- A MetaMask developer revealed a hacker stole millions from unaware MetaMask users for five months.
- MetaMask responded to the allegations.
Recently, a massive wallet-draining exploit claiming millions of dollars put MetaMask in the spotlight. While it remains unclear how the hack occurred, a developer shared on Twitter that a sophisticated hacker has been siphoning funds since December 2022 from MetaMask users “who were reasonably secure.”
However, despite users’ funds disappearing, MetaMask has dismissed allegations that its wallet was ever exploited.
On Tuesday, April 18, Taylor “Tay” Monahan, CEO and Co-founder of MyCrypto, revealed on Twitter an ongoing unidentified wallet-draining hack that stole over 5,000 ETH or approximately $10 million from long-time MetaMask users who had reasonable security measures put in place.
The developer alleged the hacker got a hold of data caches from users’ devices, from data leaks, which enabled them to extract funds. Monahan added that the hacker would swap victims’ tokens by exploiting MetaMask swaps.
Following the heightened concerns regarding MetaMask’s security, Monahan clarified that the exploit was not specific to MetaMask. Users of “all” wallets, including hardware wallets like Ledger Live, were affected.
In a series of tweets, MetaMask later acknowledged the exploit’s existence. However, the wallet provider refuted all claims of hackers compromising its platform, rebutting they stole from various addresses across eleven blockchains. The wallet provider shared that its security team is working with auditors and security teams across the Web3 wallet space to identify the source of the exploit to protect its users.
While MetaMask and other wallet providers investigate the exploit, it still wouldn’t hurt to set up necessary security measures and double-check everything.
What Should You Do?
According to Monahan, the hack targeted “crypto natives,” wallets that users created between 2014 and 2022, MetaMask employees, and long-time MetaMask users. The hacker used a sophisticated operation that helped them methodically extract millions of dollars without raising the alarms until now.
If you’re affected by this hack, you should migrate your assets to another wallet as soon as possible until the concerned authorities investigate the matter. Here are a few additional tips to protect you in the long run:
- One common factor among the victims was the number of crypto assets they stored in their accounts. Therefore, store large amounts of tokens on hardware or cold wallets.
- Protect your Secret Recovery Phrase offline as advised by MetaMask.
- Always do your own research.
- Double-check links, websites, and emails. Refrain from clicking any link unless it’s from a verified source.
- Ask for help from officials, and prioritize your safety and security.
- Verify and scan all addresses, such as contract, sender, and others, before doing anything permanent.
On the Flipside
- MetaMask developers Consensys announced on April 14 that its wallet suffered a data breach, affecting users between August 2021 and February 2023.
- In February, MetaMask users received unsolicited emails prompting them to enter their secret recovery phrase.
Why You Should Care
MetaMask is one of the leading wallet providers in the space, with over 21 million monthly active users. Hacks like these can be concerning, considering the exploit successfully stole millions from unaware users for a long time. Given the rising number of hacks, you must perform your due diligence and set up the best measures to protect yourself.
Read how you can earn points using NFTs on Starbucks’ Web3 app:
How Starbucks Customers Can Earn Points in New NFT Loyalty Program
Read how MetaMask united with Unity and Solana to level up Web3 Games:
Unity, Solana, MetaMask, and More Unite for Next-Gen Web3 Games