs and security conscious users
(credit to @tayvano_ for researching)
Victims are users of the main crypto wallets:
Metamask and Metamask mobile
*bolded wallets are used and trusted by the DeFi team
So far, nobody has uncovered a pattern / common factor to the hacks.
Victims have used all the main operating systems: Windows, Mac, Linux, Android, iOS.
Different key storage methods were employed, ranging from 12-word or 24-word seed phrases to raw private keys, encrypted private keystores, wallet.dat files, and genesis presale wallets. Some of the victims stored their keys in cloud storage or password managers, while others did not.
The patterns of theft varied as well. In some cases, multiple accounts under the same seed were drained, while in others, only one account was drained. There were instances where multiple accounts not in the same seed were drained, as well as cases where multiple accounts not in the same seed, but stored together or in the same wallets, were not drained.
And that’s all we know. We don’t know how they are doing it. Not great.
Let’s revisit the basics and dispel some common myths we’re seeing spouted.
First off, hardware wallet users have been affected. Hardware wallets are not bulletproof. People have been commenting on Twitter assuming that they’re safe because if they use a hardware wallet, any transaction requires “physical confirmation”.
There is no such thing as physical confirmation. Private keys (your seed phrase) can only be used in the digital/electronic world. If someone has obtained your keys, they can sign a transaction as you, and it does not matter where the keys were stored.
If you had malware on your computer, you could be tricked into signing a malicious transaction with your hardware wallet.
For example, a targeted email attachment could make your Metamask present a false transaction, which you may sign with your hardware wallet unknowingly.
To be truly secure, you need to understand how crypto transactions work at a fundamental level.
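As an added example (not part of the original post) of what that fundamental understanding looks like in practice: decoding the raw calldata of an EVM transaction so the recipient and amount shown on the hardware wallet can be checked against what the browser UI claims, and flagging the approvals that let a drainer empty a wallet after one signature. The selectors are the standard ERC-20/ERC-721 ones; the sample calldata is constructed for the example.

```python
# Added example, not from the original post: decode EVM calldata independently
# of the wallet UI. A selector is the first 4 bytes of keccak256(signature);
# the values below are the standard ERC-20 / ERC-721 selectors.

UNLIMITED = 2**256 - 1

# selector -> (function name, static argument types, one 32-byte word each)
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}

def decode_calldata(calldata: str) -> dict:
    """Split calldata into selector and ABI-decoded static arguments."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) < 8 or (len(data) - 8) % 64:
        raise ValueError("malformed calldata")
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if len(words) != len(types):
        raise ValueError("argument count mismatch")
    args = []
    for typ, word in zip(types, words):
        if typ == "address":
            args.append("0x" + word[-40:])   # address is right-aligned in the word
        elif typ == "bool":
            args.append(int(word, 16) == 1)
        else:
            args.append(int(word, 16))
    return {"function": name, "selector": selector, "args": args}

def risk_flags(decoded: dict) -> list:
    """Patterns worth refusing on the hardware wallet screen."""
    flags = []
    fn, args = decoded["function"], decoded["args"]
    if fn is None:
        flags.append("unknown selector: do not blind-sign")
    elif fn == "approve" and args[1] == UNLIMITED:
        flags.append(f"unlimited approval to {args[0]}")
    elif fn == "setApprovalForAll" and args[1]:
        flags.append(f"operator {args[0]} can move every NFT in the collection")
    return flags

# Constructed sample: approve(0x1111..., uint256.max), the kind of call a
# malicious UI might present as something harmless.
SAMPLE = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
```

Comparing the decoded recipient and amount with what the wallet screen shows is the check the UI cannot forge.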
Let’s go over actionable advice and close out with a market update.