MetaMask Ethereum Hacked Sup_55

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

MetaMask

Reddit user Sup_55 had their Ethereum taken from their MetaMask wallet. The exact mechanism of the theft is presently unknown. There are several potential transactions which could have been the theft.

About Sup_55

Sup_55 was born in February 2002[1] and lives in The Hague, Netherlands near Laakhaven[2]. He has a tattoo inspired by One Piece[3].

About MetaMask

The Reality

TBD

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - MetaMask Ethereum Hacked Sup_55
Date Event Description
December 31st, 2021 11:52:54 PM MST First Transaction To Attacker Wallet The very first transaction happens to the attacker's wallet, where it is funded by 0.227498685696200008 ETH[4].
January 6th, 2022 11:30:30 AM MST Transfer To Attacker's Wallet The attacker's wallet receives 1.224395983208325075 ETH[5].
January 9th, 2022 1:55:51 AM MST Transfer To Attacker's Wallet The attacker's wallet receives 0.220123840391726 ETH[6].
January 9th, 2022 2:02:35 AM MST Transfer To Attacker's Wallet The attacker's wallet receives 0.093420801498595 ETH[7].
January 9th, 2022 5:35:25 AM MST Transfer To Attacker's Wallet The attacker's wallet receives 0.078 ETH[8].
January 10th, 2022 1:37:15 AM MST Transfer To Attacker's Wallet The attacker's wallet receives 1.014009665159184041 ETH[9].
January 10th, 2022 2:55:02 AM MST Reddit Post Incident is posted about on Reddit[10]. TBD more comment review.
January 10th, 2022 3:35:33 AM MST Unanswered Questions Sup_55 is asked whether they have "been trading any NFTs or connected and approved transactions on any sites recently" or if they may have given away their seed phrase[11]. This question is never answered.
January 31st, 2022 7:20:16 AM MST Attacker Wallet Funds Transferred The reported attack wallet transfers their Ethereum funds (totaling 5.312751225715968609 ETH) to another wallet address[12].

Technical Details

[13]

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

"This is the wallet address of the hacker:

0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286

Attacker Wallet Cleared Out

The attacker moved all funds to a new wallet address[12].

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Opening Ticket With MetaMask

Sup_55 reportedly opened a ticket with MetaMask[14]. TBD expand.

Incident Posted On Reddit

Sup_55 posted on the ethereum subreddit with limited details of what had transpired[10].

"This is the wallet address of the hacker:

0x2e12C82E41e99a0eC69721D5E582AD3Db1F2A286

Please beware and any info and what do to can help! I've already sent Metamask the info of the transactions. Now I'm just suffering in silence (F in the chat)"

Community Reactions on Reddit

[11][15].

Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?

Leave a comment on there wallet address asking for the crypto back . Not much can be done unless it ends up in a exchange and they are willing to help somehow

TBD: Review when archive back online: [16]

Ultimate Outcome

TBD

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

The exploit was most likely the result of Sup_55 providing their seed phrase to a scammer, installing malware on their computer, or approving a malicious transaction. Offline storage provides an alternative for a cryptocurrency user to massively reduce their risk.

Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc... Never ever send these to anyone else who you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you like pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.

Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Platforms have a responsibility to educate new users and ensure understanding. They can work together to create an industry insurance fund to assist affected users.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Regulators have a responsibility to educate their citizens and ensure understanding. Regulators can encourage platforms to create an industry insurance fund to assist affected users.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Sup_55 - "this was a few days after my 20th bday" - Reddit (Aug 22, 2023)
  2. Sup_55 - "Yes! I live literally in that circle. I am a guy though" - Reddit (Aug 22, 2023)
  3. Sup_55 - "My first tattoo inspired by One Piece!" - Reddit (Aug 22, 2023)
  4. Attacker Wallet Initially Funded With 0.227498685696200008 ETH - Etherscan (Jul 23, 2023)
  5. Transfer Of 1.224395983208325075 ETH to Attacker's Wallet - Etherscan (Jun 1, 2023)
  6. Transfer Of 0.220123840391726 ETH - Etherscan (Jun 1, 2023)
  7. Transfer Of 0.093420801498595 ETH - Etherscan (Jun 1, 2023)
  8. Transfer Of 0.078 ETH - Etherscan (Jun 1, 2023)
  9. Transfer of 1.014009665159184041 ETH - Etherscan (Jun 1, 2023)
  10. 10.0 10.1 Sup_55 - NEED HELP! Hacked Metamask account - Reddit (Jun 1, 2023)
  11. 11.0 11.1 PotentialBreakfast34 - "Have you been trading any NFTs or connected and approved transactions on any sites recently? Or have you given your seed phrase to anyone?" - Reddit (Jul 23, 2023)
  12. 12.0 12.1 Transfer Of Funds To New Wallet - Etherscan (Jul 23, 2023)
  13. Reported Hacker's Address - Etherscan (Jun 1, 2023)
  14. Sup_55 - "I've opened a ticket with them and I gave them the wallet address of the scammer/hacker and the transaction ID of how much was taken and when from my account to their's." - Reddit (Aug 22, 2023)
  15. Tradegrow - "Leave a comment on there wallet address asking for the crypto back . Not much can be done unless it ends up in a exchange and they are willing to help somehow" - Reddit (Oct 3, 2022)
  16. https://web.archive.org/web/20220110100240/https://old.reddit.com/r/ethereum/comments/s0gh4i/need_help_hacked_metamask_account/hs1ml9h/
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=MetaMask_Ethereum_Hacked_Sup_55&oldid=4904"