Ledger/MetaMask Hack PowerOfTheGods: Difference between revisions

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Multiple

The Reddit user PowerOfTheGods reported losing all their cryptocurrency, saved up over the past 5 years, on both their Ledger hardware wallet and 4 separate MetaMask wallets. This allegedly happened while they were checking their balances on the wallets, which they did regularly.

One of the potential theories for how this happened was that they downloaded from Official-KPSMICO, which is a way to get a pirated version of the Windows operating system that is also featuring seriously dangerous CryptBot malware. From this point forward, their computer operated under the full control of a remote attacker. They insist that they did not share their private key or seed phrase anywhere online, not even a screenshot, and the theft involved almost entirely ERC-20 Ethereum-based tokens. It therefore seems more probable that, at some point, they were tricked into authorizing a malicious smart contract to have full access to each of their wallets, including their Ledger hardware wallet. A malware having full control over their PC could easily swap a legitimate routine transaction for such an approval, showing the intended transaction on the PC side. It's often very difficult to evaluate whether a smart contract interaction on the Ledger hardware wallet is intended due to the small screen and cryptic way these transactions are often portrayed, so conceivable that they may not have noticed one approval. All approvals remained dormant and unnoticed until the hacker had sufficient certainty that they had captured all wallet balances, gaining awareness of the hardware wallet balance and each MetaMask from the regularly balance checking, and choosing the most patient/lucrative timing to exercise their withdrawal.

While they have extensively reported the theft for investigation, there is no evidence of any funds ever recovered of that the attacker was brought to justice.

This is a global/international case not involving a specific country. ^{[1][2][3][4][5][6][7][8][9][10][11][12][13][14]}

About Multiple

"Reddit user Power[O]fTheGods said he had been investing since 2016 and kept his investments in a Ledger Nano S (a crypto wallet) and four Metamask digital hot wallets." "I've been investing in digital assets since early 2016. I would consider myself pretty knowledgeable on all things related crypto/blockchain. I believe in the tech, I built my portfolio up for years and this is pretty much one of the only things I enjoy in life. I have a hardware wallet (Ledger Nano S) since 2017 and 4 different Metamask "hot" wallets. The hardware wallet consisted of 80% of my portfolio." "$ETH $MATIC $AAVE $TIME $OVR $ENS $ZRX $AVAX"

"My seed phrase is on paper, stored in a safe, which no one has access to. My seed phrase has never been written down anywhere else, no computer, no phone, except on that paper in the safe."

"When he checked his accounts last December, he noticed they were empty. At the time, the currency was valued at more than $120,000." "Yesterday, I used my Metamask to access all my wallets for a balance status check before the new year. Everything seemed normal. After checking again late last night and after seeing one of my accounts showing as zero, I noticed every wallet was wiped." "As I look at all of my wallets today, I see zero balances and I am absolutely crushed. It took all my power to even get out of bed, file reports, and write this post today." "Checking the transactions, it seems like the wallets were completely wiped in a matter of minutes." "I have 4 hot wallets and 1 ledger wallet. Funds were pulled out of all 5."

"As I sit here on the first day of the new year, writing this post, I think to myself how much can one human take before it's just too much? The world can just be an absolutely awful, awful place. I read these "stolen or hacked crypto" posts all the time. I always think, wow that person doesn't know what they're doing, shouldn't be investing in crypto in the first place, or that would never happen to me, because I'm super careful! Maybe they are just lying and trying to just get sympathy? Believe me, I wish I was."

"PowerOfTheGods wrote he believes he lost his investment after clicking on a malicious link while web surfing. While his ledger was unlocked, a Trojan took control of his browser and wiped his wallet in a matter of minutes." "My only possible conclusion is that I clicked a malicious link while surfing the internet. The trojan must have somehow took control over my Google Chrome browser (or Metamask extension) while I was using it, while my ledger was unlocked. Checking the transactions times they were sent out around the time I had it open. Again, I never was prompted to accept or approve anything that I myself wasn't doing. It is frightening."

"I don't recall ever going to the actual Metamask website and definitely not a fake one, but either way thanks for this." "I've been on this computer for years and there's been a few times when accidently clicking something that starts an auto-download. Obviously, I am always quick to delete or disable those files. Maybe a virus file was lying dormant for months or years without my anti-virus catching it? Just waiting for the right opportunity? Maybe it is a Metamask data leak? I'm not sure. I like to think I'm pretty careful about my passwords and security."

"I mainly write this post to warn others. Even if you think you are safe, you might still be at risk. I guess with these advanced hackers now, all it takes is one wrong click. This was my life savings aside from a few emergency funds in my traditional bank. I don't think I will ever financially, emotionally, or mentally recover from this. It has affected my life tremendously. I hate to sound dramatic and be that guy, but I'm honestly at a point now where life doesn't even seem worth it."

"I reached out and filed reports to my local law enforcement and the FBI." "I'm hoping one of the wallets leads to a KYC connection, but obviously a long shot here. Super grateful for any research or help." "Can’t comment on much right now, but learned so far of a new malware that can hack into many of different crypto wallets. Yes, seems like Ledger software too. Potentially promising."

"While the user reported the alleged crime to the authorities, there was nothing they could do because cryptocurrency is still largely unregulated. After he shared his story on Reddit, he found other users who reported similar experiences."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

• Known history of when and how the service was started.
• What problems does the company or service claim to solve?
• What marketing materials were used by the firm or business?
• Audits performed, and excerpts that may have been included.
• Business registration documents shown (fake or legitimate).
• How were people recruited to participate?
• Public warnings and announcements prior to the event.

Don't Include:

• Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
• Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

• When the service was actually started (if different than the "official story").
• Who actually ran a service and their own personal history.
• How the service was structured behind the scenes. (For example, there was no "trading bot".)
• Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Total Amount Lost

The total amount lost has been estimated at $120,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

One must assume that any computer they use can be compromised. Minimize active management of funds and try to do so only in trusted and exclusive environments. If using a hardware wallet, always take the extra time and care to check even routine transactions on the screen. Malware is a key risk with downloading any pirated software. Linux is a great and free alternative to Windows that can be safely downloaded for free from an official source, under full scrutiny of a technical community.

Greater security can be achieved by storing most funds on a separate fully-offline wallet which is never interacted with. There is no need to check the balances regularly or share their existence with others. Advanced users can also set up a multi-signature wallet with multiple devices required for withdrawal.

References