Summary:

An unknown hacker has drained cryptocurrencies through several on-chain wallet providers since December 2022, blockchain developer Taylor Monahan said on Twitter.

According to the MetaMask builder, the hacker drained over 5000 ETH in tokens and NFTs from addresses across 11 chains. The loot amounts to over $10 million in Ether at current prices. ETH traded above $2100 on Tuesday following the Shapella upgrade that rolled out on April 12.

For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭

I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.

Its rekt my friends & OGs who are reasonably secure.

No one knows how. pic.twitter.com/MafntG7RkP

MetaMask OGs And Crypto Users Rekt

According to Monahan’s Twitter thread, the wallets that suffered theft shared some commonalities. For starters, they all belong to crypto OGs and not ‘noobs’, a term used to refer to new crypto users. Also, all the drained wallets generated their private keys or seed phrases sometime between 2014 and 2022.

The stolen assets are swapped to ETH, sometimes using MetaMask‘s in-built swap function, before draining the wallet of the funds. Notably, this only happens when the target address holds a smaller value and a basket of tokens.

Afaik, no one has determined the source of their compromise.

Multiple devices have been forensic'd. Nothing.

The only known commonalities are:

– Keys were created btwn 2014-2022

– Folks are those who are more crypto native than most (e.g. multiple addresses, work in space, etc)

Monahan said that the hacker ultimately converts tokens to Bitcoin (BTC) before moving the funds to a centralized swapping platform like FixedFloat, SimpleSwap, SideShift, ChangeNOW, or LetsExchange. The unknown attacker also leverages digital asset tumblers like CryptoMixer.

High-Level Theft

Monahan theorized that the attacker holds a “fatty cache” of data that allows them to methodically steal assets. The MM developer stressed that the source of the compromise is unclear, even after several wallets across 11 chains were analyzed.

Monahan stressed that the exploit is not limited to only MetaMask users, noting that crypto users, in general, were affected. It remains to be seen how or if affected crypto users can recover their assets or guard against the ongoing “unidentified exploit”.

My best guess rn is that someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove.

But that's just a guess. I *don't* know.

It is NOT cryptographic/entropy related tho, don't waste your time.