My MetaMask Chrome Extension Wallet was hacked the morning of December 5, 2021. The $400 worth of ETH is gone forever. Even though I can clearly see the address of the wallet that stole it. There’s nothing I can do to get it back.
I’m writing this blog post as a warning for anyone who thinks keeping more than a few hundred dollars in a “hot wallet” is a good idea.
I always keep a small amount of ETH in my MetaMask wallet to buy virtual goods and NFTs and game tokens, etc. I have been aware that the wallet was vulnerable to attack, but this hack is remarkable. We can’t figure out the attack vector. It may have been a vulnerability in a Chrome plugin, or perhaps the hackers guessed my password (not likely), or perhaps I visited a website and was not careful enough when I signed-in with my MetaMask wallet (also unlikely, but possible). Here’s a chronicle of the events. I’ll keep it updated.
10:00 am ET – Just received a notification that roughly $400 in ETH was sent from my shellypalmer.eth (0x5A2a0266…77AFb) to a wallet I’ve never heard of. The transaction is logged on CoinTracker (which is where I received the notification) and Etherscan.io but it is not visible in my MetaMask wallet. The hackers left a balance of 0.0009 ETH roughly $4. The transaction is not listed in the transaction history of my MetaMask wallet. So it is clearly not a transaction that was initiated from my end.
10:05 am ET – I contacted MetaMask support and received an email confirming receipt of the ticket that says it may take up to 7 days for anyone to look at it. Bye bye $400.
10:43 am ET – I tweet the following: So this lowlife 0x178b5ba… just hacked into my MetaMask wallet and stole $400 with this transaction 0xce7cb31ad4d6f… I have no idea how. Thoughts? @MetaMask @MetaMaskSupport
Immediately, fake twitter accounts @AmyAlle25546248 and @CarlzDarwish and @Juli4Trump suggest I contact the fictitious “MetaMask Instant Support” website. These are Google Forms that ask for transactional information – IMPORTANTLY: They also ask for the “seed phase” for my account. MetaMask would never, ever ask for a seed phrase and you should never, ever let anyone know a seed phrase or your private key for a wallet. These accounts are scammers trying to suck whatever additional blood can be sucked. The level of evil is unsurprising.
11:45 am ET – Visited Reclaim Crypto (a service of Coinfirm) and filled in a form detailing the hack. It won’t help me get my money back, but they will list the hacker’s wallet in the database which may make it harder for the hacker to use my money. As far as I can tell, the hacker has over $200,000 in the wallet they used to steal my ETH, so there are assets there to grab. At least for now.
12:07 pm ET – I checked my MetaMask wallet on Token Allowance Checker to ensure that I did not give any “blanket” approvals to a Metaverse site or some other dapps that might use it to gain access. Nope. That’s not how the hackers got in.
02:09 pm ET – Just reported and blocked the Twitter accounts: @zwappzy25 @AmyAlle25546248 @CarlzDarwish @Juli4Trump as they are all hackers who sent links to a fake “MetaMask instant support” Google form. And, of course, @metamask2012 just posted that I should dm them with my issue. That’s not MetaMask support, BTW. It’s another hacker. Now I’m looking at my $400 loss as a ticket to an awesome Greek Tragedy.
I don’t expect to hear from anyone at MetaMask, ever. I’ve put this blog post out on all of my social media channels — it won’t help me, but hopefully it will help someone avoid (or at least understand) the nature and potential dangers of leaving funds in “hot wallets.”
The Key Take-Away
These funds are gone. The amount is too small for law enforcement to take seriously. There is no one to go see. No time/risk/reward calculation that allows for spending time trying to get the funds back. The money is gone.
The good news is that I follow my own advice. I only had $400 in the wallet. That has always been my upper limit for any wallet connected to the internet (aka “hot wallet”). When I need to use crypto to make a large purchase, I move money from my hardware wallets into a hot wallet and use it for the transaction. When I receive any material amount of crypto, I immediately move it to cold storage (offline in a hardware wallet).
The internet is a dangerous place. Any one can (and will) be hacked. It’s an arms race and on any given day the bad guys are ahead of the good guys. You have to be on guard 24/7. The bad guys only have to be right once.
As for this hack? Here’s what MetaMask support has to say about it:
- Your computer has been compromised with (malware/spyware) and you stored your private information on your computer.
- You have visited a malicious phishing website that stole your information.
- You gave your private key or Seed Phrase / Secret Recovery Phrase to someone or a site.
- You gave a web3 site / smart contract unlimited access to your funds (check who you gave access to and revoke here: https://tac.dappstar.io/#/)
- You installed a fake MetaMask extension that stole your funds.
- Install MetaMask on another browser (or create another profile on your current browser of choice), or create a new account from a fresh download of the mobile app.
- When asked, create a new seed
- Write it down and store it someplace safe
- Go back to the compromised account and send funds to the newly created account
- Discontinue using the old account as soon as possible.
If you were hacked, this would most likely be due to a few possible reasons:
Try to analyze your browser history and scan your computer to eliminate any further breach of information. If you discover any suspicious phishing websites please notify us via the MetaMask Support Form so we can prevent this from happening to other users in the future. If you have any further information after your own investigation please let us know.
Unfortunately, transactions cannot be reversed, nor missing the funds restored.
A Seed Phrase / Secret Recovery Phrase cannot be edited or changed.
To be continued…
If you’ve got some ideas about how to get these funds back or if you have a story you’d like to share
If the form is not visible, click here.
Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it. I am not a financial advisor. Nothing contained herein should be considered financial advice. If you are considering any type of investment you should conduct your own research and, if necessary, seek the advice of a licensed financial advisor.