MetaMask developer Taylor Monahan uncovered a large-scale wallet draining operation that has targeted crypto wallets across more than 11 blockchains.
In a tweet on April 18, Monahan alerted users to an unidentified exploit that drained over 5000 ETH, worth around $10 million, from long-term crypto users’ wallets across several blockchains.
For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭
I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.
It's rekt my friends & OGs who are reasonably secure.
No one knows how. pic.twitter.com/MafntG7RkP
— Tay 💖 (@tayvano_) April 18, 2023
“This is NOT a low-brow phishing site or a random scammer. It has NOT rekt a single noob. It ONLY rekts OGs,” said Monahan.
Despite a forensic analysis of a number of the targeted wallets, the source of the compromise could not be determined. The only common theme among the exploit’s victims was that their private keys were created between 2014 and 2022, and their on-chain activity suggests they were more “crypto native” than other users.
Posting tx in thread 🪡 pic.twitter.com/35Qdk0n5ii
— Nabeel.lens 🌿(🗑️🟢) (@Nabeel41967044) April 18, 2023
The attackers typically carried out their theft between 10 am and 4 pm UTC, following up with dust-collecting transactions a few hours after the initial wallet sweep. When targeting high-value wallets, Monahan noted, the attackers would swap tokens for ETH inside the victim’s wallet itself before transferring the ETH out.
The “out” transactions were carried out through centralized swapping services like FixedFloat and SideShift. The attackers would then consolidate all tokens to Bitcoin addresses before sending them to coin mixers like Wasabi and Coinomize.
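The timing and dust-collection pattern described above can be turned into a simple on-chain detection heuristic. The following Python is an added example, not Monahan's or MetaMask's code; the transaction records, addresses, the 90% sweep threshold and the 1 to 12 hour follow-up window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Tx:
    sender: str
    recipient: str
    value_eth: float
    balance_before: float   # sender's balance just before this tx
    ts: datetime            # timezone-aware timestamp

SWEEP_FRACTION = 0.9            # assumed: outflow >= 90% of balance is a sweep
WINDOW = (10, 16)               # 10:00-16:00 UTC, the hours reported in the article
DUST_DELAY = (timedelta(hours=1), timedelta(hours=12))  # assumed follow-up delay

def in_window(ts: datetime) -> bool:
    hour = ts.astimezone(timezone.utc).hour
    return WINDOW[0] <= hour < WINDOW[1]

def find_sweeps(txs):
    """Return (sweep, [dust follow-ups]) for every sender whose near-total
    outflow inside the window is later followed by a small transfer to the
    same recipient, i.e. the sweep-then-dust-collection pattern."""
    by_sender = {}
    for tx in sorted(txs, key=lambda t: t.ts):
        by_sender.setdefault(tx.sender, []).append(tx)
    hits = []
    for seq in by_sender.values():
        for i, tx in enumerate(seq):
            if tx.balance_before <= 0 or not in_window(tx.ts):
                continue
            if tx.value_eth < SWEEP_FRACTION * tx.balance_before:
                continue
            dust = [d for d in seq[i + 1:]
                    if d.recipient == tx.recipient
                    and DUST_DELAY[0] <= d.ts - tx.ts <= DUST_DELAY[1]]
            if dust:
                hits.append((tx, dust))
    return hits

# Constructed sample, not real on-chain data: one drained wallet, two benign ones.
UTC = timezone.utc
SAMPLE_TXS = [
    Tx("0xvictim", "0xdrainer", 120.0, 125.0, datetime(2023, 3, 2, 13, 5, tzinfo=UTC)),
    Tx("0xvictim", "0xdrainer", 0.4, 0.45, datetime(2023, 3, 2, 17, 40, tzinfo=UTC)),
    Tx("0xalice", "0xbob", 2.0, 50.0, datetime(2023, 3, 2, 13, 0, tzinfo=UTC)),
    Tx("0xcarol", "0xexchange", 30.0, 30.0, datetime(2023, 3, 2, 22, 15, tzinfo=UTC)),
]

if __name__ == "__main__":
    for sweep, dust in find_sweeps(SAMPLE_TXS):
        print(f"{sweep.sender}: swept {sweep.value_eth} ETH to {sweep.recipient} "
              f"at {sweep.ts:%H:%M} UTC, {len(dust)} dust follow-up(s)")
```

Only the victim wallet matches: the exchange deposit falls outside the window and the small transfer is well below the sweep threshold.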
“To be completely clear: this is NOT a MM[MetaMask]-specific exploit. Users of *all* wallets, even those created on a hardware wallet or generated for the Ethereum presale, have been impacted by this. The source of this exploit is unidentified, and I’m trying to identify it,” said Monahan.
While the source remains unidentified, the nature of the exploit suggests that these users had their seed phrases compromised in some way.
On Tuesday, a Kaspersky blog identified serious vulnerabilities in Apple’s operating system where attackers could gain root privileges, potentially compromising the security of crypto assets.