MetaMask Ethereum Hacked Sup 55: Difference between revisions
(Created page with "{{DISPLAYTITLE:MetaMask Ethereum Hacked Sup_55}} {{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/metamaskethereumhackedsup55.php}} {{Unattributed Sources}} thumb|MetaMaskReddit user Sup_55 had their Ethereum taken from their MetaMask wallet. The exact mechanism of the theft is presently unknown. There are several potential transactions which could have been the theft. This is a global/international case not involving a sp...") |
(Another 30 minutes complete. Additional sources merged in.) |
||
| Line 1: | Line 1: | ||
{{DISPLAYTITLE:MetaMask Ethereum Hacked Sup_55}} | {{Case Study Under Construction}}{{DISPLAYTITLE:MetaMask Ethereum Hacked Sup_55}}[[File:Metamask.jpg|thumb|MetaMask]]Reddit user Sup_55 had their Ethereum taken from their MetaMask wallet. The exact mechanism of the theft is presently unknown. There are several potential transactions which could have been the theft. | ||
== About Sup_55 == | |||
== About MetaMask == | == About MetaMask == | ||
== The Reality == | == The Reality == | ||
TBD | |||
== What Happened == | == What Happened == | ||
| Line 50: | Line 15: | ||
!Event | !Event | ||
!Description | !Description | ||
|- | |||
|December 31st, 2021 11:52:54 PM MST | |||
|First Transaction To Attacker Wallet | |||
|The very first transaction happens to the attacker's wallet, where it is funded by 0.227498685696200008 ETH<ref>[https://etherscan.io/tx/0xf1b8593e3fe0dea6ff8115e7d80af58e646f1b12878d33afc1a59aecdee1f44a Attacker Wallet Initially Funded With 0.227498685696200008 ETH - Etherscan] (Jul 23, 2023)</ref>. | |||
|- | |||
|January 6th, 2022 11:30:30 AM MST | |||
|Transfer To Attacker's Wallet | |||
|The attacker's wallet receives 1.224395983208325075 ETH<ref name="etherscan-11191" />. | |||
|- | |||
|January 9th, 2022 1:55:51 AM MST | |||
|Transfer To Attacker's Wallet | |||
|The attacker's wallet receives 0.220123840391726 ETH<ref name="etherscan-11190" />. | |||
|- | |||
|January 9th, 2022 2:02:35 AM MST | |||
|Transfer To Attacker's Wallet | |||
|The attacker's wallet receives 0.093420801498595 ETH<ref name="etherscan-11189" />. | |||
|- | |||
|January 9th, 2022 5:35:25 AM MST | |||
|Transfer To Attacker's Wallet | |||
|The attacker's wallet receives 0.078 ETH<ref name="etherscan-11188" />. | |||
|- | |||
|January 10th, 2022 1:37:15 AM MST | |||
|Transfer To Attacker's Wallet | |||
|The attacker's wallet receives 1.014009665159184041 ETH<ref name="etherscan-11187" />. | |||
|- | |- | ||
|January 10th, 2022 2:55:02 AM MST | |January 10th, 2022 2:55:02 AM MST | ||
|Reddit Post | |Reddit Post | ||
|Incident is posted about on Reddit. | |Incident is posted about on Reddit<ref name="redditold-11185" />. TBD more comment review. | ||
|- | |||
|January 10th, 2022 3:35:33 AM MST | |||
|Unanswered Questions | |||
|Sup_55 is asked whether they have "been trading any NFTs or connected and approved transactions on any sites recently" or if they may have given away their seed phrase<ref name=":0">[https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1pb67/ PotentialBreakfast34 - "Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?" - Reddit] (Jul 23, 2023)</ref>. This question is never answered. | |||
|- | |||
|January 31st, 2022 7:20:16 AM MST | |||
|Attacker Wallet Funds Transferred | |||
|The reported attack wallet transfers their Ethereum funds (totaling 5.312751225715968609 ETH) to another wallet address<ref name=":1">[https://etherscan.io/tx/0xb1b158b3d09404e6d99550c7799814bebbec28261dfc4a78fe5d2f55ee4226e9 Transfer Of Funds To New Wallet - Etherscan] (Jul 23, 2023)</ref>. | |||
|} | |} | ||
== Technical Details == | == Technical Details == | ||
<ref name="etherscan-11186" /> | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | ||
"This is the wallet address of the hacker: | |||
0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286 | |||
=== Attacker Wallet Cleared Out === | |||
The attacker moved all funds to a new wallet address<ref name=":1" />. | |||
== Total Amount Lost == | == Total Amount Lost == | ||
| Line 66: | Line 72: | ||
== Immediate Reactions == | == Immediate Reactions == | ||
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | ||
=== Incident Posted On Reddit === | |||
Sup_55 posted on the ethereum subreddit with limited details of what had transpired<ref name="redditold-11185" />.<blockquote>"This is the wallet address of the hacker: | |||
0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286 | |||
Please beware and any info and what do to can help! I've already sent Metamask the info of the transactions. Now I'm just suffering in silence (F in the chat)"</blockquote> | |||
=== Community Reactions on Reddit === | |||
<ref name=":0" /><ref name="redditold-11184" />. | |||
<blockquote>Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?</blockquote><blockquote>Leave a comment on there wallet address asking for the crypto back . Not much can be done unless it ends up in a exchange and they are willing to help somehow</blockquote> | |||
== Ultimate Outcome == | == Ultimate Outcome == | ||
| Line 76: | Line 94: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
TBD | |||
== Individual Prevention Policies == | == Individual Prevention Policies == | ||
{{Prevention:Individuals:Placeholder}} | {{Prevention:Individuals:Placeholder}} | ||
{{Prevention:Individuals:Never Share Private Keys}} | |||
{{Prevention:Individuals:Always Verify Executables}} | |||
{{Prevention:Individuals:Double Check Transactions}} | |||
{{Prevention:Individuals:Store Funds Offline}} | |||
{{Prevention:Individuals:End}} | {{Prevention:Individuals:End}} | ||
| Line 84: | Line 110: | ||
== Platform Prevention Policies == | == Platform Prevention Policies == | ||
{{Prevention:Platforms:Placeholder}} | {{Prevention:Platforms:Placeholder}} | ||
{{Prevention:Platforms:Cryptocurrency Safety Quiz}} | |||
{{Prevention:Platforms:Establish Industry Insurance Fund}} | |||
{{Prevention:Platforms:End}} | {{Prevention:Platforms:End}} | ||
| Line 89: | Line 119: | ||
== Regulatory Prevention Policies == | == Regulatory Prevention Policies == | ||
{{Prevention:Regulators:Placeholder}} | {{Prevention:Regulators:Placeholder}} | ||
{{Prevention:Regulators:Cryptocurrency Education Mandate}} | |||
{{Prevention:Regulators:Establish Industry Insurance Fund}} | |||
{{Prevention:Regulators:End}} | {{Prevention:Regulators:End}} | ||
== References == | == References == | ||
<references><ref name="redditold-11184">[https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1ukbw/ Tradegrow | <references> | ||
<ref name="redditold-11184">[https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1ukbw/ Tradegrow - "Leave a comment on there wallet address asking for the crypto back . Not much can be done unless it ends up in a exchange and they are willing to help somehow" - Reddit] (Oct 3, 2022)</ref> | |||
<ref name="redditold-11185">[https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/ NEED HELP! Hacked Metamask account | <ref name="redditold-11185">[https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/ Sup_55 - NEED HELP! Hacked Metamask account - Reddit] (Jun 1, 2023)</ref> | ||
<ref name="etherscan-11186">[https://etherscan.io/address/0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286 Reported Hacker's Address - Etherscan] (Jun 1, 2023)</ref> | |||
<ref name="etherscan-11186">[https://etherscan.io/address/0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286 Address | <ref name="etherscan-11187">[https://etherscan.io/tx/0xe971e2660a412228d029b41aa36d6b012b97b6adee2625a2ed5c1d9c0b515c13 Transfer of 1.014009665159184041 ETH - Etherscan] (Jun 1, 2023)</ref> | ||
<ref name="etherscan-11188">[https://etherscan.io/tx/0x20df2128202838826ae9ad8eaea0193dcb56675da28a369ddb76ca85da77a29f Transfer Of 0.078 ETH - Etherscan] (Jun 1, 2023)</ref> | |||
<ref name="etherscan-11187">[https://etherscan.io/tx/0xe971e2660a412228d029b41aa36d6b012b97b6adee2625a2ed5c1d9c0b515c13 | <ref name="etherscan-11189">[https://etherscan.io/tx/0x9de8803930e9b8e01a530dddc8cd164b6f075f72afae0f4b04ab22fc837d6553 Transfer Of 0.093420801498595 ETH - Etherscan] (Jun 1, 2023)</ref> | ||
<ref name="etherscan-11190">[https://etherscan.io/tx/0x78983788ec1f37ee408ad419dcf6ce7faf104c3833bc62ed2e32d1144eb3b9bc Transfer Of 0.220123840391726 ETH - Etherscan] (Jun 1, 2023)</ref> | |||
<ref name="etherscan-11188">[https://etherscan.io/tx/0x20df2128202838826ae9ad8eaea0193dcb56675da28a369ddb76ca85da77a29f | <ref name="etherscan-11191">[https://etherscan.io/tx/0xc29a6a0c0e15e27fbc0053efa56f6aec32b617b0039426fa383eef63d44e52f7 Transfer Of 1.224395983208325075 ETH to Attacker's Wallet - Etherscan] (Jun 1, 2023)</ref> | ||
</references> | |||
<ref name="etherscan-11189">[https://etherscan.io/tx/0x9de8803930e9b8e01a530dddc8cd164b6f075f72afae0f4b04ab22fc837d6553 | |||
<ref name="etherscan-11190">[https://etherscan.io/tx/0x78983788ec1f37ee408ad419dcf6ce7faf104c3833bc62ed2e32d1144eb3b9bc | |||
<ref name="etherscan-11191">[https://etherscan.io/tx/0xc29a6a0c0e15e27fbc0053efa56f6aec32b617b0039426fa383eef63d44e52f7 | |||
Revision as of 12:04, 23 July 2023
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Reddit user Sup_55 had their Ethereum taken from their MetaMask wallet. The exact mechanism of the theft is presently unknown. There are several potential transactions which could have been the theft.
About Sup_55
About MetaMask
The Reality
TBD
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| December 31st, 2021 11:52:54 PM MST | First Transaction To Attacker Wallet | The very first transaction happens to the attacker's wallet, where it is funded by 0.227498685696200008 ETH[1]. |
| January 6th, 2022 11:30:30 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 1.224395983208325075 ETH[2]. |
| January 9th, 2022 1:55:51 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 0.220123840391726 ETH[3]. |
| January 9th, 2022 2:02:35 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 0.093420801498595 ETH[4]. |
| January 9th, 2022 5:35:25 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 0.078 ETH[5]. |
| January 10th, 2022 1:37:15 AM MST | Transfer To Attacker's Wallet | The attacker's wallet receives 1.014009665159184041 ETH[6]. |
| January 10th, 2022 2:55:02 AM MST | Reddit Post | Incident is posted about on Reddit[7]. TBD more comment review. |
| January 10th, 2022 3:35:33 AM MST | Unanswered Questions | Sup_55 is asked whether they have "been trading any NFTs or connected and approved transactions on any sites recently" or if they may have given away their seed phrase[8]. This question is never answered. |
| January 31st, 2022 7:20:16 AM MST | Attacker Wallet Funds Transferred | The reported attack wallet transfers their Ethereum funds (totaling 5.312751225715968609 ETH) to another wallet address[9]. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
"This is the wallet address of the hacker:
0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286
Attacker Wallet Cleared Out
The attacker moved all funds to a new wallet address[9].
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Incident Posted On Reddit
Sup_55 posted on the ethereum subreddit with limited details of what had transpired[7].
"This is the wallet address of the hacker:
0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286
Please beware and any info and what do to can help! I've already sent Metamask the info of the transactions. Now I'm just suffering in silence (F in the chat)"
Community Reactions on Reddit
Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?
Leave a comment on there wallet address asking for the crypto back . Not much can be done unless it ends up in a exchange and they are willing to help somehow
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
TBD
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc... Never ever send these to anyone else who you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you like pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.
Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Attacker Wallet Initially Funded With 0.227498685696200008 ETH - Etherscan (Jul 23, 2023)
- ↑ Transfer Of 1.224395983208325075 ETH to Attacker's Wallet - Etherscan (Jun 1, 2023)
- ↑ Transfer Of 0.220123840391726 ETH - Etherscan (Jun 1, 2023)
- ↑ Transfer Of 0.093420801498595 ETH - Etherscan (Jun 1, 2023)
- ↑ Transfer Of 0.078 ETH - Etherscan (Jun 1, 2023)
- ↑ Transfer of 1.014009665159184041 ETH - Etherscan (Jun 1, 2023)
- ↑ 7.0 7.1 Sup_55 - NEED HELP! Hacked Metamask account - Reddit (Jun 1, 2023)
- ↑ 8.0 8.1 PotentialBreakfast34 - "Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?" - Reddit (Jul 23, 2023)
- ↑ 9.0 9.1 Transfer Of Funds To New Wallet - Etherscan (Jul 23, 2023)
- ↑ Reported Hacker's Address - Etherscan (Jun 1, 2023)
- ↑ Tradegrow - "Leave a comment on there wallet address asking for the crypto back . Not much can be done unless it ends up in a exchange and they are willing to help somehow" - Reddit (Oct 3, 2022)