In a perplexing cybersecurity incident, a hacking operation has managed to steal more than $10 million worth of cryptocurrency from highly security-conscious users, leaving top security experts puzzled. Taylor Monahan, the previous CEO and founder of Ethereum wallet manager MyCrypto, revealed via Twitter that over 5,000 ETH had been pilfered since December, equating to a staggering $10.4 million at current market rates.
What has experts concerned is that the victims of this hack were not newcomers to the world of crypto but rather experienced users who had taken measures to prioritize security. Monahan, who moved to MetaMask after ConsenSys acquired MyCrypto last year, described the operation as a "massive wallet draining" event. The affected individuals were more crypto-savvy than average and had adopted "reasonably secure" practices to protect their funds.
The attack, Monahan explained, is far more sophisticated than ordinary phishing scams, and the exact method of how the funds were stolen remains unknown. MetaMask's security team informed Decrypt that an "unidentified exploit" had impacted a variety of crypto users, including those using MetaMask. The team suspects that the attack involved the compromise of private keys, which are essential for accessing funds in digital or physical wallets and authorizing transactions.
Current investigations into the breach suggest that the users' secret recovery phrases may have been compromised, likely due to unintentional insecure storage. Monahan also noted that the attack seemed to focus on wallets created between 2014 and 2022. She speculated that the hacker might have obtained a large amount of data from over a year ago and was systematically draining the wallets as they deciphered the information. However, she stressed that this was merely conjecture, and the actual source of the compromise remains undetermined.
Monahan advised against keeping all assets in a single key or secret phase for extended periods of time. MetaMask's security team also urged users to avoid storing their private keys online or on internet-enabled devices. They recommended creating a new wallet if users cannot recall whether they have been consistently diligent in securing their keys.