$140 000 USD

JULY 2021




"Incredible (and sad) story of a Metamask user losing his coins after connecting MM to a scam site." "There was a post [on Reddit] where someone had over 100k stolen/hacked and a white hat hacker guy helped him recover a significant sum."


"I was tired from staying up all night to watch the Euro 2020 final really really not alert. Other than what was on MM, the rest were staked on a combination of sushiswap, uniswap, lido, yearn, Alchemix and curve. It has been previously on exchanges and on a ledger but my ledger wasn’t connecting with some of the exchanges and letting me authorise them so I switched to MM and for a while."


"I knew it was risky leaving so much on a hot wallet but I have used MM for a long time and found Ledger to be challenging with some Defi." "I have a few different accounts but started using MetaMask heavily in recent months. Basically because Argent was heavy in gas prices and my ledger didn’t always connect to some of the DEFI sites I switched to MM. Thanks to a run up in crypto market valuations, and some small trades and staking, the $20k I was playing with 6 months ago in the hot wallet had become around $250-260k yesterday."


"My first mistake was leaving such a large amount on MM. In fact I had been actively considering moving some of it but with hindsight waited too long. At times gas prices on ETH have been insane and it was my pure bad luck that yesterday was one of the cheapest days around where tx were a few dollars rather than $20-70 which I’d seen in previous weeks. Trying to save a few hundred bucks turned out to be a very bad decision."


"Normally I am hyper sensitive to security and very very wary of online support from strangers. However, due to a rare combination of sleep deprivation from staying up late to watch the Euro 2020 final, and not paying attention when I should have I made the fatal error of falling for what is now obviously an elaborate con."


"I decided that yesterday I would finally get around to messaging the help desk at the discord chat for SNX and ask if they could help me with some SNX I had deposited there on the L2 wallet. The problem was, that I was able to see the amount of SNX on their Optimism mainnet which showed SNX token only but not my ETH, whilst the Ethereum mainnet showed my ETH and other alts but not the SNX tokens."


"I went to the sub and asked for help in the chat. Got no response and tried a bit later. That time I got 3 people replying in private chats each claiming to be from SNX. Whilst the SNX sub warns against this, I was tired and assumed that maybe it was like some of the other subs where people can advise you if the mods are busy."


"To my misfortune I replied to the scammer explaining the problem. He basically told me my MM wallet wasn’t syncing back to the network and I should validate it. That sounded plausible given I couldn’t see my total balances and also in recent weeks I’ve faced a glitch at times where the wallet balance comes up as zero for up to a minute when I first open it so thought maybe he’s right."


"I’m so used to clicking approve on Defi sites to connect to wallets that my guard was down and this looked genuine enough." "To help, he sent a link to quite a detailed looking site which looked real enough and unfortunately, thanks to weeks of linking random DEFI sites to my MM wallet I had become unfortunately desensitised to connecting to random pages and accepting connections to my wallet."


"I was sent a link to a site which was going to validate my MM extension. The site looked real enough that I clicked on it and entered my security phrase." "When I tried the link on the fake site, it wasn’t working apparently so [s]cammer suggested I try again. This time, I figured maybe I should try the option to connect to my wallet by entering my private pass phrase."


"That was where I suddenly blew up 6 years worth of HODLing in one go." "This was totally my mistake and not due to SNX, who to be fair, warn you not to do what I did. But I was tired, had sent a message to their tech support sub and instead of reading the warning, ignored it like a noob so yeah - I own this and it’s my fault."


"A few min[ute]s pass as the scammer is still engaged on the discord chat explaining it will take some time. He then ca[su]ally asks me if I have a ledger and want to sync that too. At that instant, I suddenly realise what I’ve done and get a cold sweat. Why should he ask that unless..."


"Some bastard who tricked me into clicking on a dodgy link (pretending to be tech support for SNX on discord) has taken half my wallet so far (about $130k). The rest is still there but disappearing slowly in front of my eyes." "By the time I realised what was happening it was too late. I logged into MM from a MacBook as my original wallet was on pc, but it made no difference. They initially took 8 ETH, some sushi and old GNT I forgot to convert." "I check my MM wallet on zapper.fi and see that the wallet balance has suddenly dropped. I’m now missing $20k and a quick check shows my 8 ETH, some sushi and some Golem which I had are gone."


"I start to get super angry that I’ve lost 8 coins. After a few mins I calm down and suddenly realise that the only reason I haven’t lost more is there is now zero ETH on my account so no way to do more transactions." "It’s likely that he must have set up a copy of my wallet on his pc and started emptying it out. At this stage I’m becoming less angry about what’s gone and becoming deeply worried about the rest." "With no gas fees the raid stopped."


"So I thought I would be quick and add a little gas and try and take some out. That didn’t work - no matter what I bid in gas fees it was either immediately outbid (lost my aave and STETH) or accepted and went to another wallet which I didn’t recognise (lost my ALCX there). Later the [scammer] started liquidating my assets and put gas in to do this. I managed - and this was through the most frantic clicking and accepting any fucking gas bid at the highest price to transfer out the ETH to a separate wallet. I managed to get some out which slowed the attacks as there was no ETH to pay for the gas. This would happen every hour and I managed to get about 0.05 ETH LOL."


"To those of you who think this is fake, I hope it never happens to you. I had to take a day off work to watch this slow motion disaster - I am sitting with a sick feeling, with pounding chest and periodically start tearing up which I can only assume is a slow motion panic attack. I have told my wife who is understandably shocked. When it all goes, I get to tell the rest of family that I got [destroyed] through ONE SINGLE LAPSE OF JUDGEMENT."


"To those of you telling me I’m dumb /stupid / foolish for so much holding on MM, thanks for the comments but after the first 100 I stopped reading them as they get dull quickly. It was a mistake to leave so much on MM and with hindsight, the fact that my ledger wasn’t letting me connect to some Defi sites was an obvious flag rather than an obstacle."


"He could only watch his coins being swept until he got helped by @amanusk_ preventing half of the coins from being stolen!" "It will happen more & more. Stay safe."


"[T]here are some kind and smart people out there who might be able to help." "This is his twitter handle @amanusk_." "A rather regular afternoon was interrupted by a message in the flashbots discord. [amanusk_] sometimes check[s] out messages there and see if someone needs help recovering funds. This time the message seemed quite urgent. The victim was losing tens of thousands of dollars by the minute. What followed was an 8-hour hackathon to try and save as much of it as possible."


"Why didn’t they empty the entire wallet on the first block? Fortunately for happyguy, not all funds in his account were just ERC20 tokens and ETH. Some tokens were less well known (e.g. LP tokens) and some were locked up or staked in various protocols. These are the funds that might still be saved."


"There are still some ERC-20 tokens in the wallet. All the Eth is gone so there's nothing to pay gas fees with so those tokens can't move. Apparently the hacker just used a script and isn't manually emptying the wallet because they'd have removed those other tokens first before draining the Eth. Or they'd just deposit back enough Eth to pay the gas fees to move the rest of the tokens. But OP can't deposit any Eth for gas so he can move them himself because as soon as he does the script transfers the tokens to a different wallet before he can. So he somehow needs to stop that script from doing that so he can rescue the tokens that are still there."


"Once the account is verified — the tricky part starts. Having access to the account requires the private key. The number one rule (and the reason that this happens at all) is to never give anyone your private key or secret seed phrase. There is no easy way around this. The scammers have access to the account and can run rampant and do whatever they want. Getting the same level of access might be necessary, especially if time is of the essence, as was the case here. This time it was necessary for happyguy to share the private key (again), to have any chance of fighting back."


"Once the private key is received, the first order of business is to stop the bleeding. This is done by running a “burner” script on the account, which does its best to remove all incoming ETH to the account." "The burner works in a simple way. If ETH is detected in the account, try to spend as much as possible as a fee to the miner, and send the leftovers to some unrelated address. After the scammers’ deposit, all funds are paid to the miner, and the remainder is sent to the burn4Ever address (everyone will all be richer soon ;) ). The burn Tx in this case paid 3000 Gwei to the miner, way above the average gas price at the time. What makes the burner effective, is the fact that it uses the entire ETH balance of the account to pay a fee to the miner."


"The most basic Ethereum transaction is sending ETH, costing 21000 units of gas. More complicated transactions (such as a token transfer) require more gas, and thus, for a given amount of ETH in the account, an Ethereum transfer would pay the most per unit of gas, making it more preferable to the miner."


"But what if the scammers run a script and broadcast their transaction super fast? Here’s where another important feature comes in. An Ethereum transaction can be replaced after the broadcast, as long as they have the same nonce, and pay at least 10% more for gas than the transaction they are replacing."


"Since any valuable transaction of the scammers would likely require more than 21000 gas, it can be outbid by paying ALL the balance to the miners and sending the most basic transaction possible. As long as a burn transaction is sent, it is most likely to override and replace any transaction initiated by the scammer."


"Once the bleeding was stopped, it was time to try and extract what was still salvageable from the account. It is important to note here that whoever has the private key, has the same level of access to the account." "Flashbots is a service that enables sending transactions directly to miners (via a relay). Importantly, it allows the creation of bundles of several transactions that can be executed atomically (sort of). Normally, a transaction is the atomic unit on the Ethereum blockchain. A transaction can either succeed or revert. A reverted transaction does not change the state (but does pay for gas)." "A bundle, however, can ensure a miner that they will be paid (generously) if and only if they execute a series of transactions exactly in the order you requested." "In step 3, a contract call can be put in place, which checks a condition. If the condition is met, the miner gets paid. The appropriate condition, in this case, could be: “make sure the safe address has exactly X amount of tokens at the end of the bundle”."


"You can send a Flashbots bundle with two transactions - one contains a miner tip t[r]ansaction and a second contains your token transfer transaction. Flashbots bundles are sent directly to miners rather than entering the mempool so the attacker won't be able to front run your tx. The two txs will be executed atomically in the same block. I won't be able to help do this directly since it is pretty full on if you haven't done it before. You may be able to get help from somebody on the Flashbots discord."


"So since this afternoon, I was recommended the flashbots service on discord by some of you. With some (read massive) trepidation about using discord again, I posted my details and one of their whitehat guys Alex got in touch."


"I won’t give all the details for now as he’s still on the case but he already rescued just over 40 steth that was staked on curve as a ETH/STETH LP pool. I’m overjoyed as that’s $85k that I had written off now back (and in a ledger before any of you ask)."


"I’m hopeful as to what happens to the remaining $35k but it already feels like a [real challenge] to the thief."


"I got in touch with flashbots and Alex from there got in touch. I gave him full info and access to my account (after he checked to verify it was mine) and then he set up a burner so any ETH coming in would be immediately burned leaving no gas for transfers. This closed the gate on the thief for the short term. I didn’t want to alert him as to what was happening so there was minimal mentions of this on my post."


"Alex then managed to start moving the rest to a hard wallet and basically recovered all of it minus some dust and dai staked on alchemix which I can’t get back so it’s all there which was around 117k. I don’t know how he did it - if you really want to know go to discord and ask him - but I am glad I did."


"Alex has been awesome. After he verified that the account was actually mine he stepped in to stop the bleed (and I appreciated the fact that both the groups on discord and even this sub want to fact-check this to make sure it’s not a scam or a lie to flame someone). He set up a burner to remove incoming ETH which meant the thief couldn’t take more as there was no gas on the account. He then started to work on moving out the remaining coins to a safe wallet. At the time of writing he’s retrieved 117k from the 120k that was left (using this morning's prices). There’s a bit left which will hopefully come over but given how much was taken this am, that’s a rounding error on what I lost. For those of you who need his details DM or wait as I’ll edit one last time and add his Twitter account when this is all over and I’m calm. He has been amazing and whilst they ask for a modest fee it’s well worth it."


"Thanks to those of you who told me some of my stolen money may have gone to kraken, I’m messaging them so I hope they can freeze the money and if I’m lucky even help ID the counterpart (not holding my breath though as I don’t know if it’s real and whether they will help or not)." "Thanks to Kraken for reaching out and apologies to SNX if it looked like I was blaming them for my mistake. Hopefully Kraken can help but I’m also going to message a lot of the other exchanges too - anything I can do to make the money hard to get for the thief will make me happy and maybe it might even get him caught (but really not holding my breath on that)."


"With respect to the site I clicked on, DM if you really want to know but I left it off here in case someone else clicks on it and makes the same mistake I did. I’ve got in touch with the domain hosts to ask for their help in identifying the thief." "Obviously it's not the best day in the world but feels a hell of a lot better than it did a few hours ago."


"A strange set of events in which I was super tired, not nearly alert enough and my warning radar was off meant I went for the most basic and simple phishing scam. To those of you on your high horses laughing about how this can never happen to you - good luck and I hope you carry on living perfect lives in which you never make a mistake."


"Hi there, Dave from MetaMask here. First I want to say I'm truly sorry this happened to you. It is extremely unfortunate. Please open a support case with us by going directly to our website, then click support, and submit a request (or in app click the hamburger icon, then get help). Our support team has steps you can take immediately to try to recover some/all of the stolen funds. Really sorry again this happened to you."


"Hi Dave, thank you very much. I did raise a ticket this morning and have every confidence your team will help. The mistake I made had nothing to do with MM and only my own carelessness, so I appreciate your help and support!"


"I didn’t post for moons or karma. I posted as a warning and for help and I’m glad I did. I would never have found flashbots without it and now my support requests to both MetaMask and Kraken (where some of the coins have been moved to) have been picked up by their Reddit mods and escalated there, so I’m more hopeful than I was."


"I really wish I had been more careful but that’s done. I don’t blame anyone other than myself and the bastard who stole my coins but wish MM had 2FA which would have killed this or a way to hard freeze your account instantly which again would stop the bleed and work out a recovery."


"Are you still happy guy? Less than yesterday but much more than 9 hours ago." "It’s been a long and highly surreal day which I’m not going to forget in a hurry. I guess the one good thing is that it took my mind off the England loss last night."

The Reddit user 007happyguy was, for a while, not such a happy guy after he tried to get help with SNX tokens held in a MetaMask wallet alongside many other ERC-20 tokens and DeFi positions. The underlying problem was only a display issue: MetaMask showed his SNX on the Optimism network and his ETH and other tokens on Ethereum mainnet, but never both at once.


The "SNX support" individual who messaged him privately on Discord after his public request offered a plausible-sounding explanation: his wallet had stopped syncing with the network and needed to be "validated" on a website the scammer linked. Connecting the wallet on that site appeared to fail, so he tried its other option, which asked for his seed phrase. That was the tell. A legitimate dApp connection is a MetaMask prompt that shares an address and asks for signatures; it never needs the seed phrase, and there is no such thing as syncing or validating a wallet by typing the phrase into a web page.


The whole thing was a con, and a sweeper script started draining the account at once: 8 ETH, SUSHI and some old GNT went in the first transactions. Fortunately the script was not very clever. It took the ETH along with the easy-to-move tokens and had no handling for LP tokens or positions staked in Curve, Lido, Alchemix and the other protocols. Every transaction from the account needs ETH to pay for gas, so once the ETH balance hit zero neither side could move what remained; the scammer could have topped the account up with gas himself, but apparently never did.


007happyguy tried topping the account up with a little ETH and moving the remaining tokens out himself, but the scammer's script was watching both the account and the public mempool. As soon as gas arrived, or his transfer appeared as a pending transaction, the script broadcast its own transaction signed with the same key at a higher gas price, and the miner took the scammer's version: either a same-nonce replacement of his transfer with the destination changed to the scammer's wallet, or a sweep that spent the gas first. He lost AAVE, stETH and ALCX to this race and managed to get only about 0.05 ETH out.
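The fee arithmetic behind that race, and behind the "burner" counter-move the Flashbots write-up quoted above describes, is worth making concrete. The following is an added example written for this page, not code from the write-up or from the victim. It builds the two transactions a miner would have to choose between when both come from the same leaked key with the same nonce: the scammer's ERC-20 sweep and a burn that is a plain 21000-gas ETH transfer whose gas price is set so the whole balance goes to the miner. It assumes the legacy gasPrice model (this incident predates EIP-1559 by a few weeks), that an ERC-20 transfer costs about 65000 gas, and that a pending same-nonce transaction is replaced only by one paying at least 10% more, which is geth's default mempool policy rather than a consensus rule. The sink and token addresses are placeholders.

```python
"""Fee economics behind the "burner" tactic (legacy gasPrice model).

Added example, not code from the quoted write-up. Values are wei as ints.
Assumptions: pre-EIP-1559 pricing; ERC-20 transfer ~65000 gas; geth's
default 10% price bump for same-nonce replacement.
"""

ETH_TRANSFER_GAS = 21_000   # intrinsic gas of a plain value transfer: nothing is cheaper
REPLACE_BUMP_PCT = 10       # geth default: replacement must pay >= 110% of the pending price
HYPOTHETICAL_SINK = "0x000000000000000000000000000000000000dEaD"   # placeholder burn address
HYPOTHETICAL_TOKEN = "0xTokenContractPlaceholder"                   # placeholder ERC-20


def max_gas_price(balance_wei: int, gas_limit: int, value_wei: int = 0) -> int:
    """Highest gasPrice the account can fund for a tx of gas_limit (rounded down)."""
    spendable = balance_wei - value_wei
    if spendable < 0:
        raise ValueError("value exceeds balance")
    return spendable // gas_limit


def burn_tx(balance_wei: int, nonce: int, sink: str = HYPOTHETICAL_SINK) -> dict:
    """Plain transfer that pays the whole balance to the miner as the fee.

    gasPrice * 21000 cannot exceed the balance, so the integer-division
    remainder (at most 20999 wei) goes to `sink` as the tx value and the
    account is left at exactly 0 wei: no gas is left for the scammer.
    """
    gas_price = max_gas_price(balance_wei, ETH_TRANSFER_GAS)
    leftover = balance_wei - gas_price * ETH_TRANSFER_GAS
    return {"nonce": nonce, "to": sink, "value": leftover,
            "gas": ETH_TRANSFER_GAS, "gasPrice": gas_price}


def sweep_tx(balance_wei: int, nonce: int, token: str = HYPOTHETICAL_TOKEN,
             gas_limit: int = 65_000) -> dict:
    """The scammer's ERC-20 transfer(to, amount) call. It needs more gas than a
    plain ETH send, so the same balance can only fund a lower gasPrice per unit."""
    return {"nonce": nonce, "to": token, "value": 0, "gas": gas_limit,
            "gasPrice": max_gas_price(balance_wei, gas_limit)}


def can_replace(pending: dict, candidate: dict) -> bool:
    """Mempool replace-by-fee rule: same nonce and gasPrice >= 110% of the pending tx."""
    if pending["nonce"] != candidate["nonce"]:
        return False
    return candidate["gasPrice"] * 100 >= pending["gasPrice"] * (100 + REPLACE_BUMP_PCT)


def miner_fee(tx: dict) -> int:
    """Fee the miner collects if the tx uses its full gas limit."""
    return tx["gas"] * tx["gasPrice"]


def compare(balance_wei: int, nonce: int = 7) -> dict:
    """Build both candidates for one ETH deposit and report who wins the slot."""
    burn = burn_tx(balance_wei, nonce)
    sweep = sweep_tx(balance_wei, nonce)
    return {
        "burn": burn,
        "sweep": sweep,
        # Miners rank by gasPrice; the burn funds a higher price from the same balance.
        "burn_outbids_sweep": burn["gasPrice"] > sweep["gasPrice"],
        # The burn can replace a pending sweep, but a sweep cannot replace a pending burn.
        "burn_replaces_sweep": can_replace(sweep, burn),
        "sweep_replaces_burn": can_replace(burn, sweep),
        "account_left_wei": balance_wei - miner_fee(burn) - burn["value"],
    }


if __name__ == "__main__":
    r = compare(10**17)   # 0.1 ETH lands in the compromised account
    print(f"burn gasPrice  {r['burn']['gasPrice'] / 1e9:,.0f} gwei, leftover {r['burn']['value']} wei")
    print(f"sweep gasPrice {r['sweep']['gasPrice'] / 1e9:,.0f} gwei")
    print("burn replaces sweep:", r["burn_replaces_sweep"], "| sweep replaces burn:", r["sweep_replaces_burn"])
```

For a 0.1 ETH deposit the burn can bid about 4762 gwei against the sweep's 1538 gwei, which is why the write-up's real burn at 3000 gwei was far above the market rate yet still only a fraction of what a plain transfer can pay. The burn only helps while it actually lands: a scammer who funds a larger balance and a higher price in a single block can still win the race, which is why it was paired with the private bundle route for the actual extraction. After EIP-1559 the same comparison applies to the priority fee, since the base fee is burned whichever transaction is included.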


He posted on Reddit, and commenters pointed him to the Flashbots Discord, where the white hat amanusk (Alex) took the case after verifying that the account was really his. Two techniques did the work. First, a "burner" script stopped the bleeding: whenever ETH appeared in the account it immediately sent a plain 21000-gas transfer that spent essentially the whole balance as the miner fee. For a given balance that transfer funds a higher gas price than any token transfer the scammer could send, so it wins the slot and the scammer can never accumulate gas in the account. Second, the remaining positions were extracted with Flashbots bundles: a set of transactions (fund gas, unstake or transfer the tokens to a safe address, pay the miner) sent directly to miners instead of the public mempool and executed in order within one block, with the miner's payment conditional on the safe address holding the expected tokens at the end. The scammer's bot never saw those transactions before they were mined, so there was nothing to front-run. About $117k of the roughly $120k that remained was recovered, minus some dust and DAI staked in Alchemix; around $130k had already been taken before the rescue started.
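To show why the bundle route works where the public-mempool race failed, here is an added toy block-builder model written for this page; it is not code from the original post, from amanusk's write-up or from the Flashbots project, and it signs nothing. The account names, balances and gas figures are constructed, and only the rules that matter are modelled: per-account nonces, a public block that includes mempool transactions in descending gasPrice order and that the scammer's bot can read before it is mined, and a bundle that is private, runs first in the block as one unit, and is kept only if every transaction in it succeeds and a closing check passes. Bundle transactions carry gasPrice 0 and tip the miner with an explicit transfer, which Flashbots bundles allow.

```python
"""Toy block-builder model: public mempool race versus a Flashbots bundle.

Added example; not code from the original post, the quoted write-up or
Flashbots. Accounts, balances and gas numbers are constructed. ETH is in
wei; the single ERC-20/LP token is in raw units.
"""
import copy
from dataclasses import dataclass
from typing import Callable

VICTIM, SAFE, SCAMMER, FUNDER, MINER = "victim", "safe", "scammer", "funder", "miner"
ETH_GAS, TOKEN_GAS = 21_000, 65_000
GAS_MONEY = 10**16  # 0.01 ETH deposited to pay for the rescue transfer


@dataclass
class State:
    eth: dict
    token: dict
    nonce: dict


@dataclass
class Tx:
    sender: str
    nonce: int
    gas: int
    gas_price: int
    effect: Callable[[State, "Tx"], None]  # raises ValueError to revert


def pay_eth(to: str, amount: int):
    def effect(st: State, tx: Tx) -> None:
        if st.eth.get(tx.sender, 0) < amount:
            raise ValueError("insufficient ETH")
        st.eth[tx.sender] -= amount
        st.eth[to] = st.eth.get(to, 0) + amount
    return effect


def pay_token(to: str, amount: int):
    def effect(st: State, tx: Tx) -> None:
        if st.token.get(tx.sender, 0) < amount:
            raise ValueError("insufficient tokens")
        st.token[tx.sender] -= amount
        st.token[to] = st.token.get(to, 0) + amount
    return effect


def execute(st: State, tx: Tx) -> str:
    """Apply one tx in place. 'invalid': wrong nonce or cannot pay gas, excluded
    from the block. 'reverted': gas paid and nonce used but effect undone. 'ok'."""
    fee = tx.gas * tx.gas_price
    if st.nonce.get(tx.sender, 0) != tx.nonce or st.eth.get(tx.sender, 0) < fee:
        return "invalid"
    st.eth[tx.sender] -= fee
    st.eth[MINER] = st.eth.get(MINER, 0) + fee
    st.nonce[tx.sender] = tx.nonce + 1
    snapshot = copy.deepcopy(st)
    try:
        tx.effect(st, tx)
    except ValueError:
        st.eth, st.token, st.nonce = snapshot.eth, snapshot.token, snapshot.nonce
        return "reverted"
    return "ok"


def mine_public(st: State, mempool: list) -> State:
    """Public block: highest gasPrice first, every pending tx visible to everyone."""
    st = copy.deepcopy(st)
    for tx in sorted(mempool, key=lambda t: t.gas_price, reverse=True):
        execute(st, tx)
    return st


def mine_with_bundle(st: State, bundle: list, check: Callable[[State], bool], mempool: list) -> State:
    """Bundle at the top of the block, all-or-nothing; then the public mempool."""
    trial = copy.deepcopy(st)
    if all(execute(trial, tx) == "ok" for tx in bundle) and check(trial):
        st = trial  # every step succeeded and the condition holds: keep it
    return mine_public(st, mempool)  # otherwise the bundle simply never happened


def initial_state() -> State:
    # Constructed: the ETH is already gone, 40 LP tokens remain, the attacker has gas money.
    return State(eth={VICTIM: 0, FUNDER: 10**18, SCAMMER: 5 * 10**17},
                 token={VICTIM: 40}, nonce={})


def public_race() -> State:
    """Block N: a friend tops the account up. Block N+1: the victim's transfer to
    SAFE and the scammer's sweep (same key, same nonce, double the gasPrice) race."""
    gp = 50 * 10**9
    st = mine_public(initial_state(), [Tx(FUNDER, 0, ETH_GAS, gp, pay_eth(VICTIM, GAS_MONEY))])
    rescue = Tx(VICTIM, 0, TOKEN_GAS, gp, pay_token(SAFE, 40))
    sweep = Tx(VICTIM, 0, TOKEN_GAS, 2 * gp, pay_token(SCAMMER, 40))
    return mine_public(st, [rescue, sweep])


def bundled_rescue(expected_at_safe: int = 40) -> State:
    """Fund gas, move the tokens and tip the miner in one private bundle. The
    scammer's sweep still sits in the mempool but is only considered afterwards."""
    bundle = [
        Tx(FUNDER, 0, ETH_GAS, 0, pay_eth(VICTIM, GAS_MONEY)),  # 1: gas money arrives
        Tx(VICTIM, 0, TOKEN_GAS, 0, pay_token(SAFE, 40)),       # 2: tokens leave the leaked key
        Tx(VICTIM, 1, ETH_GAS, 0, pay_eth(MINER, GAS_MONEY)),   # 3: tip the miner, account back to 0
    ]
    check = lambda s: s.token.get(SAFE, 0) == expected_at_safe  # "safe holds exactly X tokens"
    sweep = Tx(VICTIM, 0, TOKEN_GAS, 100 * 10**9, pay_token(SCAMMER, 40))
    return mine_with_bundle(initial_state(), bundle, check, [sweep])
```

`public_race()` ends with the 40 tokens at the scammer's address: the sweep pays more, is mined first, consumes the nonce, and the victim's own transfer becomes invalid. `bundled_rescue()` ends with the tokens at the safe address and the scammer's sweep invalid, because by the time the mempool is processed the account has no ETH and the nonce has moved on. Calling `bundled_rescue(41)` shows the other half of the guarantee: the check fails, the whole bundle is dropped, the miner earns nothing and the state is untouched. In the real rescue step 2 was unstaking from Curve and similar protocols, and the bundle was signed with the victim's leaked key plus a funding key the white hat controlled; the lasting fix is still to move everything to a key that was never exposed.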


Some of the stolen funds appear to have been sent to the Kraken exchange, which would mean the thief cashed out through an account subject to KYC. The victim contacted Kraken and MetaMask support, and both picked up his case. Nothing on this page says whether any of the stolen funds were frozen or recovered, or whether the scammer was identified; a deposit to a KYC exchange only helps if the account was opened in the scammer's own identity rather than a money mule's or a stolen one.


Never enter your seed phrase into a website, an app you did not install yourself, or a chat, and never give it to "support". The only legitimate use of the phrase is restoring the wallet inside wallet software; connecting to a dApp is a MetaMask prompt, and anything that asks for the phrase in order to "sync", "validate" or "connect" is theft. Treat unsolicited DMs that arrive after you ask for help in a project's Discord as scams; real teams do not message you first. Once the phrase is out, the key is gone for good: 2FA, password changes and revoking approvals cannot help, and the only remedy is moving everything to a fresh key faster than the attacker's script. Even when you genuinely need to restore from a phrase, try it first with a small wallet. Keep the large majority of funds in hardware-backed or offline wallets that you do not use for everyday DeFi interactions, and if the hardware wallet refuses to connect to a site, treat that as a warning rather than a reason to move the funds to a hot wallet.


