MetaMask Ethereum Hacked Sup 55: Difference between revisions
Latest revision as of 16:28, 22 August 2023
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Reddit user Sup_55 had their Ethereum taken from their MetaMask wallet. The exact mechanism of the theft is presently unknown. There are several potential transactions which could have been the theft.
About Sup_55
Sup_55 was born in February 2002[1] and lives in The Hague, Netherlands near Laakhaven[2]. He has a tattoo inspired by One Piece[3].
About MetaMask
The Reality
TBD
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| December 31st, 2021 11:52:54 PM MST | First Transaction To Attacker Wallet | The first transaction into the attacker's wallet occurs, funding it with 0.227498685696200008 ETH[4]. |
| January 6th, 2022 11:30:30 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 1.224395983208325075 ETH[5]. |
| January 9th, 2022 1:55:51 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 0.220123840391726 ETH[6]. |
| January 9th, 2022 2:02:35 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 0.093420801498595 ETH[7]. |
| January 9th, 2022 5:35:25 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 0.078 ETH[8]. |
| January 10th, 2022 1:37:15 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 1.014009665159184041 ETH[9]. |
| January 10th, 2022 2:55:02 AM MST | Reddit Post | Incident is posted about on Reddit[10]. TBD more comment review. |
| January 10th, 2022 3:35:33 AM MST | Unanswered Questions | Sup_55 is asked whether they have "been trading any NFTs or connected and approved transactions on any sites recently" or if they may have given away their seed phrase[11]. This question is never answered. |
| January 31st, 2022 7:20:16 AM MST | Attacker Wallet Funds Transferred | The reported attacker wallet transfers its Ethereum funds (totaling 5.312751225715968609 ETH) to another wallet address[12]. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
The wallet address reported as belonging to the attacker is 0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286[13].
Attacker Wallet Cleared Out
The attacker moved all funds to a new wallet address[12].
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Opening Ticket With MetaMask
Sup_55 reportedly opened a ticket with MetaMask[14]. TBD expand.
Incident Posted On Reddit
Sup_55 posted on the Ethereum subreddit with limited details of what had transpired[10].
"This is the wallet address of the hacker:
0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286
Please beware and any info and what to do can help! I've already sent Metamask the info of the transactions. Now I'm just suffering in silence (F in the chat)"
Community Reactions on Reddit
Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?
Leave a comment on their wallet address asking for the crypto back. Not much can be done unless it ends up in an exchange and they are willing to help somehow
TBD: Review when archive back online: [16]
Ultimate Outcome
TBD
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
TBD
Individual Prevention Policies
The exploit was most likely the result of Sup_55 providing their seed phrase to a scammer, installing malware on their computer, or approving a malicious transaction. Offline storage provides an alternative for a cryptocurrency user to massively reduce their risk.
Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc. Never send any of these to anyone whom you do not intend to allow to take all of your money. Attackers use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending to work for the wallet software, or asking you to screen share. Don't fall for them.
Any time untrusted software is run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, meaning an environment where you understand every piece of software running there. Using a hardware wallet, a spare computer with all software wiped, and/or a virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify that downloaded files come from the correct and expected source and match the available hashes if provided. Any time you encounter a new file, check whether it can contain executable code before using it.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
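As an added example (not code from the original page or from MetaMask), the following JavaScript decodes the calldata of a pending token-approval transaction and flags the two things the policy above says to check before signing: that the spender is the full expected address rather than a look-alike, and that the allowance is not unlimited. The addresses and calldata it uses are constructed sample values.

```javascript
// Added example (not MetaMask code): decode a pending token-approval
// transaction's calldata and check it against what the user expects,
// before the wallet signs anything. Sample addresses are constructed.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721/1155 operator
};
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

function decodeApproval(calldataHex) {
  const data = calldataHex.toLowerCase().replace(/^0x/, "");
  const sig = SELECTORS[data.slice(0, 8)];
  if (!sig || data.length < 136) return null; // not an approval call
  // ABI encoding: each argument fills a 32-byte (64 hex char) slot;
  // an address is right-aligned in its slot, so take the last 40 chars.
  const spender = "0x" + data.slice(32, 72);
  const amount = BigInt("0x" + data.slice(72, 136));
  return { sig, spender, amount };
}

function looksAlike(a, b) {
  // A different address that shares the first and last hex digits, which
  // is all a truncated wallet UI ("0x1111...1111") would show the user.
  a = a.toLowerCase();
  b = b.toLowerCase();
  return a !== b && a.slice(0, 6) === b.slice(0, 6) && a.slice(-4) === b.slice(-4);
}

function reviewApproval(calldataHex, expectedSpender) {
  const d = decodeApproval(calldataHex);
  if (!d) return { ok: false, decoded: null, warnings: ["not a recognised approval; review manually"] };
  const warnings = [];
  if (d.spender !== expectedSpender.toLowerCase()) {
    warnings.push(looksAlike(d.spender, expectedSpender)
      ? `spender ${d.spender} is a look-alike of expected ${expectedSpender}`
      : `spender ${d.spender} is not the expected ${expectedSpender}`);
  }
  if (d.sig.startsWith("approve(") && d.amount === MAX_UINT256) {
    warnings.push("unlimited ERC-20 allowance requested");
  }
  if (d.sig.startsWith("setApprovalForAll") && d.amount === 1n) {
    warnings.push("operator approval for every token in the collection");
  }
  return { ok: warnings.length === 0, decoded: d, warnings };
}

// Constructed sample input: encode approve(spender, amount) as a dapp would.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x095ea7b3" + addr + amount.toString(16).padStart(64, "0");
}

const EXPECTED = "0x1111111111111111111111111111111111111111";  // constructed
const LOOKALIKE = "0x1111aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1111"; // constructed

if (typeof require !== "undefined" && require.main === module) {
  console.log(reviewApproval(encodeApprove(LOOKALIKE, MAX_UINT256), EXPECTED));
  console.log(reviewApproval(encodeApprove(EXPECTED, 1000n), EXPECTED));
}
```

The first call reports two warnings (look-alike spender, unlimited allowance); the second, an exact allowance to the expected spender, passes.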
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Platforms have a responsibility to educate new users and ensure understanding. They can work together to create an industry insurance fund to assist affected users.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Regulators have a responsibility to educate their citizens and ensure understanding. Regulators can encourage platforms to create an industry insurance fund to assist affected users.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how Ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Sup_55 - "this was a few days after my 20th bday" - Reddit (Aug 22, 2023): https://old.reddit.com/r/teenagers/comments/ssyqln/was_feelin_myself_here/hx0kwhj/
- [2] Sup_55 - "Yes! I live literally in that circle. I am a guy though" - Reddit (Aug 22, 2023): https://old.reddit.com/r/TheHague/comments/13aq1u3/is_this_a_safe_neighborhood_for_a_student_to_live/jjgj2ok/
- [3] Sup_55 - "My first tattoo inspired by One Piece!" - Reddit (Aug 22, 2023): https://old.reddit.com/r/OnePiece/comments/v0acni/my_first_tattoo_inspired_by_one_piece/
- [4] Attacker Wallet Initially Funded With 0.227498685696200008 ETH - Etherscan (Jul 23, 2023): https://etherscan.io/tx/0xf1b8593e3fe0dea6ff8115e7d80af58e646f1b12878d33afc1a59aecdee1f44a
- [5] Transfer Of 1.224395983208325075 ETH To Attacker's Wallet - Etherscan (Jun 1, 2023): https://etherscan.io/tx/0xc29a6a0c0e15e27fbc0053efa56f6aec32b617b0039426fa383eef63d44e52f7
- [6] Transfer Of 0.220123840391726 ETH - Etherscan (Jun 1, 2023): https://etherscan.io/tx/0x78983788ec1f37ee408ad419dcf6ce7faf104c3833bc62ed2e32d1144eb3b9bc
- [7] Transfer Of 0.093420801498595 ETH - Etherscan (Jun 1, 2023): https://etherscan.io/tx/0x9de8803930e9b8e01a530dddc8cd164b6f075f72afae0f4b04ab22fc837d6553
- [8] Transfer Of 0.078 ETH - Etherscan (Jun 1, 2023): https://etherscan.io/tx/0x20df2128202838826ae9ad8eaea0193dcb56675da28a369ddb76ca85da77a29f
- [9] Transfer Of 1.014009665159184041 ETH - Etherscan (Jun 1, 2023): https://etherscan.io/tx/0xe971e2660a412228d029b41aa36d6b012b97b6adee2625a2ed5c1d9c0b515c13
- [10] Sup_55 - "NEED HELP! Hacked Metamask account" - Reddit (Jun 1, 2023): https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/
- [11] PotentialBreakfast34 - "Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?" - Reddit (Jul 23, 2023): https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1pb67/
- [12] Transfer Of Funds To New Wallet - Etherscan (Jul 23, 2023): https://etherscan.io/tx/0xb1b158b3d09404e6d99550c7799814bebbec28261dfc4a78fe5d2f55ee4226e9
- [13] Reported Hacker's Address - Etherscan (Jun 1, 2023): https://etherscan.io/address/0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286
- [14] Sup_55 - "I've opened a ticket with them and I gave them the wallet address of the scammer/hacker and the transaction ID of how much was taken and when from my account to their's." - Reddit (Aug 22, 2023): https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1mt43/
- [15] Tradegrow - "Leave a comment on there wallet address asking for the crypto back . Not much can be done unless it ends up in a exchange and they are willing to help somehow" - Reddit (Oct 3, 2022): https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1ukbw/
- [16] Archived Reddit comment (Wayback Machine, Jan 10, 2022): https://web.archive.org/web/20220110100240/https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1ml9h/