MetaMask Redline PDF Spearphishing Email CryptoJordin: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
(Another 30 minutes complete. Working on the transcripts to summarize them properly in the article.)
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Case Under Construction}}{{Unattributed Sources}}
{{Case Under Construction}}[[File:Cryptojordin.jpg|thumb|CryptoJordin on YouTube]]


[[File:Cryptojordin.jpg|thumb|Crypto Jordin]]
YouTuber CryptoJordin was targeted by a spearphishing attack which claimed to be from a representative of Canyon Gaming, a company that specializes in gaming accessories. CryptoJordin was tricked into installing Redline malware via a malicious PDF file. By exploiting a vulnerability which caused the PDF to automatically install malware, the attacker was able to gain access to CryptoJordin's computer and ultimately drain his MetaMask cryptocurrency hot wallet.
== About Crypto Jordin ==
CryptoJordin is from the United States and runs a YouTube channel where he discusses different cryptocurrency projects and news<ref>[https://www.youtube.com/watch?v=0xwJpTzhSiI CryptoJordin - My Crypto Addiction - YouTube] (Nov 14, 2023)</ref><ref>[https://www.youtube.com/watch?v=dxeEb1MG0xY CryptoJordin - Dont be fooled… Kaspa CRASH is coming! - YouTube] (Nov 15, 2023)</ref>.


This is a global/international case not involving a specific country.
== About Canyon Gaming ==


== About MetaMask ==
Canyon, founded in the Netherlands in 2003, offers stylish yet affordable accessories and wearables<ref name=":5">[https://canyon.eu/about/ About - Canyon.eu] (Sep 13, 2023)</ref>. Canyon promotes individuality, eco-friendliness, and mindful consumption<ref name=":5">[https://canyon.eu/about/ About - Canyon.eu] (Sep 13, 2023)</ref>. Their products are designed for young urban individuals who appreciate smart consumption and seek innovation<ref name=":5">[https://canyon.eu/about/ About - Canyon.eu] (Sep 13, 2023)</ref>. Canyon encourages users to be themselves, emphasizing that they are cooler than the brands they use and can prioritize what matters to them<ref name=":5">[https://canyon.eu/about/ About - Canyon.eu] (Sep 13, 2023)</ref>.
"Today we investigate who stole crypto from my #MetaMask wallet. This is one of many scams. We will get to the bottom of this. This is far from over... stay tuned "


"hey what is up guys it's jordan welcome back to another uh investigation video to be honest i haven't got much sleep probably about four to five hours last night i've honestly just been stressed about this whole situation"
They provide a range of gadgets, including smartwatches for fitness and outdoor activities, USB hubs to extend PC and Mac functionality, and Bluetooth audio devices for high-quality sound and design<ref name=":5">[https://canyon.eu/about/ About - Canyon.eu] (Sep 13, 2023)</ref>. They offer charging stations for a clutter-free desktop, power banks for portable device charging, and Canyon Gaming accessories known for their quality, original design, and affordability<ref name=":5">[https://canyon.eu/about/ About - Canyon.eu] (Sep 13, 2023)</ref>.


"hi i represent canyon gaming and i'm responsible for launching an advertising campaign to promote new technologies developed by our company"
Canyon Gaming offers a range of high-quality PC accessories designed for gamers, including mice and keyboards<ref name=":6">[https://gaming.canyon.eu/about-canyon/ About Canyon Gaming] (Sep 13, 2023)</ref>, headsets that provide an immersive experience for long gaming sessions, gamepads compatible with popular consoles and PCs, and a selection of Sport Battle chairs to suit various budgets, equipped with essential gamer-friendly features<ref>[https://gaming.canyon.eu/ Canyon Gaming Homepage] (Sep 13, 2023)</ref>. These devices are known for their unique design, extended functionality, and affordability<ref name=":6">[https://gaming.canyon.eu/about-canyon/ About Canyon Gaming] (Sep 13, 2023)</ref>. They are constructed from top-notch materials and designed for ergonomic comfort<ref name=":6">[https://gaming.canyon.eu/about-canyon/ About Canyon Gaming] (Sep 13, 2023)</ref>.


"i want to take my mistake and turn it into something positive and allow people to learn from it"
Canyon Gaming peripherals come with extra features such as programmable buttons, onboard memory modules, and a distinct style<ref name=":6">[https://gaming.canyon.eu/about-canyon/ About Canyon Gaming] (Sep 13, 2023)</ref>. The company prioritizes providing an enjoyable user experience and using quality materials that are accessible to the average user<ref name=":6">[https://gaming.canyon.eu/about-canyon/ About Canyon Gaming] (Sep 13, 2023)</ref>. As a result, Canyon Gaming tools are suitable not only for gaming but also for everyday work<ref name=":6">[https://gaming.canyon.eu/about-canyon/ About Canyon Gaming] (Sep 13, 2023)</ref>.


This is a global/international case not involving a specific country.
You can find drivers, e-catalogs, news, certificates, and more on their website<ref name=":5" />.


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
=== Canyon Gaming Advertising Campaign ===
 
Crypto Jordin received an email which claimed to be from Canyon Gaming.<blockquote>
Include:
"hi I represent canyon gaming and I'm responsible for launching an advertising campaign to promote new technologies developed by our company"</blockquote>
 
* Known history of when and how the service was started.
* What problems does the company or service claim to solve?
* What marketing materials were used by the firm or business?
* Audits performed, and excerpts that may have been included.
* Business registration documents shown (fake or legitimate).
* How were people recruited to participate?
* Public warnings and announcements prior to the event.
 
Don't Include:
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
 
== About CryptoJordin ==


== The Reality ==
== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
The email received by CryptoJordin was not from Canyon Gaming. It is believed to have originated from a malicious actor known as Mr.Santa. It contained a malicious PDF file with Redline malware.
 
* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.


== What Happened ==
== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
CryptoJordin installed the Redline malware by mistake, and this allowed the attacker to gain access to drain his cryptocurrency hot wallets on his computer.  
{| class="wikitable"
{| class="wikitable"
|+Key Event Timeline - Crypto Jordin Redline PDF Spearphishing Email
|+Key Event Timeline - Crypto Jordin Redline PDF Spearphishing Email
Line 53: Line 34:
|December 1st, 2021 6:30:53 AM MST
|December 1st, 2021 6:30:53 AM MST
|Last Avalanche Transaction
|Last Avalanche Transaction
|The last reported transaction on CryptoJordin's avalanche wallet prior to the malicious transaction<ref>[https://snowtrace.io/tx/0x6f5833a8b80986e414a1bc289b81eb1a9b9b44b11ee5404af0a510c9ae818820 Last Transaction of CryptoJordin Staking Avalanche - SnowTrace] (Mar 3, 2023)</ref><ref name=":4">[https://snowtrace.io/address/0x33dc162155d9df54e2849d79991110f7b369a415 CryptoJordin's Avalanche Wallet - SnowTrace] (Mar 3, 2023)</ref>.
|The last reported transaction on CryptoJordin's avalanche wallet prior to the malicious transaction<ref name=":7">[https://snowtrace.io/tx/0x6f5833a8b80986e414a1bc289b81eb1a9b9b44b11ee5404af0a510c9ae818820 Last Transaction of CryptoJordin Staking Avalanche - SnowTrace] (Mar 3, 2023)</ref><ref name=":4">[https://snowtrace.io/address/0x33dc162155d9df54e2849d79991110f7b369a415 CryptoJordin's Avalanche Wallet - SnowTrace] (Mar 3, 2023)</ref>.
|-
|December 4th, 2021 4:29:00 PM MST
|Response To Promotional Offer
|CryptoJordin receives an email reporting to be from Canyon Gaming, offering him a potential partnerships with them<ref name="unnamed-10585" />. He is reportedly able to pick out 3-4 items from a new private catalog in exchange for recording a video about their products. The email requests that he responds if he's interested and they will send him the catalog.
|-
|-
|December 4th, 2021 4:55:48 PM MST
|December 4th, 2021 4:55:48 PM MST
Line 61: Line 46:
|December 4th, 2021 4:58:48 PM MST
|December 4th, 2021 4:58:48 PM MST
|BUSD Tokens Transferred
|BUSD Tokens Transferred
|In an apparently unrelated transfer, 396.46602051 BUSD tokens are transferred from CryptoJordin's MetaMask wallet to another unidentified wallet<ref name=":1">[https://bscscan.com/tx/0x208be95348431aa0e7c6142c0250414a34369dcd0ce5225f809c913179d963f4 Transfer of 396.466 BNB (Unrelated) - BSCScan]  (Mar 3, 2023)</ref>.
|In an unrelated transfer, CryptoJordin<ref name="unnamed-10585" /> transfers 396.46602051 BUSD tokens from his MetaMask wallet to another wallet<ref name=":1">[https://bscscan.com/tx/0x208be95348431aa0e7c6142c0250414a34369dcd0ce5225f809c913179d963f4 Transfer of 396.466 BNB (Unrelated) - BSCScan]  (Mar 3, 2023)</ref> via the Binance Smart Chain.
|-
|December 5th, 2021 5:57:00 AM MST
|CryptoJordin Email Response
|CryptoJordin responds to the email requesting to look at the catalog to say he "would love to see the new collection & create videos"<ref name="unnamed-10585" />.
|-
|December 5th, 2021 10:58:00 AM MST
|Catalog Email Received
|CryptoJordin receives a response which provides the catalog with the "product line" for him to download, and reportedly including a "non-disclosure agreement" to be signed. Upon clicking on the PDF to view it, an installation bar briefly appeared before showing a catalog. The PDF contained a full catalog which also described everything he had to do for the commercial<ref name="unnamed-10585" />.
|-
|-
|December 5th, 2021 12:21:00 PM MST
|December 5th, 2021 12:21:00 PM MST
|Transfer In Avalanche
|Transfer In Avalanche
|The attacker transfers 0.300561904654125746 avalanche tokens into CryptoJordin's wallet, likely necessary to cover transaction fees<ref name=":4" /><ref>[https://snowtrace.io/tx/0x75787b1a4220980546e66a5d3f9cafe41c941910a7032457270f8de0443dc98b Malicious Attacker Transfers In 0.300561904654125 Avalanche - SnowTrace] (Mar 3, 2023)</ref>.
|The attacker transfers 0.300561904654125746 Avalanche tokens (AVAX) into CryptoJordin's wallet on the Avalanche blockchain. These Avalanche tokens are likely necessary to cover transaction fees<ref name=":4" /><ref name=":8">[https://snowtrace.io/tx/0x75787b1a4220980546e66a5d3f9cafe41c941910a7032457270f8de0443dc98b Malicious Attacker Transfers In 0.300561904654125 Avalanche - SnowTrace] (Mar 3, 2023)</ref>.
|-
|December 5th, 2021 12:22:48 PM MST
|Time Balance Unstaked
|The attacker unstakes CryptoJordin's balance of 0.16149775 TIME<ref name=":4" /><ref>[https://snowtrace.io/tx/0xef90d177d1654fdb19bfa795600c1924379a9cf8498c82db885484fe9363ecb7 Avalanche Transaction Unstaking TIME Balance - SnowTrace] (Nov 15, 2023)</ref>.
|-
|December 5th, 2021 12:31:49 PM MST
|Trader Joe Swap Completed
|CryptoJordin's unstaked 0.16149775 TIME balance and 974.24359663155504615 magic internet money (MIM) in his wallet are swapped for 11.519380960436277797 AVAX<ref name=":4" /><ref>[https://snowtrace.io/tx/0xb1464bcc36458404d0ead65e638ec5aa77d4fec67cb39437d3be807ef2115917 Trader Joe Swap Of 0.16149775 TIME And 974.24359663155504615 MIM for 11.519380960436277797 Wrapped AVAX in CryptoJordin's Wallet - SnowTrace] (Nov 15, 2023)</ref>.
|-
|-
|December 5th, 2021 12:34:22 PM MST
|December 5th, 2021 12:34:22 PM MST
|Malicious Transaction
|Malicious Transaction
|The malicious transaction happened which stole CryptoJordin's funds<ref name=":4" /><ref name=":2">[https://snowtrace.io/tx/0xe8082623678c894c50916565c06a70b95b8d5df4398d7e3616fb89dda66fcd37 Theft of CryptoJordin's Avalanche Tokens - SnowTrace] (Mar 3, 2023)</ref>.
|The entire 11.811348845090403543 AVAX resulting from the swap are swept from CryptoJordin's wallet<ref name=":4" /><ref name=":2">[https://snowtrace.io/tx/0xe8082623678c894c50916565c06a70b95b8d5df4398d7e3616fb89dda66fcd37 Transfer of 11.811348845090403543 AVAX From CryptoJordin's Avalanche Wallet - SnowTrace] (Mar 3, 2023)</ref>.
|-
|-
|December 8th, 2021 9:27:37 AM MST
|December 8th, 2021 9:27:37 AM MST
|Video About Missing Tokens
|Video About Missing Tokens
|The first video with reported missing wonderland tokens<ref name=":3">[https://www.youtube.com/watch?v=hpOrKIIewj4 CryptoJordin - My $Time Wonderland Balance Was Wiped. - YouTube] (Mar 3, 2023)</ref>.
|CryptoJordin posts a video reporting the missing wonderland tokens<ref name=":3">[https://www.youtube.com/watch?v=hpOrKIIewj4 CryptoJordin - My $Time Wonderland Balance Was Wiped. - YouTube] (Mar 3, 2023)</ref>. He reports that his TIME wonderland balance has been wiped from his wallet. A few days after he got the malware, CryptoJordin noticed his time balance was gone and wondered if it's a glitch. The malware has full control over his computer, and is still siphoning his personal information and activities during this time<ref name=":9" />.
|-
|-
|December 9th, 2021 8:20:49 AM MST
|December 9th, 2021 8:20:49 AM MST
Line 80: Line 81:
|-
|-
|December 11th, 2021 10:09:31 AM MST
|December 11th, 2021 10:09:31 AM MST
|Video Detailing Size of Account
|Video Detailing Size of Operation
|CryptoJordin produces and launches another video with "Shocking Details About My MetaMask Hackers." which goes through how his funds were joined into a wallet with over $31m in there<ref>[https://www.youtube.com/watch?v=7_fj1KWV7LE CryptoJordin - Shocking Details About My MetaMask Hackers. - YouTube] (Mar 3, 2023)</ref>.
|CryptoJordin produces and launches another video with "Shocking Details About My MetaMask Hackers." which goes through how his funds were joined into a wallet with over $31m worth of other funds<ref name=":11">[https://www.youtube.com/watch?v=7_fj1KWV7LE CryptoJordin - Shocking Details About My MetaMask Hackers. - YouTube] (Mar 3, 2023)</ref>.
|-
|December 11th, 2021 8:37:00 PM MST
|Security Expert Discussion
|CryptoJordin discusses his situation and the Redline Malware with a cryptocurrency expert, and is advised of the full extent of the risks<ref name=":9">[https://www.youtube.com/watch?v=-ySAJnYgNOI CryptoJordin - There's way more to these MetaMask Hackers... - YouTube] (Jan 5, 2023)</ref>.
|-
|December 12th, 2021 6:08:00 AM MST
|Security Expert Discussion
|In discussions with the security expert, he asks about any storage of the seed phrase. At that point, CryptoJordin recalls having a screenshot saved on his phone, and it's speculated that the screenshot might have been taken from the phone<ref name=":9" />.
|-
|December 12th, 2021 8:55:00 PM MST
|Security Expert Discussion
|CryptoJordin discusses more about the theft with the security expert<ref name=":9" />. The hacker is revealed as Mr. Santa, a name he uses on many forums where he sells stolen data on. The attack was more of a "malicious virus" and the malware uncovered was called Redline. Multiple Chrome extensions are downloaded, which attempts to capture all the saved passwords from the browser. CryptoJordin was not saving any of his passwords on his browser. The attacker tried to get access to the WiFi, which was replaced by Comcast. There were 3-4 days where his computer was compromised and he didn't know. It was also revealed that he had stored a picture of his seed phrase on his phone. He's very glad to only have the single wallet taken. He wants to bring justice against hackers and references a recent arrest of hackers. The hackers are exploiting information to steal funds and selling information they don't want to less sophisticated scammers/hackers. CryptoJordin gives incorrect information about how the malware could have infected his Ledger.
|-
|-
|December 14th, 2021 2:14:07 PM MST
|December 14th, 2021 2:14:07 PM MST
|Video Baiting Scammer
|Video Baiting Scammer
|CryptoJordin reports on baiting the hacker into sending a malicious PDF with the malware included<ref>[https://www.youtube.com/watch?v=msqDmwmkDEA CryptoJordin - We've Baited My MetaMask Hacker... - YouTube] (Mar 3, 2023)</ref>.
|CryptoJordin reports on baiting the hacker into sending a malicious PDF with the malware included<ref name=":12">[https://www.youtube.com/watch?v=msqDmwmkDEA CryptoJordin - We've Baited My MetaMask Hacker... - YouTube] (Mar 3, 2023)</ref>.
|-
|January 1st, 2022 12:56:28 PM MST
|Update Video Published
|CryptoJordin publishes a video with an update on the incident for his followers on YouTube "There's way more to these MetaMask Hackers..."<ref name=":9" />.
|-
|-
|January 4th, 2022 11:15:13 AM MST
|January 4th, 2022 11:15:13 AM MST
|Another PDF Email Received
|Another PDF Email Received
|CryptoJordin reports on receiving another malicious PDF email in a new video. This video included 3 other YouTubers in the videos<ref>[https://www.youtube.com/watch?v=G33gjWfpdlo CryptoJordin - The PDF Crypto Scam Just Went To A Whole New Level. - YouTube] (Mar 3, 2023)</ref>.
|CryptoJordin reports on receiving another malicious PDF email in a new video. This email included 3 other YouTubers in the videos<ref name=":10">[https://www.youtube.com/watch?v=G33gjWfpdlo CryptoJordin - The PDF Crypto Scam Just Went To A Whole New Level. - YouTube] (Mar 3, 2023)</ref>. In this video, CryptoJordin reports that he felt something was funny when reviewing the original email, however still clicked the PDF file.
|-
|-
|April 4th, 2022 2:49:35 PM MDT
|April 4th, 2022 2:49:35 PM MDT
|Video About Scam Emails
|Video About Scam Emails
|CryptoJordin posts another video about scam emails. He also indicates that they are currently "in contact with the hackers"<ref>[https://www.youtube.com/watch?v=Pf0xsgzF_UM CryptoJordin - Do Not Fall For This MetaMask Scam. - YouTube] (Mar 3, 2023)</ref>.
|CryptoJordin posts another video about scam emails. He goes over cooperation business emails which claim to offer him a partnership. He reviews a phishing email from MetaMask which is claiming that his wallet is unverified and needs to be upgraded. He reviews a comment from a fake recovery service. He also indicates that they are currently "in contact with the hackers"<ref>[https://www.youtube.com/watch?v=Pf0xsgzF_UM CryptoJordin - Do Not Fall For This MetaMask Scam. - YouTube] (Mar 3, 2023)</ref>. Some scammers offering  cryptocurrency recovery scams commented on the video and had their comments liked by CryptoJordin.
|}
|}


== Total Amount Lost ==
== Technical Analysis ==
CryptoJordin shows a screenshot of his wallet, which has a transaction transferring 11.811348845090403543 avalanche tokens<ref name="unnamed-10585" /><ref name=":2" />. The historic closing market price of avalanche on December 5th, 2021 was $85.79<ref>[https://coinmarketcap.com/currencies/avalanche/historical-data/ Avalanche Historic Market Price - CoinMarketCap] (Mar 3, 2023)</ref>. This makes a total loss of $1,013.30 USD.  
CryptoJordin was tricked into installing Redline malware on his computer, which allowed attackers access to his files and data on his computer. It is believed that his seed phrase was obtained through an image backup which he kept on his computer. Once access to his MetaMask account was obtained, the attackers sent in Avalanche tokens and used those to unstake and withdraw all balances, which were then liquidated. CryptoJordin started his investigation only after noticing that all of his funds had disappeared from his wallet.
 
=== Blockchain Transaction Details ===
Avalanche: <ref name=":7" /><ref name=":4" /><ref name=":8" /><ref name=":2" /><ref>[https://snowtrace.io/txs?a=0x33dc162155d9df54e2849d79991110f7b369a415 Transaction History For CryptoJordin's Wallet - SnowTrace] (Nov 15, 2023)</ref>
 
BNB: <ref name=":0" />
 
=== Information From Security Researcher ===
From the video <ref name=":9" />.<blockquote>"I have identified the attackers alias base on his attack server associated with the malware. Security community refers to the attacker by the name Mr.Santa. This is the username he use on various forums that he sells stolen data on"
 
"The second stage malware file downloads and installs multiple .crx files (which is the file extension type for chrome browser extensions.) malicious extensions cannot be detected by AV because they do not run at the device system level. Chrome extension run within the chrome application. The way the google has developed chrom prevents AV from inspecting .crx files."
 
"The chrome extensions installed have very likely captured any bank account details from you device. If you have ever used your pc for personal banking please change your online banking password"
 
"This malware also tries to discover your active wifi connection. This means the the attacker is trying to discover other devices on your network. So please change the password on you home router as well."


A separate transaction the day prior<ref name=":1" /> for $396.47 BUSD is likely unrelated. While the attacker may have had access to that wallet due to the same compromised private key, this transaction happened just moments after a transfer from KuCoin<ref name=":0" />, which was likely initiated by CryptoJordin. There is no suggestion of his KuCoin account being compromised. In his December 8th video, CryptoJordin says he "lost $400 yesterday from trying to transfer something" which may be related to this transaction, however the timeline is not perfectly correlated<ref name=":3" />.
"If you live with your family or house mates or your girlfriend or something please ask them to also change their online banking passwords"


The total amount lost has been estimated at $1,000 USD.
"It is impossible for me to know if the attacker has compromised your wifi router without forensically inspecting the device and I cannot walk you through this process as you do not have the equipment required."


== Immediate Reactions ==
"Absolutely - people aren't security conscious with regular IT, let alone crypto security. Some people have millions of dollars staked with metamask. Its ridiculous."
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?


"Can I also ask, did you store the seed phrase locally? as a text file of screenshot? I just trying to understand the level of info that the REDLINE malware can collect from the metamask application."


"okay interesting. If that screen shot was exfiltrated from your device that is highly likely the way they were able to rebuild your wallet on another device. Since I cant see that the metamask wallet stores the seed phrase"


==== My $Time Wonderland Balance Was Wiped. ====
"Yeah the security community refers to this bad actor as mr.Santa because he uses that username on hacking forums. He sells your pc profile and stolen info after he takes want he wants or what is most valuable. It's very common. Skilled hackers are the apex and they sells to less technical script kiddies that don't know how to hack themselves"</blockquote>
"hey what is up guys so today in this one i'm not gonna go fake and energetic and stuff because obviously if you read the title i'm not something happened yesterday and it got me really worked up and i wanted to make a video on it but i also wanted to calm down first before i even thought about making a video because i didn't want to make an immature video like freaking out and i wanted to get to the bottom of the problem before i actually made a video on it because you know how badly i wanted to jump on here and just freak out and ramble but i knew it wasn't the right thing i had to really just calm my thoughts and just breathe but um basically i went on my wonderland account to um just see how my stake balance was doing to see how much money it was i typically check on it like once a week or so just to see how it's performing so i went on and i noticed this zero time zero memo just a wiped account so obviously i thought to myself oh i'm not connected to my meta mask or i'm on the wrong network because if you get connected to the binance network ethereum network it doesn't really work i'll set up your wrong network i was connected to the avalanche network i was on my right account it was connected but i didn't notice that i had no avax and i did have like point like something like i always keep a little bit in here for transactions and stuff and i don't use metamask i really only used it for wonderland and to make the tutorial for wonderland like how to buy it and stuff the first thing i did was go down here to activity to see like has anybody been on my account i did send out two avex december 1st but that was from the snow bank that i sold because i unstaked all my snow bank and sold that off and that was december 1st that's seven days ago from today so i knew i checked my balance on wonderland within seven days it was probably like three or four days ago i checked it it was weird to see i had no balance but my activity was there was no activity and this is literally the only tab i use i only connect to the avalanche mainnet all the other ones won't even work for this site so it's like this is all i use so last night i was trying to calm myself down i'm like all right i'll wake up in the morning i'll refresh it maybe with something with the network having server issues or something i didn't know i was like all right i'm gonna just wake up in the morning try not to freak out yeah i woke up checked the balance and it was still blank it was just like this i tried to delete the network and re-edit and it was just all the same thing there was nothing i could do i went over to trader joe to see if i could uh pull up like previous transactions and that won't let me so the next thing i did was go into the telegram and i tried to talk to some people and there was about like three other people that also said they were having problems and their account got wiped so i really wanted to know like was it wonderland that was like pulling something suspicious was it like that i got hacked was it that that i did something wrong did i understand it when i was in sleeping did i did i sleep walk and unstick my wonderland like i really really wanted to know there's nothing in the transactions like if somebody got on my account there's literally nothing here there's no activity saying somebody unstaked my thousand dollars or they sent it somewhere else like there's literally no activity and you can't even click on the activity and like delete it like there's no there's literally no way of deleting my activity like i'm saying like if somebody got on my account sent it over like there's no way they can possibly delete it from here so when i was in the telegram i had some kind person really help me they told me to take my address from metamask god i'm still like so i'm still just like worked up man it's like like like this really gets me worked up my metamask address and copy it right here and then i'm gonna go over to snow trade paste my address and search up the history so two days and 20 hours ago i received a payment of 0.3 avax from this address which we will look into time staking so they unstaked my time and then went over the trader joe swapped it so the 11avex was then sent to this address which we will also look into these are not my addresses i did not send this point three avax two days ago i did not send that point to avax two days ago there is no activity explaining any of this that happened it is not it is not on my account is not in the activity two days ago i received the point three from this address this address here is the transaction right here they sent me 0.3 avax none of these transactions in these last six days are mine this is not my account this is not my address someone sent me avax got into my account so they could use that money to unstake it wiped all of my time out of wonderland and sent it back to theirs i'm going to go back over to my address and now we're going to see where they sent the 11 avax that was stolen from my account it was sent to this address right here and it is a brand new address it was literally created for this transaction this is something i'm just gonna have to accept and learn from i need to secure my accounts as much as possible all my other accounts are so freaking secured but my metamask a wallet that i don't really use that i just put a thousand dollars on the state time wonderland i got hacked i got beat i lost i have to accept this i have to get a ledger wallet i have to secure my assets i cannot let this happen again and it will not happen again and i do not want this to happen to anybody i want you to please please please go secure your assets buy a ledger right after this video i'm going to go watch youtube videos and figure out which one i'm going to buy i'm going to buy it up right away i'm going to delete this metamask while it start fresh and that's all i can do you know i mean i could sit here and just think about it all day which i'm probably end up well or i could just accept it and move on because there's nothing i can do you know when something's out of your control i mean you just have to do whatever you can to adapt and to make for so it doesn't happen next time and that's what i'm gonna do so this isn't a video to put any bad light on wonderland fight acid staked on other platforms they would have taken that too this was all on me i'm the only one that i can blame and sometimes you just got to own up to that instantly when it happened i was like oh my god wonderland's a scam lands god wonderland did people are so fast to jump i'm so fast to jump it's what we do we try to find something someone to blame quick but in reality i mean it was me probably clicked on something i probably downloaded something nothing happened for my while it wasn't secured i'm gonna have to deal with the consequence thank you guys for watching this video please throw a thumbs up on it i want this video to be shared with everybody and if you lost money staking somewhere if you lost money in crypto together we have to learn together we have to teach people and educate the crypto space so this doesn't happen there's nothing worse than losing money i lost 400 yesterday if i'm trying to transfer something and then this happens it's like every time i go forward something happens and there's two steps back but i can't allow myself to be emotionally torn by this so i'm gonna move on and thank you guys for watching really appreciate all of you always keep your head up and stay positive it's all we can do in this world love you guys peace"


====  Update on The Hackers Who Wiped My MetaMask Wallet. ====
=== Risks To Hardware Wallet ===
"Hey, what is up guys? It's Jordan. Welcome back to another, uh, investigation video. To be honest, I haven't got much sleep - probably about four to five hours last night. I've honestly just been stressed about this whole situation and a lot of people have been contacting me saying they've been having similar problems. They describe it to me. It's literally the exact same thing I'm going through. You feel hopeless. You feel like you have no voice. If something happens to your bank account or whatever you can go and contact your bank, talk to somebody. [It] makes you feel a little better, even if they don't fix your problem, but in the crypto world there's nobody. It's you, it's a decentralized world, and I mean it is scary. My latest videos sparked a huge conversation around the crypto world that nobody wants to talk about, and it's all of these scams that are going around. There's going to be a lot of information in this video you do not want to miss. Let's jump right into it."
In a discussion with a security expert, CryptoJordin shows a screenshot which states<ref name=":9" />:<blockquote>So in cases like your's where you computer was infected with malware - a hardware wallet would not have prevented you from being hacked. Because as soon as you plugged your USB wallet into your infected computer the malware would have copied the .log file... In some cases malware will copy the log file and delte it from the USB so that the victim cannot access the wallet...unless they also wrote the seed phrase down on paper and reimported the wallet into metamask.</blockquote>While it is certainly possible for an attacker to cause the hardware wallet to not work with that particular PC, and to trick a user into entering their seed phrase or signing a malicious transaction, it's not possible for the PC to damage the hardware wallet<ref>[https://www.reddit.com/r/ledgerwallet/comments/192li96/redline_malware_defeating_wallet_security/ Redline Malware Defeating Wallet Security? - Reddit] (Jan 9, 2024)</ref>.


"[I] began my investigation by thinking back to what I was doing the exact second my funds got stolen. When I took a look at the address that transferred the coins from my account to theirs, I noticed it happened two days and like 18 hours ago. That is the only information I was given. So, what do you do? You have to work with what you're given. [I] paste my address and search up the history, so two days and 20 hours ago. I sat right here for about an hour [and] really tried to think what I was doing two days and 18 hours ago, or whatever it was from yesterday. So I thought a lot, I did the math or whatever, and figured out what time it was. [I was] busy throughout the morning. Around the afternoon I went out for lunch. I came back and I started my day. And what do I start off with? First I respond to emails. I respond to sponsors, promos, questions, all types of stuff."
== Total Amount Lost ==
CryptoJordin shows a screenshot of his wallet, which has a transaction transferring 11.811348845090403543 avalanche tokens<ref name="unnamed-10585" /><ref name=":2" />. The historic closing market price of avalanche on December 5th, 2021 was $85.79<ref>[https://coinmarketcap.com/currencies/avalanche/historical-data/ Avalanche Historic Market Price - CoinMarketCap] (Mar 3, 2023)</ref>. This makes a total loss of $1,013.30 USD.  


"About four or five years ago I used to create vlog content. That's how I really built my channel and I mean I would get tons of emails every day. I would always respond to them, so I've been doing this for like a long time now. So I've seen scams where people want me to promote their product and they never end up sending payments and stuff. That's happened. So, I mean I've pretty much seen it all, besides what I'm going to show you, and this is crazy."
A separate transaction the day prior to the exploit for $396.47 BUSD<ref name=":1" /> is likely unrelated. While the attacker may have had access to that wallet due to the same compromised private key, this transaction happened just moments after a transfer from KuCoin<ref name=":0" />, which was likely initiated by CryptoJordin, and was also prior to CryptoJordin's original response to the attacker<ref name="unnamed-10585" />. There is no suggestion of his KuCoin account being compromised. In a video uploaded on December 8th, CryptoJordin says he "lost $400 yesterday from trying to transfer something" which may be related to this transaction<ref name=":3" />. The discrepancy related to the timeline is likely because CryptoJordin took a couple of days to edit his content before sharing it online.  


"Another way I pinpointed the exact thing I was doing at that time was i went onto my iPhone, I went to my pictures, and I took a thumbnail picture four o'clock or something, and I remember I made the video right after I did the emails. That means I was reading emails around like three o'clock or so, because I recorded at four probably. [It] probably took an hour, so reading emails, watching YouTube videos ... on the side watching flying emails and like god i didn't know like recording this video would be so hard like my heart's like actually kind of racing and like i get really worked up about this i said this last video really defensive i get very angry we'll say it again i'll probably say it at the end of the video this was all my fault but i want to take my mistake and turn it into something positive and allow people to learn from it this is an email i received on december 4th around 6 30 p.m hi i represent canyon gaming and i'm responsible for launching an advertising campaign to promote new technologies developed by our company so typically when i get one of these emails i'm like okay cool let me jump over to canon gaming website and see what they got i'm not gonna go over to the website because i don't know if they're affiliated with this hacking group or not which i assume they're not probably a normal company but maybe they made this company to disguise it that's very possible it's not hard to make a website and we will get to the bottom of that also i currently have a team right now while i'm recording this video investigating this this is a big deal and if nobody else in the crypto community wants to step up i will i want to be the voice for the people that are going through the same that i'm dealing with okay let's read this email you definitely want to hear this we create the best personal computer accessories your channel is suitable for us to advertise our campaign so we decided to order an advertising video from you about the new collection of which will be released in mid-december so in my head i'm thinking okay company that i checked out their website they have sick gaming chairs they have sick freaking headsets they got these gaming mouses that look amazing i mean they light up and whoa they're saying i can pick three to four accessories from their new catalog that's launching in december and they're gonna pay for all the shipping all i have to do is receive the accessories create a commercial about it on the day that i get it and then like a week before they do the sales post that video after they deliver the accessories free of charge they're gonna just remain with me it's not like i have to send them back or anything instead of paying me money they're gonna just give me these accessories that they probably don't pay too much for they probably get them made in china or something and if you buy products in bulk like of course you can just give them out cheap why i'm talking like this is the thoughts that were going through my brain i didn't read this and think ah they're freaking stupid they're trying to scam me and take my bitcoins i mean hey they're talking about gaming chairs and like they're going to provide me information in the future about this i mean they're not even like really like oh click this link right here click this link right here and you got you got to check out our new accessories you got to keep it click click click it download it install it and make sure you respond back to us they're just like hey let me know if you're interested and we'll send you a pdf with instructions obviously they can't post the catalog on their website they got to send you the catalog because it's private it's it's going to be a big sale like obviously i'm making an advertisement like i was gonna record a dope ass video like showing off this gaming chair like it's like an actual advertisement because it's not been released yet they're gonna hold a presentation early december so i wrote back the next morning december 5th at 7 57 a.m i said hello yes i am interested i would love to see the new collection and create videos i'd love to yeah later on the same day at 12 58 p.m they finally sent me their product line to check out so i could pick out three to four products free of charge all you gotta do is make a video guy being a youtuber is so great isn't it so what do my eyes see blah blah blah blah okay our campaign youtube all right free charge all right pick my products okay attach the document non-disclosure agreement oh because it's like a partner what information is needed it's in the products however okay documents does not need to be signed all right so i just got to read follow instructions only the company's employees and partners know about this okay everything you see in the catalog will be protected by the rule described in the okay okay cool oh all right right here so i have to do is all right so it's just a pdf and there was instructions to click another link which will lead to the private catalog and they gave me like a personal code to use for the catalog and i guess like all i can say is they they got me i'm not stupid well kinda but i know not to download stuff i am not new to the internet i am not new to scams i've literally seen everything in the books but like this i mean it was so perfectly written so manipulative so what happened was the catalog actually opened up and when i clicked on it right away my brain kind of went like why did like install the catalog like i thought i was just gonna click on the link and like the catalog would just pop up but no like it literally popped up on my monitor like an installation bar that just went across real quick and then the catalog popped up and inside the catalog real products like i could actually scroll i could actually like look at product selection and stuff and what they said in this pdf when you click on it it's like showing you the instructions like how to pick out something you want and what to do and stuff and this pdf that i'm not gonna click on this manipulated me even more it's saying to write down like three to four order numbers you can't exceed two thousand dollars and all of this stuff it's talking about everything you need to do for the commercial guys this is not a joke this is the most professional scam i've ever seen in my life so what happened when i clicked that what happened when i clicked that link gave them access to my meta mask they didn't just log into my meta mask through my key or something and send the funds over to their account they got access to full control of my metamask like they literally got handed over my metamask account just from me doing what i did from clicking that and believing this there's still so many details i need to be unraveled and there's a lot more investigation that needs to be done it is all in the works right now and i will not give up on this i'm going to stay on this case you do not want to miss future update videos about this so definitely throw a thumbs up on this video and click the subscribe button it mean a ton the support has been tremendous and i will be the voice for the people i'm currently in talks with a blockchain security engineer at binance he said this case piqued his interest and he has been working on cyber incidents for over 10 years and i'm actually looking at the tweets he just sent me and this case honestly just keeps getting deeper there's gonna be a part two to this video and the details we will be releasing will blow your mind the money that this hacker organization has accumulated within a short period of time is freaking insanity remember to prioritize securing your assets it is something i'm gonna forever tell my community to do and i will have a video coming out shortly within this week probably or next week talking about how to do so because every single day i'm informing myself how to lock down as best as possible and do what i can do to prevent this from happening again if you have been scammed or have had your metamask wallet completely wiped let me know down below i want to hear your story because your information definitely definitely definitely could help in this investigation if you would like to reach out to me and contact me please do so on twitter telegram or instagram all of that's down below in the description i'm glad i can update you guys on the situation this is far from over i'm gonna go get right back to it and i'll see you guys in part two peace"
The total amount lost has been estimated at $1,000 USD.


'''Shocking Details About My MetaMask Hackers.'''
== Immediate Reactions ==
CryptoJordin describes his initial reactions when first encountering the theft in his video. <blockquote>it got me really worked up and I wanted to make a video on it, but, I also wanted to calm down first before I even thought about making a video, because I didn't want to make an immature video like freaking out and I wanted to get to the bottom of the problem before I actually made a video on it. Because, you know how badly I wanted to jump on here and just freak out and ramble, but I knew it wasn't the right thing. I had to really just calm my thoughts, and just, breathe.


ever since my last video i've gotten over 100 messages from people been going through the same thing that i'm going through and to be honest it's just heartbreaking and what i'm gonna reveal in this video it's just not cool and it is the main reason why i started this investigation why i built a team around this and why i made that first video but without further ado let's get right into it i wanted to keep all the information kind of like enclosed i don't want to just start rambling to everybody blockchain security engineer at binance and right away i knew i wanted to work with him so i reached out he said he was sorry to hear about my loss and he wanted to know more information about the case so that's exactly what we started with sent him over my metamask address and he did a lot more digging and what he found out i just can't even comprehend it's it's just sad that's like the only thing i can say it's sad so the real question was what can we do to get information about these hackers there has to be something right my funds never landed into an exchange so unfortunately that kind of stops the path because there's no exchange to track it down to i mean it's kind of just chilling in the blockchain right now what he's saying is the best case scenario is the exchange will block the user's account and they will report his criminal activity to the police in his region i told you people don't give up on me i am not gonna just let this fly i'm gonna do whatever it takes to do something about this and you want to know why i'm even angrier than i was because we tracked down what happened after they unstaked my time or memo whatever then they sold it for avax then they transferred it to another account and then they swapped it for matic that was then transferred to an account with over 31 million 31 million dollars of hard-working people 31 million dollars when this all first happened it was more or less about me like hey guys i lost a thousand dollars i went through this i'm feeling i mean it's honestly beyond that point it it's not about me anymore guys it's not i'm not doing this for me i don't give a about that a thousand dollars i don't care i don't care there is 31 million dollars that has been stolen and nothing has been done about this i just since this is a screenshot i'm gonna actually uh go and see if this money is still in the account because this is a screenshot from uh two days ago and to make it more convenient for you i'll put that in the description you can look at it you can do some more investigation if you want i mean this is all a team effort and if you've been scammed or if you've been through something like this where you've had your meta mask hacked where you've had your crypto stolen hacked whatever reach out to me you should join my brand new telegram i actually just started it yesterday it's a place where i'm chatting and talking to viewers and it's just it's been great there's like 30 people in there because i haven't really even put in a video yet and it's just been cool like everybody's chilled and the community i'm building it's awesome it makes me smile every day it makes me feel like i'm not alone on this it just feels good having support behind me i hope you believe in me to not give up i know we can do it i believe in myself i believe in the people that are helping me i just want to turn something bad into something good okay people it looks like the hackers have some bad spending habits or maybe they're just buying the bitcoin dip that could be a good thing they have several transactions that are going outside of this matic wallet to other wallets when you think about it put yourself in the shoes of the hacker you hack somebody you get their bitcoins or whatever whatever the they want or in this case whatever the you want you take the currency you have it in a metamask wallet or whatever you send it to another metamask while you send it to another metamask while you think that's secure even though you can track the transactions but anyways what do you do to be able to actually spend that money you can't go and spend your freaking polygon at target well i haven't really been outside the house recently so maybe you can but you know they're gonna take this medic send it to another wallet and somehow get it to an exchange so they can cash it out and get some cash what what else do they want they want cash i mean at least if i was a hacker i would want the cash i don't want matic and you know they're gonna at least cash out a little bit you just know it you know it put yourself in those shoes so i took that thought and i told the main investigator that was helping me with this case i went and looked at my messages and he was already two steps ahead i was trying to tell him information i just discovered and he was already five steps ahead actually he tracked down multiple exchange accounts associated with my attacker that's big at that point i'm like whoa like we're actually getting somewhere with this so what he said was yeah one of the hackers in my summed up terms got pretty freaking greedy so we tracked down the greed in the chain of transactions that we detected you can see here one of the attacker's wallet is regularly receiving funds from various binance hot wallets this is a very strong indicator that this is a personal wallet and not a burner wallet you can report this address to binance and they can identify the hacker and i hope this ship bites his mother i hope it bites his ass like a pit bull so i just clicked the link now we're gonna take a little better look at what's going on in this wallet look at all of these transactions so the hacker is sending funds from binance hot wallets to their personal wallet which is right here i will also have that down below in the description and what we are suspecting is every single one of these transactions stolen funds stolen funds stolen funds stolen funds stolen funds stolen funds stolen funds stolen fond stone this wallet right here has been reported the binance and what i want you to do is the exact same thing please please please go report this to binance go report this to kucoin we need to report these addresses i have done my part i want you to do yours you never know what can happen when everybody works together the possibilities are endless i have the platform i will be the voice for the people this is far from over they currently have zero funds in this account everything they get they send it back out to another wallet this is also another wallet that is doing the exact same thing another one and this is a wallet that also led from tracking down transactions from that matic wallet so that was the main source where we're getting these leads from and every single day we're getting more and more information and it's been rewarding we're moving forward and we are getting somewhere with this this is the third one we tracked down another one and what it seems to be is one of them was for ethereum one of them was formatic this one's for b and b and it kind of seems to be that they're pretty organized which potentially could help us even more when you search up somebody's wallet and see their transactions you can also leave comments what do the comments say on this wallet let's see one month ago well that's the address of someone who steals your bnb here is another address that he sends stuff please return every bnb you have stolen it is hard earned money it is just sad to think that there's like people out there that could actually like live normally knowing that they literally single-handedly destroyed lives money is something that's connected to emotion i don't see money as like a physical object i see it as like an emotion in a way you could literally just ruin somebody's whole life by doing something like this i just can't even like sit here and comprehend it all i'm kind of just so overwhelmed with all the messages of like this happening to people and stuff and i've said this in several videos it's just something that gets me very very worked up i just want to do my part and that's what i'm doing so there are still many details i cannot release and i hope you can understand that we want to ensure that we do the proper thing but the one thing i can tell you is we're currently in contact with the hackers [Music] you
But um, basically I went on my wonderland account, to, um, just see how my stake balance was doing, to see how much money it was. I typically check on it like once a week or so, just to see how it's performing. So, I went on and I noticed this 'zero time zero' memo - just a wiped account. So obviously I thought to myself 'Oh I'm not connected to my MetaMask' or 'I'm on the wrong network.' because if you get connected to the Binance network [or] ethereum network it doesn't really work. It'll say you're wrong network. I was connected to the avalanche network. I was on my right account. I was connected. But I did notice that I had no avax and I did have, like point, like something, like I always keep a little bit in here for transactions and stuff.</blockquote>
=== My $Time Wonderland Balance Was Wiped ===
CryptoJordin created a video just a few days after his loss<ref name=":3" />, explaining that upon checking his account, he discovered a balance of zero AVAX (Avalanche) and observed suspicious transactions. Despite being connected to the correct network, he found no activity in their account history and realized that someone had accessed their account, unstaked their assets, wiped out their Wonderland balance, and transferred the funds to a different address. He expresses frustration and plans to secure his accounts better, emphasizing the importance of securing assets and suggesting viewers do the same. He concludes by acknowledging personal responsibility for the situation and call for collective learning and education in the crypto space.<blockquote>"Hey. What is up, guys? It's Jordin. Welcome back to another uh investigation video. To be honest, I haven't got much sleep - probably about four to five hours last night. I've honestly just been stressed about this whole situation."


====  We Baited The MetaMask Hacker... ====
"Today we investigate who stole crypto from my #MetaMask wallet. This is one of many scams. We will get to the bottom of this. This is far from over... stay tuned"
"i'm not just saying this to say it but as a reason i've been really really anxious and i swear just like everything i see online now i'm just like is this a scam like is this a scam should i click this website is this person lying to me is this email this i've been really paranoid i'm not gonna lie and i mean i have a reason to be but i mean it's just not right everybody that even contacts me i'm just thinking in my head like we is this person like trying to pull something and come to find out they're just sending me like a picture you get what i'm saying i've just been overall paranoid and i'm sure a lot of people can relate because once it happens to you you feel like it's like always happening to you and i i don't know it's something that i can't really explain but it's there but i have promised you guys that i will not give up on this case and we haven't me and the person that's helping me out together we have detected a lot of information about my hacker some of the stuff i can talk about in this video some of the stuff i can't because it's an ongoing investigation i can't tell everything and i'm not trying to leave you with some like cliffhanger or something i'm not trying to turn this into like john wick where there's 15 different movies about the same exact thing i'm just trying to protect the information so we can use it to just milk as much information as possible because one thing just leads to the next that's how this investigation has been going so where we let off last video was we tracked down a chain of wallets that were all connected and by doing so that led us to the account with 31 million dollars of stolen funds and it led us to two exchange accounts one on kucoin and one on binance we then took appropriate action and i shared those wallet addresses with you guys that is in the last video if you have not seen any of these videos you've got to start with the first one otherwise none of this will be making sense and i don't want to go back and repeat myself because it will be an hour video we're going to continue from last video and right after that we discovered a lot more information about my hacker but how do we do so we baited them through the same email they sent me the investigator helping me out on this is using a separate computer separate emails and a lot of other different sources that is the only way we're gonna get somewhere you have to basically give your computer the virus so you can detect it and break it down it's something i can't really even explain to you that's why i have somebody helping me out on this this is far from my thousand dollars getting stolen this is something that needs to be taken very very serious think about it if i found an account with 31 million dollars imagine how many wallets are out there with just millions and millions of dollars all stolen funds we sent this to my hacker hello sir my friends in the crypto influencer industry have shared some info with me that your company is offering some free gaming keyboards and other gaming hardware while i am a crypto investor but not a crypto influencer is it possible for me to still participate in this offer and then we just said some stuff about twitch blah blah blah so we were sitting waiting hoping to hear back and uh within five minutes boom hi your advertising campaign is there ain't no providing repair oh i've seen that email before god they got my ass man we emailed the same address that reached out to me and scammed me but then they responded back with a different email so i just kind of thought that was interesting and i should add that but why exactly were we trying to get the email i already had the virus why were we trying to get the email again well right after i got the virus and stuff obviously i wake my whole entire computer i literally wipe my whole entire wi-fi my phone everything like everything is restored i mean my whole life's restored means all my passwords i mean everything everything everything everything it's all fresh it's all new i'm gonna be securing my assets i'm getting my ledger delivered one friday so you don't want to miss out on that i'm gonna have a video several videos i'm gonna have one setting it up i'm gonna have one how to set it up i'm gonna have one talking about why you should use it i'm not even joking once i hit like let's say 30 000 subscribers i'll give out three ledgers i want to use this opportunity to save people in the future that's what all of this is about and it's also about trying to get to the bottom of this so let's get back into it and see exactly what happened you know me i like to ramble i'm sorry okay so a day passed and we didn't get any leads i was thinking like oh [ __ ] they're not even right back they're probably like suspicious or something i don't know okay so they finally wrote back the next day but the file didn't work then i had me thinking like did they send like a real document to just like kind of act like it's real to cover themselves a little more i don't know i was just going pretty deep into my thoughts you know what i mean like trying to cover it up is like oh no this is actually real we never scanned anybody maybe they were suspicious first from that email that we sent them i don't all speculation just the way my brain works so what we did was email them again and we said hello sir it seems like we can't access your amazing catalog and then we said can you please send it again but they didn't respond so we were stuck pretty much for a whole day with no leads nothing to really go off of we pretty much tracked all the wallets down that we could kind of got stuck there i was thinking like damn this is pretty much probably it but no no no at two in the morning we received the pdf they sent us an email saying the error is erased and they sent us the actual file so what we did with the new device we bought specifically for this investigation we opened up the file we encrypted it we broke it all down i don't know whatever that all i know is we got information out of it and uh yeah i'll get to that one second so yeah i was told he'll update me soon you know when you get a text and you have that little preview up at the top yeah this is like what the preview looked like all i saw was i have identified the attackers right then and there i just had this feeling inside of me like oh here i thought we kind of hit a brick wall and we're stuck i didn't really know how we could go forward and i see this pop up i have identified the attacker's allospaces on his attack server associated with the malware security community refers to the attacker by the name mr santa mr santa this is the username he uses on various forms that he sells stolen data on and that's what i'm trying to explain here like this guy didn't just sit here all day and try to get like my metamask with a thousand dollars he wants a thousand people this hacking group is stealing millions and millions i'm an ant to this whole entire thing this is huge this is the real deal like i said if i can find an account with 31 million dollars 2 000 of them with 20 million so this group or this person isn't just targeting metamask wallets they're targeting your data below me right here is the operating system for the mr santa when i first made that video about me just like talking about a thousand dollars i lost in time wonderland i never would have thought that like all of this would become a thing and none of this would be possible without the person that's helping me on this so i just want to say thank you so so much and i wouldn't have met this person if i didn't post that initial videos by me making that video and reaching out to other people it allowed me to meet all these people and kind of like create this community of pretty much victims like we're all victims to this all the people watching these videos they've went through the exact same thing that i went through or worse most of them worse i only lost a thousand dollars i was talking to a 68 year old yesterday he's probably watching this video shout out to you and he was telling me the saddest story like he was in these crypto projects really really early and he accumulated like over a hundred thousand dollars and instantly it got wiped i mean that's just one story i have a video coming out soon where i'm putting together all of these stories in hopes that somebody sees it and does something about this at metamask there needs to be two-step verification and just a lot more things overall to protect their customers and yeah you can say to me well you can get a hard wallet i know that i know that and i'm going to tell people all the time to get one of those because it's the most important thing why would somebody that's only trying to invest a couple hundred dollars want to spend 200 on a ledger yeah that sounds ignorant of me but there's just got to be something else to protect people at least just a little bit more that's all i'm saying but we're trying to discover what information this whole entire virus thing is stealing from people because if it's taking your data your metamask like what is it actually taking what exactly happened when i clicked that like what happened that's what we're trying to get to the bottom of it's a shame that this keeps happening i'm doing everything i can every single day i'm informing myself on crypto security and just internet security in general so i can teach you guys i've been working on a ton of different projects and a ton of different things to get somebody to do something about all this only time change happens in the world is when everybody comes together as one and i know we can do so thank you guys for watching this video grab a thumbs up on it though it can get shared with the world we need this out there and we got to put a stop to this thank you guys for watching this video always keep your head up and stay positive i'll see you guys in the next one peace [Music] you"


==== The PDF Crypto Scam Just Went To A Whole New Level. ====
</blockquote>
"I Whisper task and make comparisons starting today I'm hearing from you better understand more about New Year the treatment of installed and every single day out for the community of span the documents Yoona For Fun and is also Good morning Avril Lavigne to check my email and Write nudist disman have you Channel this wonderful and usage in Advertising Company I love your Manager weekend in its performance in Advertising campaign for new players Are You Now Company And introducing The bestest avernus people in the world with that were also for you got any further servicetag Supper styling and animal nurse your new Universe of that you just email kamigami fruits of responsibility of your eyes and Kelvin kwan advantages of using many people travel food lovers anh thú Soda zebra đi tìm for her much will take that money someone like you think you're speaking Night the squares and uses information mammon coremedia console against other studies the other well it now begun Pasteur Block puzzle game that way to get to the leaves is important that won't think have to ask My and therefore not to make sure that Person is an Evil series Inverter your purpose the things started to you everything in my heart with a world that many years to pdf file xin file save your personal phycatol Begin the Brothers The huntresses the new version you evaluate kebbel use the National route Will Find other countries and their treatment gentle blemish spot Essence segments unlocker michel Ange tuteur a little trees and right people in that And Father travel to think centre which participants to Switch action is intended for documents and subjected nosara jaw Vina computer system for some money buying activesync finest work tomorrow and gone and you will fall in Vietnam Idol Queen Pearl Shell store You Nothing You're My Soul to use and even the public When were gone ahead and reshiram adwords tear us apart in my video of the game just come around is used to make dr.dre Monster research Manager position on the power sand and tricks in the Woods and use your first I Scream and Advanced minister The waterfall Dragon and supports and me this way protein email the youths comments for her study finds out that food and permission a scam email vk Me it's just three Of The universe pudding caramen will you the nao xin Stories of the stores the beaver businesses need your trust What we used to get it might of treatment or you'll find ourselves in mechanical know that nothing and people about a person to you Happy birthday to you different uses it when you wish upon your my cos I wish I never Listen My ID ornare viverra thinkin about our instant noodles and equitable descending Ocean game What's the word that meet you study of any type of this Installer for love and very inter persian virus amazed when i don't need and travel Back Together on turn our Core Westlife nice work useful email most important to stay in touch me now I have Eyes were never think I Have Nothing To National day But if you want to find the intention is edible and fungal tomorrow The Voice power for use as the voice intervals Secret passage what to wear PS Viettel music catalogue jean top five information see receipt printer Brand New Canon Castle season villages and sisters is pain away my kids to learn and tell me this way to the morning with laughter vestiges of At least I trivium respects The internet to prepare your Bank information edestus picture series ungeziefer everything predictions about the medicos and the weather is enough for potential in things like that Will Keep adding more Advanced đối với city we need you develop their particular and get to play or damaged nigricans i ai hờ this game is lying in the work better let you to bring someone say là chibi YouTube maidstone whether you and compelling directly to memories quotes English phrasal stayed out all night of many people recommend this Wood of the way to protect her to the Messenger used to mean it depends on the Missing Words can indicate mother and we have described the sentinel Delta Tell me about it come my love im Yoona Mission and want to be with you I can't afford the Formula that not to treat them are Used across the kop diaz committees find anything like you not Connect with you my knees if you see that of the other self learning English welcome I presume indeterminate automatically apply can't make sure of pineapple understand Winner tannacomp Ultimate 300k Lâm iPhone sticky password khi nó báo được xin nói use the monster obby solzhenitsyn as paper or take the work work work with people who use your smartphone with nadir Angeles Together staples this happen in the other two days And ganesh One Piece I [âm nhạc]"


== Ultimate Outcome ==
== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?


CryptoJordin continued to post more videos on his situation as it developed. As he would state, he saw this as part of a broader mission of educating the cryptocurrency space.<blockquote>
"i want to take my mistake and turn it into something positive and allow people to learn from it"</blockquote>
=== Update on The Hackers Who Wiped My MetaMask Wallet ===
In this video<ref name="unnamed-10585" /><ref name=":13">[https://quadrigainitiative.com/casestudy/cryptojordin-transcripts.txt CryptoJordin Video Transcripts Text File] (Jan 15, 2024)</ref>, CryptoJordin concludes he fell victim to a sophisticated scam involving a fake sponsorship offer. The scam involved receiving an email from a supposed gaming accessories company, offering free products in exchange for creating an advertising video. He details how he clicked a link provided in the email, which led to the installation of malware on his computer via a manipulated PDF catalog, granting the scammers full control of his computer and ultimately his MetaMask wallet. The speaker emphasizes the professionalism of the scam and notes ongoing investigations, including collaboration with a blockchain security engineer at Binance. He promises future updates on the case and urge viewers to prioritize securing their assets. The video serves as a cautionary tale and a call for vigilance within the crypto community.
=== S'''hocking Details About My MetaMask Hackers''' ===
CryptoJordin provided an update on their investigation<ref name=":11" /><ref name=":13" /> into a hacking incident involving their MetaMask wallet. He shares that he's received over 100 messages from others experiencing similar issues. He is currently collaborating with a blockchain security engineer at Binance to gather information about the hackers. Despite the difficulty in tracking funds that haven't reached an exchange, he discovered a chain of transactions indicating greed on the part of the hackers. The investigator identifies multiple exchange accounts associated with the attacker and recommends reporting the wallet to Binance for further investigation. CryptoJordin urges viewers to report identified wallets to exchanges, emphasizing the importance of collective action. He expressed his commitment to continuing the investigation and be a voice for those affected by similar scams. The video ends with an emotional response to the impact of such crimes on people's lives.
=== We Baited The MetaMask Hacker... ===
CryptoJordin discusses his heightened anxiety and paranoia<ref name=":12" /><ref name=":13" />. He emphasizes the pervasive fear of online scams and express their struggle to trust even innocent interactions. He updates viewers on their ongoing investigation with the help of a collaborator, revealing that they have detected information about the hacker. He explains the process of baiting the hacker through a decoy email and receiving a PDF file. The file, decrypted using a separate device, provides details about the attacker's operation, including a username "mr santa" associated with selling stolen data. CryptoJordin acknowledges the scale of the hacking group, emphasizing that they target not just individual wallets but also user data. He expresses gratitude to his collaborator and shares stories from other victims, highlighting the need for increased security measures and user protection. He calls for collective action to address the issue, expressing hope for positive change. The video concludes with a plea to share the information and work together to combat scams in the cryptocurrency space.
=== The PDF Crypto Scam Just Went To A Whole New Level ===
TBD - YouTube hilariously fails at preparing a transcript for this video<ref name=":10" /><ref name=":13" />.
== Total Amount Recovered ==
== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?


== Ongoing Developments ==
== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
CryptoJordin has vowed to continue investigating the scammers.
== Individual Prevention Policies ==
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}
The primary issue was that CryptoJordin was storing his cryptocurrency funds along with a backup of his seed phrase online. He used the same computer to answer emails and perform other uncontrolled activities. This meant that once the device was compromised, all of the funds in his hot wallet were able to be taken. Seed phrases are meant to be stored completely offline, and it is recommended to only ever access cryptocurrency in a heavily controlled environment.
 
{{Prevention:Individuals:Always Verify Executables}}
 
{{Prevention:Individuals:Store Funds Offline}}


{{Prevention:Individuals:End}}
{{Prevention:Individuals:End}}


== Platform Prevention Policies ==
== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}
Increasing the education level for cryptocurrency users can help prevent loss. In the event of loss, an industry insurance fund can assist and provide some relief.
 
{{Prevention:Platforms:Cryptocurrency Safety Quiz}}
 
{{Prevention:Platforms:Establish Industry Insurance Fund}}


{{Prevention:Platforms:End}}
{{Prevention:Platforms:End}}


== Regulatory Prevention Policies ==
== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}
Increasing the education level for cryptocurrency users can help prevent loss. In the event of loss, an industry insurance fund can assist and provide some relief.
 
{{Prevention:Regulators:Cryptocurrency Education Mandate}}
 
{{Prevention:Regulators:Establish Industry Insurance Fund}}


{{Prevention:Regulators:End}}
{{Prevention:Regulators:End}}
Line 157: Line 213:
== References ==
== References ==
<references>
<references>
<ref name="unnamed-10585">[https://www.youtube.com/watch?v=_2YaM-TD44g CryptoJordin - Update on The Hackers Who Wiped My MetaMask Wallet. - YouTube] (Mar 3, 2023)</ref>
<ref name="unnamed-10585">[https://www.youtube.com/watch?v=_2YaM-TD44g CryptoJordin - Update on The Hackers Who Wiped My MetaMask Wallet. - YouTube] (Jan 5, 2023)</ref>
</references>
</references>

Latest revision as of 12:50, 15 January 2024

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

CryptoJordin on YouTube

YouTuber CryptoJordin was targeted by a spearphishing attack which claimed to be from a representative of Canyon Gaming, a company that specializes in gaming accessories. CryptoJordin was tricked into installing Redline malware via a malicious PDF file. By exploiting a vulnerability which caused the PDF to automatically install malware, the attacker was able to gain access to CryptoJordin's computer and ultimately drain his MetaMask cryptocurrency hot wallet.

About Crypto Jordin

CryptoJordin is from the United States and runs a YouTube channel where he discusses different cryptocurrency projects and news[1][2].

About Canyon Gaming

Canyon, founded in the Netherlands in 2003, offers stylish yet affordable accessories and wearables[3]. Canyon promotes individuality, eco-friendliness, and mindful consumption[3]. Their products are designed for young urban individuals who appreciate smart consumption and seek innovation[3]. Canyon encourages users to be themselves, emphasizing that they are cooler than the brands they use and can prioritize what matters to them[3].

They provide a range of gadgets, including smartwatches for fitness and outdoor activities, USB hubs to extend PC and Mac functionality, and Bluetooth audio devices for high-quality sound and design[3]. They offer charging stations for a clutter-free desktop, power banks for portable device charging, and Canyon Gaming accessories known for their quality, original design, and affordability[3].

Canyon Gaming offers a range of high-quality PC accessories designed for gamers, including mice and keyboards[4], headsets that provide an immersive experience for long gaming sessions, gamepads compatible with popular consoles and PCs, and a selection of Sport Battle chairs to suit various budgets, equipped with essential gamer-friendly features[5]. These devices are known for their unique design, extended functionality, and affordability[4]. They are constructed from top-notch materials and designed for ergonomic comfort[4].

Canyon Gaming peripherals come with extra features such as programmable buttons, onboard memory modules, and a distinct style[4]. The company prioritizes providing an enjoyable user experience and using quality materials that are accessible to the average user[4]. As a result, Canyon Gaming tools are suitable not only for gaming but also for everyday work[4].

You can find drivers, e-catalogs, news, certificates, and more on their website[3].

Canyon Gaming Advertising Campaign

Crypto Jordin received an email which claimed to be from Canyon Gaming.

"hi I represent canyon gaming and I'm responsible for launching an advertising campaign to promote new technologies developed by our company"

The Reality

The email received by CryptoJordin was not from Canyon Gaming. It is believed to have originated from a malicious actor known as Mr.Santa. It contained a malicious PDF file with Redline malware.

What Happened

CryptoJordin installed the Redline malware by mistake, and this allowed the attacker to gain access to drain his cryptocurrency hot wallets on his computer.

Key Event Timeline - Crypto Jordin Redline PDF Spearphishing Email
Date Event Description
December 1st, 2021 6:30:53 AM MST Last Avalanche Transaction The last reported transaction on CryptoJordin's avalanche wallet prior to the malicious transaction[6][7].
December 4th, 2021 4:29:00 PM MST Response To Promotional Offer CryptoJordin receives an email reporting to be from Canyon Gaming, offering him a potential partnerships with them[8]. He is reportedly able to pick out 3-4 items from a new private catalog in exchange for recording a video about their products. The email requests that he responds if he's interested and they will send him the catalog.
December 4th, 2021 4:55:48 PM MST KuCoin Withdrawal A small amount of BSC is withdrawn from the KuCoin hot wallet to CryptoJordin's main wallet address on the Binance smart chain[9].
December 4th, 2021 4:58:48 PM MST BUSD Tokens Transferred In an unrelated transfer, CryptoJordin[8] transfers 396.46602051 BUSD tokens from his MetaMask wallet to another wallet[10] via the Binance Smart Chain.
December 5th, 2021 5:57:00 AM MST CryptoJordin Email Response CryptoJordin responds to the email requesting to look at the catalog to say he "would love to see the new collection & create videos"[8].
December 5th, 2021 10:58:00 AM MST Catalog Email Received CryptoJordin receives a response which provides the catalog with the "product line" for him to download, and reportedly including a "non-disclosure agreement" to be signed. Upon clicking on the PDF to view it, an installation bar briefly appeared before showing a catalog. The PDF contained a full catalog which also described everything he had to do for the commercial[8].
December 5th, 2021 12:21:00 PM MST Transfer In Avalanche The attacker transfers 0.300561904654125746 Avalanche tokens (AVAX) into CryptoJordin's wallet on the Avalanche blockchain. These Avalanche tokens are likely necessary to cover transaction fees[7][11].
December 5th, 2021 12:22:48 PM MST Time Balance Unstaked The attacker unstakes CryptoJordin's balance of 0.16149775 TIME[7][12].
December 5th, 2021 12:31:49 PM MST Trader Joe Swap Completed CryptoJordin's unstaked 0.16149775 TIME balance and 974.24359663155504615 magic internet money (MIM) in his wallet are swapped for 11.519380960436277797 AVAX[7][13].
December 5th, 2021 12:34:22 PM MST Malicious Transaction The entire 11.811348845090403543 AVAX resulting from the swap are swept from CryptoJordin's wallet[7][14].
December 8th, 2021 9:27:37 AM MST Video About Missing Tokens CryptoJordin posts a video reporting the missing wonderland tokens[15]. He reports that his TIME wonderland balance has been wiped from his wallet. A few days after he got the malware, CryptoJordin noticed his time balance was gone and wondered if it's a glitch. The malware has full control over his computer, and is still siphoning his personal information and activities during this time[16].
December 9th, 2021 8:20:49 AM MST Another Video Uploaded CryptoJordin uploads his first video explaining the situation and what happened titled "Update on The Hackers Who Wiped My MetaMask Wallet."[8].
December 11th, 2021 10:09:31 AM MST Video Detailing Size of Operation CryptoJordin produces and launches another video with "Shocking Details About My MetaMask Hackers." which goes through how his funds were joined into a wallet with over $31m worth of other funds[17].
December 11th, 2021 8:37:00 PM MST Security Expert Discussion CryptoJordin discusses his situation and the Redline Malware with a cryptocurrency expert, and is advised of the full extent of the risks[16].
December 12th, 2021 6:08:00 AM MST Security Expert Discussion In discussions with the security expert, he asks about any storage of the seed phrase. At that point, CryptoJordin recalls having a screenshot saved on his phone, and it's speculated that the screenshot might have been taken from the phone[16].
December 12th, 2021 8:55:00 PM MST Security Expert Discussion CryptoJordin discusses more about the theft with the security expert[16]. The hacker is revealed as Mr. Santa, a name he uses on many forums where he sells stolen data on. The attack was more of a "malicious virus" and the malware uncovered was called Redline. Multiple Chrome extensions are downloaded, which attempts to capture all the saved passwords from the browser. CryptoJordin was not saving any of his passwords on his browser. The attacker tried to get access to the WiFi, which was replaced by Comcast. There were 3-4 days where his computer was compromised and he didn't know. It was also revealed that he had stored a picture of his seed phrase on his phone. He's very glad to only have the single wallet taken. He wants to bring justice against hackers and references a recent arrest of hackers. The hackers are exploiting information to steal funds and selling information they don't want to less sophisticated scammers/hackers. CryptoJordin gives incorrect information about how the malware could have infected his Ledger.
December 14th, 2021 2:14:07 PM MST Video Baiting Scammer CryptoJordin reports on baiting the hacker into sending a malicious PDF with the malware included[18].
January 1st, 2022 12:56:28 PM MST Update Video Published CryptoJordin publishes a video with an update on the incident for his followers on YouTube "There's way more to these MetaMask Hackers..."[16].
January 4th, 2022 11:15:13 AM MST Another PDF Email Received CryptoJordin reports on receiving another malicious PDF email in a new video. This email included 3 other YouTubers in the videos[19]. In this video, CryptoJordin reports that he felt something was funny when reviewing the original email, however still clicked the PDF file.
April 4th, 2022 2:49:35 PM MDT Video About Scam Emails CryptoJordin posts another video about scam emails. He goes over cooperation business emails which claim to offer him a partnership. He reviews a phishing email from MetaMask which is claiming that his wallet is unverified and needs to be upgraded. He reviews a comment from a fake recovery service. He also indicates that they are currently "in contact with the hackers"[20]. Some scammers offering cryptocurrency recovery scams commented on the video and had their comments liked by CryptoJordin.

Technical Analysis

CryptoJordin was tricked into installing Redline malware on his computer, which allowed attackers access to his files and data on his computer. It is believed that his seed phrase was obtained through an image backup which he kept on his computer. Once access to his MetaMask account was obtained, the attackers sent in Avalanche tokens and used those to unstake and withdraw all balances, which were then liquidated. CryptoJordin started his investigation only after noticing that all of his funds had disappeared from his wallet.

Blockchain Transaction Details

Avalanche: [6][7][11][14][21]

BNB: [9]

Information From Security Researcher

From the video [16].

"I have identified the attackers alias base on his attack server associated with the malware. Security community refers to the attacker by the name Mr.Santa. This is the username he use on various forums that he sells stolen data on"

"The second stage malware file downloads and installs multiple .crx files (which is the file extension type for chrome browser extensions.) malicious extensions cannot be detected by AV because they do not run at the device system level. Chrome extension run within the chrome application. The way the google has developed chrom prevents AV from inspecting .crx files."

"The chrome extensions installed have very likely captured any bank account details from you device. If you have ever used your pc for personal banking please change your online banking password"

"This malware also tries to discover your active wifi connection. This means the the attacker is trying to discover other devices on your network. So please change the password on you home router as well."

"If you live with your family or house mates or your girlfriend or something please ask them to also change their online banking passwords"

"It is impossible for me to know if the attacker has compromised your wifi router without forensically inspecting the device and I cannot walk you through this process as you do not have the equipment required."

"Absolutely - people aren't security conscious with regular IT, let alone crypto security. Some people have millions of dollars staked with metamask. Its ridiculous."

"Can I also ask, did you store the seed phrase locally? as a text file of screenshot? I just trying to understand the level of info that the REDLINE malware can collect from the metamask application."

"okay interesting. If that screen shot was exfiltrated from your device that is highly likely the way they were able to rebuild your wallet on another device. Since I cant see that the metamask wallet stores the seed phrase"

"Yeah the security community refers to this bad actor as mr.Santa because he uses that username on hacking forums. He sells your pc profile and stolen info after he takes want he wants or what is most valuable. It's very common. Skilled hackers are the apex and they sells to less technical script kiddies that don't know how to hack themselves"

Risks To Hardware Wallet

In a discussion with a security expert, CryptoJordin shows a screenshot which states[16]:

So in cases like your's where you computer was infected with malware - a hardware wallet would not have prevented you from being hacked. Because as soon as you plugged your USB wallet into your infected computer the malware would have copied the .log file... In some cases malware will copy the log file and delte it from the USB so that the victim cannot access the wallet...unless they also wrote the seed phrase down on paper and reimported the wallet into metamask.

While it is certainly possible for an attacker to cause the hardware wallet to not work with that particular PC, and to trick a user into entering their seed phrase or signing a malicious transaction, it's not possible for the PC to damage the hardware wallet[22].

Total Amount Lost

CryptoJordin shows a screenshot of his wallet, which has a transaction transferring 11.811348845090403543 avalanche tokens[8][14]. The historic closing market price of avalanche on December 5th, 2021 was $85.79[23]. This makes a total loss of $1,013.30 USD.

A separate transaction the day prior to the exploit for $396.47 BUSD[10] is likely unrelated. While the attacker may have had access to that wallet due to the same compromised private key, this transaction happened just moments after a transfer from KuCoin[9], which was likely initiated by CryptoJordin, and was also prior to CryptoJordin's original response to the attacker[8]. There is no suggestion of his KuCoin account being compromised. In a video uploaded on December 8th, CryptoJordin says he "lost $400 yesterday from trying to transfer something" which may be related to this transaction[15]. The discrepancy related to the timeline is likely because CryptoJordin took a couple of days to edit his content before sharing it online.

The total amount lost has been estimated at $1,000 USD.

Immediate Reactions

CryptoJordin describes his initial reactions when first encountering the theft in his video.

it got me really worked up and I wanted to make a video on it, but, I also wanted to calm down first before I even thought about making a video, because I didn't want to make an immature video like freaking out and I wanted to get to the bottom of the problem before I actually made a video on it. Because, you know how badly I wanted to jump on here and just freak out and ramble, but I knew it wasn't the right thing. I had to really just calm my thoughts, and just, breathe. But um, basically I went on my wonderland account, to, um, just see how my stake balance was doing, to see how much money it was. I typically check on it like once a week or so, just to see how it's performing. So, I went on and I noticed this 'zero time zero' memo - just a wiped account. So obviously I thought to myself 'Oh I'm not connected to my MetaMask' or 'I'm on the wrong network.' because if you get connected to the Binance network [or] ethereum network it doesn't really work. It'll say you're wrong network. I was connected to the avalanche network. I was on my right account. I was connected. But I did notice that I had no avax and I did have, like point, like something, like I always keep a little bit in here for transactions and stuff.

My $Time Wonderland Balance Was Wiped

CryptoJordin created a video just a few days after his loss[15], explaining that upon checking his account, he discovered a balance of zero AVAX (Avalanche) and observed suspicious transactions. Despite being connected to the correct network, he found no activity in their account history and realized that someone had accessed their account, unstaked their assets, wiped out their Wonderland balance, and transferred the funds to a different address. He expresses frustration and plans to secure his accounts better, emphasizing the importance of securing assets and suggesting viewers do the same. He concludes by acknowledging personal responsibility for the situation and call for collective learning and education in the crypto space.

"Hey. What is up, guys? It's Jordin. Welcome back to another uh investigation video. To be honest, I haven't got much sleep - probably about four to five hours last night. I've honestly just been stressed about this whole situation."

"Today we investigate who stole crypto from my #MetaMask wallet. This is one of many scams. We will get to the bottom of this. This is far from over... stay tuned"

Ultimate Outcome

CryptoJordin continued to post more videos on his situation as it developed. As he would state, he saw this as part of a broader mission of educating the cryptocurrency space.

"i want to take my mistake and turn it into something positive and allow people to learn from it"

Update on The Hackers Who Wiped My MetaMask Wallet

In this video[8][24], CryptoJordin concludes he fell victim to a sophisticated scam involving a fake sponsorship offer. The scam involved receiving an email from a supposed gaming accessories company, offering free products in exchange for creating an advertising video. He details how he clicked a link provided in the email, which led to the installation of malware on his computer via a manipulated PDF catalog, granting the scammers full control of his computer and ultimately his MetaMask wallet. The speaker emphasizes the professionalism of the scam and notes ongoing investigations, including collaboration with a blockchain security engineer at Binance. He promises future updates on the case and urge viewers to prioritize securing their assets. The video serves as a cautionary tale and a call for vigilance within the crypto community.

Shocking Details About My MetaMask Hackers

CryptoJordin provided an update on their investigation[17][24] into a hacking incident involving their MetaMask wallet. He shares that he's received over 100 messages from others experiencing similar issues. He is currently collaborating with a blockchain security engineer at Binance to gather information about the hackers. Despite the difficulty in tracking funds that haven't reached an exchange, he discovered a chain of transactions indicating greed on the part of the hackers. The investigator identifies multiple exchange accounts associated with the attacker and recommends reporting the wallet to Binance for further investigation. CryptoJordin urges viewers to report identified wallets to exchanges, emphasizing the importance of collective action. He expressed his commitment to continuing the investigation and be a voice for those affected by similar scams. The video ends with an emotional response to the impact of such crimes on people's lives.

We Baited The MetaMask Hacker...

CryptoJordin discusses his heightened anxiety and paranoia[18][24]. He emphasizes the pervasive fear of online scams and express their struggle to trust even innocent interactions. He updates viewers on their ongoing investigation with the help of a collaborator, revealing that they have detected information about the hacker. He explains the process of baiting the hacker through a decoy email and receiving a PDF file. The file, decrypted using a separate device, provides details about the attacker's operation, including a username "mr santa" associated with selling stolen data. CryptoJordin acknowledges the scale of the hacking group, emphasizing that they target not just individual wallets but also user data. He expresses gratitude to his collaborator and shares stories from other victims, highlighting the need for increased security measures and user protection. He calls for collective action to address the issue, expressing hope for positive change. The video concludes with a plea to share the information and work together to combat scams in the cryptocurrency space.

The PDF Crypto Scam Just Went To A Whole New Level

TBD - YouTube hilariously fails at preparing a transcript for this video[19][24].

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

CryptoJordin has vowed to continue investigating the scammers.

Individual Prevention Policies

The primary issue was that CryptoJordin was storing his cryptocurrency funds along with a backup of his seed phrase online. He used the same computer to answer emails and perform other uncontrolled activities. This meant that once the device was compromised, all of the funds in his hot wallet were able to be taken. Seed phrases are meant to be stored completely offline, and it is recommended to only ever access cryptocurrency in a heavily controlled environment.

Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Increasing the education level for cryptocurrency users can help prevent loss. In the event of loss, an industry insurance fund can assist and provide some relief.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Increasing the education level for cryptocurrency users can help prevent loss. In the event of loss, an industry insurance fund can assist and provide some relief.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. CryptoJordin - My Crypto Addiction - YouTube (Nov 14, 2023)
  2. CryptoJordin - Dont be fooled… Kaspa CRASH is coming! - YouTube (Nov 15, 2023)
  3. 3.0 3.1 3.2 3.3 3.4 3.5 3.6 About - Canyon.eu (Sep 13, 2023)
  4. 4.0 4.1 4.2 4.3 4.4 4.5 About Canyon Gaming (Sep 13, 2023)
  5. Canyon Gaming Homepage (Sep 13, 2023)
  6. 6.0 6.1 Last Transaction of CryptoJordin Staking Avalanche - SnowTrace (Mar 3, 2023)
  7. 7.0 7.1 7.2 7.3 7.4 7.5 CryptoJordin's Avalanche Wallet - SnowTrace (Mar 3, 2023)
  8. 8.0 8.1 8.2 8.3 8.4 8.5 8.6 8.7 CryptoJordin - Update on The Hackers Who Wiped My MetaMask Wallet. - YouTube (Jan 5, 2023)
  9. 9.0 9.1 9.2 Withdrawal From KuCoin To CryptoJordin's Wallet - BSCScan (Mar 3, 2023)
  10. 10.0 10.1 Transfer of 396.466 BNB (Unrelated) - BSCScan (Mar 3, 2023)
  11. 11.0 11.1 Malicious Attacker Transfers In 0.300561904654125 Avalanche - SnowTrace (Mar 3, 2023)
  12. Avalanche Transaction Unstaking TIME Balance - SnowTrace (Nov 15, 2023)
  13. Trader Joe Swap Of 0.16149775 TIME And 974.24359663155504615 MIM for 11.519380960436277797 Wrapped AVAX in CryptoJordin's Wallet - SnowTrace (Nov 15, 2023)
  14. 14.0 14.1 14.2 Transfer of 11.811348845090403543 AVAX From CryptoJordin's Avalanche Wallet - SnowTrace (Mar 3, 2023)
  15. 15.0 15.1 15.2 CryptoJordin - My $Time Wonderland Balance Was Wiped. - YouTube (Mar 3, 2023)
  16. 16.0 16.1 16.2 16.3 16.4 16.5 16.6 CryptoJordin - There's way more to these MetaMask Hackers... - YouTube (Jan 5, 2023)
  17. 17.0 17.1 CryptoJordin - Shocking Details About My MetaMask Hackers. - YouTube (Mar 3, 2023)
  18. 18.0 18.1 CryptoJordin - We've Baited My MetaMask Hacker... - YouTube (Mar 3, 2023)
  19. 19.0 19.1 CryptoJordin - The PDF Crypto Scam Just Went To A Whole New Level. - YouTube (Mar 3, 2023)
  20. CryptoJordin - Do Not Fall For This MetaMask Scam. - YouTube (Mar 3, 2023)
  21. Transaction History For CryptoJordin's Wallet - SnowTrace (Nov 15, 2023)
  22. Redline Malware Defeating Wallet Security? - Reddit (Jan 9, 2024)
  23. Avalanche Historic Market Price - CoinMarketCap (Mar 3, 2023)
  24. 24.0 24.1 24.2 24.3 CryptoJordin Video Transcripts Text File (Jan 15, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=MetaMask_Redline_PDF_Spearphishing_Email_CryptoJordin&oldid=5382"