Ledger/MetaMask Hack PowerOfTheGods

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!


The Reddit user PowerOfTheGods reported losing all of the cryptocurrency they had accumulated over roughly the previous 5 years from both their Ledger hardware wallet and 4 separate MetaMask wallets. The funds allegedly left around the time they were checking the balances of the wallets through MetaMask, something they did regularly. Although they reported the theft to law enforcement for investigation, there is no evidence that any funds were recovered or that the attacker was identified.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About PowerOfTheGods

"Reddit user Power[O]fTheGods said he had been investing since 2016 and kept his investments in a Ledger Nano S (a crypto wallet) and four Metamask digital hot wallets." "I've been investing in digital assets since early 2016. I would consider myself pretty knowledgeable on all things related crypto/blockchain. I believe in the tech, I built my portfolio up for years and this is pretty much one of the only things I enjoy in life. I have a hardware wallet (Ledger Nano S) since 2017 and 4 different Metamask "hot" wallets. The hardware wallet consisted of 80% of my portfolio." "$ETH $MATIC $AAVE $TIME $OVR $ENS $ZRX $AVAX"

"My seed phrase is on paper, stored in a safe, which no one has access to. My seed phrase has never been written down anywhere else, no computer, no phone, except on that paper in the safe."

The Reality

Many computers are already infected with malware, and many malware distributors are incredibly skilled at what they do. Hot wallets provide very limited protection against a computer which is already infected with malware.

Only the Ledger device's own screen can be trusted to show what is actually being signed: the device receives the raw transaction and renders it itself, while everything MetaMask or the browser displays is drawn by the PC and can be altered by malware. The device protects the user only if they compare the two before confirming with the buttons.

What Happened

PowerOfTheGods found their Ledger wallet and four separate MetaMask wallets emptied within minutes of each other.

Key Event Timeline - Ledger/MetaMask Hack PowerOfTheGods
Date: December 31st, 2021 2:45:18 PM MST
Event: Main Event
Description: PowerOfTheGods's Ledger hardware wallet and four MetaMask hot wallets were emptied within minutes of each other, around the time they had MetaMask open to check balances. The loss was estimated at $120,000 USD.

Technical Details

Information which is known from PowerOfTheGods:

  • They insist that they did not share their private key or seed phrase anywhere online, not even a screenshot.
  • The theft involved almost entirely ERC-20 Ethereum-based tokens.




"PowerOfTheGods wrote he believes he lost his investment after clicking on a malicious link while web surfing. While his ledger was unlocked, a Trojan took control of his browser and wiped his wallet in a matter of minutes." "My only possible conclusion is that I clicked a malicious link while surfing the internet. The trojan must have somehow taken control over my Google Chrome browser (or Metamask extension) while I was using it, while my ledger was unlocked. Checking the transaction times, they were sent out around the time I had it open. Again, I never was prompted to accept or approve anything that I myself wasn't doing. It is frightening."


Remote Control Malware Hypothesis

It's possible that their computer was already infected with malware at the time of the theft, and had been for some time. For example, downloading a pirated version of the Windows operating system from Official-KPSMICO may include CryptBot malware. Other users have reported being tricked into installing malware via malicious Minecraft mod files or online torrent files.

Through this malware, their computer would remain operating under the full control of a remote attacker. This would allow the attacker to see all of the wallets which they had, every time they went to check their balance.

The attacker could have emptied the hot wallets at once, but a theft from one wallet would alert the victim and likely end access to the rest. It is reasonable to assume the attacker noticed the Ledger, which held roughly 80% of the portfolio, and waited for it, since that was the much larger prize.

MetaMask, or the web page it renders, can be replaced with a malicious version that displays any transaction the attacker wants, including the one the user actually initiated. Many users routinely skip double-checking on the hardware wallet. A smart contract interaction is hard to verify on the Ledger's small screen, where, depending on the app version and whether the device recognizes the contract, a token approval may be shown only as contract data or require blind signing to be enabled, so many users fall into the habit of checking the transaction on the PC instead.

Since most of the funds were ERC-20 tokens, the attacker did not need the private key. An ERC-20 approve() call signed on the Ledger grants a spender address of the attacker's choosing an allowance over that token, commonly the maximum uint256 value that wallets display as "unlimited", after which the spender can call transferFrom() to move the entire balance at any later time, from any machine. Allowances are per token, so each token would need its own signed approval (or a permit signature where the token supports it), and ETH itself cannot be approved this way and would have to leave by a signed transfer. In each case the PC would show the routine transaction PowerOfTheGods expected to see while the device received the approval or transfer, and a user in the habit of reading the PC rather than the device would sign it as part of their normal routine. Note that the Ledger will not sign without a physical button press, so this hypothesis requires that at least one transaction was confirmed on the device during the session; a device that was merely connected but never used to confirm anything could not have been drained this way.

Once the Ledger wallet was emptied, the attacker would be free to focus on emptying any remaining hot wallets stored within the PC, which is comparably trivial on a computer running malware.
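To make the approval mechanism above concrete, the following is an added example (not code from the original post, from Ledger or from MetaMask) that decodes the calldata of an Ethereum transaction well enough to tell whether it is an ERC-20 approval and compares it with what the wallet UI claims the transaction is, which is exactly the comparison a user makes when reading the hardware wallet screen instead of the PC. The function selectors are the standard ERC-20/ERC-721 constants; the token, exchange and attacker addresses and the "UI claim" objects are constructed for illustration and are not real contracts.

```javascript
// Added example: decode ERC-20 calldata and check it against what the
// wallet UI claims. Not from the original post, Ledger or MetaMask.

// First 4 bytes of keccak256(signature). Well-known selectors, hardcoded
// so the example runs without a keccak library.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0x39509351": "increaseAllowance(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0xa9059cbb": "transfer(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n; // what wallets display as "unlimited"

// i-th 32-byte ABI word after the 4-byte selector, as a 64-char hex string.
function word(data, i) {
  const start = 10 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}
const asAddress = (w) => "0x" + w.slice(24); // address = last 20 bytes of the word
const asUint = (w) => BigInt("0x" + w);

// Returns {kind, ...} with kind "approval", "transfer" or "unknown".
function decodeCalldata(data) {
  const d = data.toLowerCase();
  const sig = SELECTORS[d.slice(0, 10)];
  switch (sig) {
    case "approve(address,uint256)":
    case "increaseAllowance(address,uint256)":
      return { kind: "approval", sig, spender: asAddress(word(d, 0)), amount: asUint(word(d, 1)) };
    case "setApprovalForAll(address,bool)": // true = every token in the collection
      return { kind: "approval", sig, spender: asAddress(word(d, 0)),
               amount: asUint(word(d, 1)) === 0n ? 0n : MAX_UINT256 };
    case "transfer(address,uint256)":
      return { kind: "transfer", sig, to: asAddress(word(d, 0)), amount: asUint(word(d, 1)) };
    case "transferFrom(address,address,uint256)":
      return { kind: "transfer", sig, from: asAddress(word(d, 0)),
               to: asAddress(word(d, 1)), amount: asUint(word(d, 2)) };
    default:
      return { kind: "unknown", selector: d.slice(0, 10) };
  }
}

// Compare the transaction actually handed to the signer ({to, data}) with
// what the UI claims ({kind, counterparty, amount}). knownSpenders is the
// user's own allowlist of contracts they expect to approve.
function auditTransaction(tx, uiClaim, knownSpenders = []) {
  const real = decodeCalldata(tx.data);
  const findings = [];
  if (real.kind !== uiClaim.kind) findings.push(`UI shows a ${uiClaim.kind} but calldata is a ${real.kind}`);
  if (real.kind === "approval") {
    if (real.amount === MAX_UINT256) findings.push(`unlimited allowance granted to ${real.spender}`);
    if (!knownSpenders.map((s) => s.toLowerCase()).includes(real.spender))
      findings.push(`spender ${real.spender} is not a known contract`);
  }
  const counterparty = real.spender ?? real.to;
  if (counterparty && uiClaim.counterparty && counterparty !== uiClaim.counterparty.toLowerCase())
    findings.push(`counterparty ${counterparty} differs from displayed ${uiClaim.counterparty}`);
  if (real.amount !== undefined && uiClaim.amount !== undefined && real.amount !== uiClaim.amount)
    findings.push(`amount ${real.amount} differs from displayed ${uiClaim.amount}`);
  return { real, findings };
}

// Builds approve(spender, amount) calldata for the demonstration below.
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + spender.slice(2).toLowerCase().padStart(64, "0")
                      + amount.toString(16).padStart(64, "0");
}

// Constructed demonstration with hypothetical addresses (not real contracts).
const TOKEN = "0x" + "aa".repeat(20);    // hypothetical ERC-20 contract
const EXCHANGE = "0x" + "bb".repeat(20); // hypothetical deposit/spender address
const ATTACKER = "0x" + "cc".repeat(20); // hypothetical attacker-controlled spender

// Case 1: the PC shows a 1.5-token transfer to the exchange; the calldata
// actually handed to the device approves the attacker for the full balance.
const swapped = auditTransaction(
  { to: TOKEN, data: encodeApprove(ATTACKER, MAX_UINT256) },
  { kind: "transfer", counterparty: EXCHANGE, amount: 1500000000000000000n },
  [EXCHANGE]
);

// Case 2: a bounded approval to a contract the user expects, displayed honestly.
const honest = auditTransaction(
  { to: TOKEN, data: encodeApprove(EXCHANGE, 1500000000000000000n) },
  { kind: "approval", counterparty: EXCHANGE, amount: 1500000000000000000n },
  [EXCHANGE]
);
```

The first case produces five findings (wrong transaction kind, unlimited amount, unknown spender, different counterparty, different amount); the second produces none. The same comparison is what the hardware wallet screen gives a user for free, provided they read it rather than the PC.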

Malicious MetaMask Extension Hypothesis

It is also possible that they installed a malicious MetaMask extension or a fake build of it. Connecting a Ledger to MetaMask only exposes the public addresses; the private keys never leave the device, so a malicious extension could not copy them. It could, however, hand the device a different transaction than the one it displayed, which is the same attack as the malware hypothesis, and it would hold the keys of the four hot wallets in its own vault, which it could exfiltrate as soon as the vault password was entered. A seed phrase typed into such an extension would be stolen outright, but PowerOfTheGods states that the Ledger seed was never entered on a computer.

Total Amount Lost

The total amount lost has been estimated at $120,000 USD.

Immediate Reactions

"When he checked his accounts last December, he noticed they were empty. At the time, the currency was valued at more than $120,000." "Yesterday, I used my Metamask to access all my wallets for a balance status check before the new year. Everything seemed normal. After checking again late last night and after seeing one of my accounts showing as zero, I noticed every wallet was wiped." "As I look at all of my wallets today, I see zero balances and I am absolutely crushed. It took all my power to even get out of bed, file reports, and write this post today." "Checking the transactions, it seems like the wallets were completely wiped in a matter of minutes." "I have 4 hot wallets and 1 ledger wallet. Funds were pulled out of all 5."

"As I sit here on the first day of the new year, writing this post, I think to myself how much can one human take before it's just too much? The world can just be an absolutely awful, awful place. I read these "stolen or hacked crypto" posts all the time. I always think, wow that person doesn't know what they're doing, shouldn't be investing in crypto in the first place, or that would never happen to me, because I'm super careful! Maybe they are just lying and trying to just get sympathy? Believe me, I wish I was."

"I mainly write this post to warn others. Even if you think you are safe, you might still be at risk. I guess with these advanced hackers now, all it takes is one wrong click. This was my life savings aside from a few emergency funds in my traditional bank. I don't think I will ever financially, emotionally, or mentally recover from this. It has affected my life tremendously. I hate to sound dramatic and be that guy, but I'm honestly at a point now where life doesn't even seem worth it."

Ultimate Outcome

"I don't recall ever going to the actual Metamask website and definitely not a fake one, but either way thanks for this." "I've been on this computer for years and there's been a few times when accidentally clicking something that starts an auto-download. Obviously, I am always quick to delete or disable those files. Maybe a virus file was lying dormant for months or years without my anti-virus catching it? Just waiting for the right opportunity? Maybe it is a Metamask data leak? I'm not sure. I like to think I'm pretty careful about my passwords and security."


"I reached out and filed reports to my local law enforcement and the FBI." "I'm hoping one of the wallets leads to a KYC connection, but obviously a long shot here. Super grateful for any research or help." "Can't comment on much right now, but learned so far of a new malware that can hack into many different crypto wallets. Yes, seems like Ledger software too. Potentially promising."


"While the user reported the alleged crime to the authorities, there was nothing they could do because cryptocurrency is still largely unregulated. After he shared his story on Reddit, he found other users who reported similar experiences."

Total Amount Recovered

There do not appear to have been any funds recovered in this case. TBD

Ongoing Developments

TBD

Individual Prevention Policies

One must assume that any computer they use can be compromised. Minimize active management of funds and try to do so only in trusted and exclusive environments. If using a hardware wallet, always take the extra time and care to check even routine transactions on the device's own screen, not on the PC, and refuse to confirm anything the device shows that does not match what you intended. Malware is a key risk with downloading any pirated software. Linux is a free alternative to Windows that can be downloaded from an official source and is developed under the full scrutiny of a technical community.

Greater security can be achieved by storing most funds on a separate fully-offline wallet which is never interacted with. There is no need to check the balances regularly or share their existence with others. Advanced users can also set up a multi-signature wallet with multiple devices required for withdrawal.

Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Storing funds offline is the best practice to help secure your assets. A hardware wallet was already in use in this case, but it was connected and unlocked on a PC that was very likely compromised, and the funds left through signed transactions; a hardware wallet only protects funds that are never signed away.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Improved education can assist users in better securing their funds. An industry insurance fund can assist in the event of loss, and ensure that more incidents are reported for investigation.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Improved education can assist users in better securing their funds. An industry insurance fund can assist in the event of loss, and ensure that more incidents are reported for investigation.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References