crypto.news
Crypto wallet provider MetaMask has pushed back against accusations that an exploit in its wallet led to a massive wallet-draining operation that siphoned off more than 5,000 ether.
The denial comes in response to a series of tweets by Taylor Monahan, founder of Ethereum (ETH) wallet manager MyCrypto, who claimed that an unidentified wallet-draining exploit had resulted in the loss of more than $10.5 million in cryptocurrencies and non-fungible tokens (NFTs) since December 2022.
Recent reporting on @tayvano_’s thread has incorrectly claimed that a massive wallet draining operation is a result of a MetaMask exploit.
— MetaMask 🦊💙 (@MetaMask) April 18, 2023
This is incorrect. This is not a MetaMask-specific exploit. https://t.co/MiJ3QgslMy
In a statement released on April 18, MetaMask clarified that recent reports linking the loss of funds to a MetaMask exploit were incorrect. The company emphasized that the funds were stolen “from various addresses across 11 blockchains” and that the claim that the funds were hacked from MetaMask was false.
MetaMask’s security team is currently investigating the source of the exploit and is working with others across the Web3 wallet space, the company confirmed in a series of tweets.
Details of the hacker’s modus operandi
Monahan had initially claimed that the exploit was specifically targeting long-time MetaMask users and employees. However, she later stated that the exploit was not MetaMask-specific and that users of all wallets, including those created on a hardware wallet, had been impacted by the exploit.
According to Monahan, the hacker would commit a secondary heist in the hours following their original heist to obtain assets and dust that they had missed the first time. Large-scale thefts are carried out by converting assets into ETH within the victims’ wallets and then into Bitcoin via a controlled swapper. After a week, the crypto gets washed through a rugged crypto mixer to make it traceable.
9. Dust remaining in original drained address and/or from other keys under the same seed have been stolen 80+ days after first address was drained.
— Tay 💖 (@tayvano_) April 18, 2023
Known large dust collections from already drained accounts occured on:
Feb 15
Feb 17
Feb 22
Mar 23
Mar 26
Apr 6
Monahan further warned that the vulnerability was not a conventional phishing effort or the work of random crooks. Instead, it specifically targets individuals with expertise in protecting their digital assets. As a result, she encouraged anyone with investments linked to a single private key to transfer their money, divide up their assets, or get a hardware wallet.