WiseTumbleweed5448 MetaMask Wallet Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Reddit user WiseTumbleweed5448 reports that his MetaMask wallet was breached and that he lost either $6k or $7k worth of funds from it, while the attacker was also able to swipe rewards from his StrongBlock nodes. The StrongBlock nodes could not be transferred to another wallet; however, he was able to work with a bot owner to set up code that automatically swipes the rewards on his behalf.

About WiseTumbleweed5448

TBD

About MetaMask

TBD

About StrongBlock

TBD

About Black Mamba

An Ask Me Anything page notes a question being asked by Black Mamba regarding additional statistics being made available on nodes[1].

The Reality

As much as we all like to believe in our own intelligence, we are often quite able to be fooled by others. In the blockchain space, one must be on their guard at the best, and worst, of times, as a single slip-up is enough to lose all funds in a wallet.

What Happened

According to WiseTumbleweed, the scammer impersonated "Black Mamba", one of the administrators in the StrongBlock project[2].

Key Event Timeline - WiseTumbleweed5448 MetaMask Wallet Hack

Date | Event | Description
November 30th, 2021 6:56:19 PM MST | First Reddit Mention | The issue is first shared on Reddit.
January 26th, 2022 2:53:21 PM MST | Reddit Discussion | The incident is again mentioned on Reddit in response to Khamil1's similar case. He mentions his struggles and inability to migrate, suspend, or freeze any of the six nodes.[3]
February 2nd, 2022 6:45:38 AM MST | Video Conference With Bot Owner | WiseTumbleweed5448 reports that he has a video conference with a gentleman from Spain who helped someone else he met, and who is going to run an Ethereum bot on his account to prevent the hacker from claiming the rewards. He also provides some additional details about the situation[2].
February 10th, 2022 7:27:59 PM MST | Using A Spaniard | WiseTumbleweed5448 reports that he uses a "guy in Spain on 9 nodes hacked". He recommends that Reddit user HeroicLife use the same service[4].
February 10th, 2022 8:47:20 PM MST | Providing Security Advice | WiseTumbleweed5448 provides security advice to another user on Reddit, advising them to be sure to use a hardware wallet and to do further research on security[5].

Technical Details

Details are limited as to exactly how WiseTumbleweed5448 was exploited. The only description provided is that "[s]omeone posing as Black Mamba a legit admin was a scammer", which suggests that this was a phishing attack against an administrator of the StrongBlock project.

Description By WiseTumbleweed5448

"8 nodes compromised."

Total Amount Lost

WiseTumbleweed5448 lost both Ethereum in his account, and some StrongBlock rewards from his nodes which were locked to the same wallet. The total amount lost has been estimated at $6,000 USD.

Ethereum In Account

WiseTumbleweed5448 has reported the amount lost as both $6,000 USD and $7,000 USD.

StrongBlock Nodes

WiseTumbleweed5448's breach included a wallet with either 6[3], 8[2], or 9[4] StrongBlock nodes. The StrongBlock nodes entitle the holder to rewards; however, StrongBlock nodes cannot be moved from one wallet to another. The attacker was therefore able to receive the rewards but unable to steal any of the StrongBlock nodes. The losses from the nodes were consequently limited to the rewards received by the attacker, instead of WiseTumbleweed5448, during the period before the reward claim bot was set up. It is assumed that these rewards were not material.

Immediate Reactions

WiseTumbleweed5448 shared their experience widely through several Reddit posts.

Sharing Experience on Reddit

"I got swiped for 6k leaving wallet open for too long. Never gave out anything."

"I got hacked on 6 nodes. Have proof they are mine. Even my initials on each node. Contacted support 3 times. Generic message of sorry to hear but no migration at this time and can't freeze or suspend. Money came from my coinbase to mm to nodes. They should be able to work w Coinbase to help verify. If you import hacked seed to Trezor and assign a passphrase and pin won't that help even if seed compromised???????"

Ultimate Outcome

Despite his persistence, WiseTumbleweed5448 has been unable to get the breached nodes suspended, migrated, or frozen[3]. However, it is possible that WiseTumbleweed5448 successfully set up an Ethereum bot which reroutes the claimed rewards.

Advice About Using a Hardware Wallet

"Yes w a hardware wallet yes of course. DONT CONNECT W METAMASK ONLY. CONNECT W A TREZOR OR LEDGER. You will have to physically approve transactions. Please dyor on security!!!!!! Dont make my mistakes"

Setting Up A Bot To Claim Rewards

"Yes...Well partially some great news on that front. Same EXACT thing happened in my case. Someone posing as Black Mamba a legit admin was a scammer. 8 nodes compromised. I have a video conference today w a gentleman out of Spain who helped someone I met. Basically he will put a ETH bot on your account so hacker cannot claim rewards. He re-routes you claimed Strong rewards to another safe wallet per week and you reimburse him for the ETH as he has to pay to claim rewards. You will pay him 10 percent of rewards per week for his work. Once node migration is here, then you should be fine. He gets paid when YOU get paid. Never advance money to these ppl trying to help you first. To note, I have a video call w this expert to helps ppl like us. But I'm happy to have a chance. Of course use a hardware wallet from now on. My email is emk8431@gmail.com if you want further info. I have video conference today 1245 est. I greatly trust the victim who gave me this contact after much research. The guys name is Jose. The victim who gave me contact is on Twitter-@WilksAbram. Just email me and will give you contact info to help you recover your nodes. I may have a sweeper bot on mine so situation is more complex."

"Thats some bs right there. I use a guy in Spain on 9 nodes hacked by these losers. 15% charge and he does everything. Whats better is you set up a zoom call before you do anything. These ppl are insects on dead meat. You need to have technical know how. To launch this yourself is not that easy unless you are computer savy. IMO"

WiseTumbleweed5448 has been spending his time providing security advice to others on Reddit[5].

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

It's reported that WiseTumbleweed5448 attempted to set up an Ethereum bot which rerouted the claimed rewards.

Individual Prevention Policies

In this case, WiseTumbleweed5448 was tricked by a scammer who impersonated a respected member of the community. While the exact mechanisms are uncertain, they would have had to either provide their seed phrase, sign a malicious transaction, or execute malicious software to be exploited.

Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, etc. Never send these to anyone whom you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
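The review described above can be partly automated before a transaction is signed. The following is an added example and is not code from the original case study or from MetaMask or StrongBlock: it decodes raw calldata for the standard ERC-20/ERC-721 `approve`, `setApprovalForAll` and `transfer` selectors (the 4-byte selectors are the real, well-known ones), flags unlimited allowances, unknown spenders and blanket operator approvals, and catches a look-alike destination address that shares the visible first and last characters with the one you expected. The addresses, the trusted-spender list and the sample transactions are constructed for the demonstration.

```python
import re

# Real 4-byte selectors: first 4 bytes of keccak256 of the Solidity signature.
KNOWN_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance most dapps request by default


def encode_word(value: int) -> str:
    """ABI-encode an integer (or an address given as an integer) as one 32-byte hex word."""
    return format(value, "064x")


def decode_calldata(calldata: str) -> dict:
    """Split calldata into selector + 32-byte words and decode the functions we know."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if not re.fullmatch(r"[0-9a-f]*", data):
        raise ValueError("calldata is not hexadecimal")
    selector, body = data[:8], data[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    func = KNOWN_SELECTORS.get(selector)
    decoded = {"selector": selector, "function": func, "args": {}}
    if func == "approve(address,uint256)" and len(words) >= 2:
        decoded["args"] = {"spender": "0x" + words[0][-40:], "amount": int(words[1], 16)}
    elif func == "setApprovalForAll(address,bool)" and len(words) >= 2:
        decoded["args"] = {"operator": "0x" + words[0][-40:], "approved": int(words[1], 16) != 0}
    elif func == "transfer(address,uint256)" and len(words) >= 2:
        decoded["args"] = {"to": "0x" + words[0][-40:], "amount": int(words[1], 16)}
    return decoded


def looks_alike(a: str, b: str, prefix: int = 6, suffix: int = 4) -> bool:
    """True when two different addresses share the characters a wallet UI usually shows."""
    a, b = a.lower(), b.lower()
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def review_transaction(tx: dict, expected_to: str, trusted_spenders: set) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was detected."""
    findings = []
    to = tx["to"].lower()
    if looks_alike(to, expected_to):
        findings.append("destination is a look-alike of the expected address (only the middle differs)")
    elif to != expected_to.lower():
        findings.append("destination differs from the expected address")
    data = tx.get("data", "0x")
    decoded = decode_calldata(data)
    func, args = decoded["function"], decoded["args"]
    if func is None and data not in ("0x", ""):
        findings.append(f"unrecognised function selector 0x{decoded['selector']}; decode it before signing")
    if func == "approve(address,uint256)":
        if args["amount"] == MAX_UINT256:
            findings.append("unlimited token allowance requested")
        if args["spender"] not in {s.lower() for s in trusted_spenders}:
            findings.append(f"spender {args['spender']} is not on the trusted list")
    if func == "setApprovalForAll(address,bool)" and args.get("approved"):
        findings.append(f"operator {args['operator']} would control every token in the collection")
    return findings


# Constructed sample data (not real contracts or addresses).
TOKEN = "0x" + "11" * 20
LOOKALIKE_TOKEN = "0x1111" + "ab" * 16 + "1111"   # same first 6 and last 4 characters as TOKEN
UNKNOWN_SPENDER = "0x" + "22" * 20
TRUSTED = {"0x" + "33" * 20}

SAMPLE_UNLIMITED_APPROVE = {
    "to": TOKEN,
    "data": "0x095ea7b3" + encode_word(int("22" * 20, 16)) + encode_word(MAX_UINT256),
}
SAMPLE_LOOKALIKE_TRANSFER = {
    "to": LOOKALIKE_TOKEN,
    "data": "0xa9059cbb" + encode_word(int("33" * 20, 16)) + encode_word(1000),
}
SAMPLE_BENIGN_TRANSFER = {
    "to": TOKEN,
    "data": "0xa9059cbb" + encode_word(int("33" * 20, 16)) + encode_word(1000),
}

if __name__ == "__main__":
    for name, tx in [("unlimited approve", SAMPLE_UNLIMITED_APPROVE),
                     ("look-alike transfer", SAMPLE_LOOKALIKE_TRANSFER),
                     ("benign transfer", SAMPLE_BENIGN_TRANSFER)]:
        print(name, "->", review_transaction(tx, TOKEN, TRUSTED) or ["no findings"])
```

The check runs on the calldata the wallet is about to sign, so it is independent of whatever the website front-end displays; a transaction with any finding should be rejected and re-examined rather than approved.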

Any time untrusted software is run, there is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, meaning an environment in which you understand every piece of software running there. Using a hardware wallet, a spare computer with all software wiped, and/or a virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify that downloaded files come from the correct and expected source and match the published hashes if provided. Any time you encounter a new file, always check whether it can contain executable code prior to using it.
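The two checks in the paragraph above, comparing a download against a published hash and asking whether a file can carry executable code, can be combined into one vetting step. The following is an added example, not code from the case study or from any wallet vendor: it compares a SHA-256 digest in constant time (tolerating the `sha256:` prefix and casing differences that come from copy-pasting a release page) and sniffs the file's leading bytes for common executable and container formats. The sample "release" bytes and the published hash are constructed for the demonstration; the signature table is a small illustrative subset, not an exhaustive one.

```python
import hashlib
import hmac

# Leading bytes of formats that can carry executable code (illustrative subset, not exhaustive).
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary / Java class file",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"PK\x03\x04": "ZIP container (can hold .jar, .apk or Office macros)",
    b"%PDF": "PDF (can embed JavaScript)",
}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of the file contents."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, published: str) -> bool:
    """Constant-time comparison against a hash copied from a download page."""
    expected = published.strip().lower()
    if expected.startswith("sha256:"):
        expected = expected[len("sha256:"):]
    return hmac.compare_digest(sha256_of(data), expected)


def executable_kind(data: bytes):
    """Return a label if the leading bytes match a known executable/container format, else None."""
    for magic, label in EXECUTABLE_SIGNATURES.items():
        if data.startswith(magic):
            return label
    return None


def vet_download(data: bytes, published: str, expect_executable: bool) -> dict:
    """Accept only when the hash matches and the file type is what the user expected."""
    kind = executable_kind(data)
    hash_ok = hash_matches(data, published)
    accept = hash_ok and (kind is None or expect_executable)
    return {"hash_ok": hash_ok, "executable": kind, "accept": accept}


# Constructed sample data: a fake ELF header followed by filler, and the hash a vendor would publish for it.
SAMPLE_RELEASE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed sample, not a real binary"
PUBLISHED_HASH = "SHA256:" + sha256_of(SAMPLE_RELEASE).upper()
TAMPERED_RELEASE = SAMPLE_RELEASE + b"\x00"               # one byte appended: hash no longer matches
DISGUISED_DOCUMENT = b"MZ\x90\x00" + b"constructed 'statement.pdf.exe' body"

if __name__ == "__main__":
    print("genuine release :", vet_download(SAMPLE_RELEASE, PUBLISHED_HASH, expect_executable=True))
    print("tampered release:", vet_download(TAMPERED_RELEASE, PUBLISHED_HASH, expect_executable=True))
    print("'document'      :", vet_download(DISGUISED_DOCUMENT, sha256_of(DISGUISED_DOCUMENT), expect_executable=False))
```

The third case is the one the paragraph warns about: the hash is correct for the bytes received, but the file is an executable where a document was expected, so it is still rejected. A matching hash only proves the file is the one the publisher intended; it says nothing about whether the publisher, or the page that displayed the hash, was trustworthy.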

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

In this case, WiseTumbleweed5448 was tricked by a scammer who impersonated a respected member of the community. While the exact mechanisms are uncertain, they would have had to either provide their seed phrase, sign a malicious transaction, or execute malicious software to be exploited. This situation could have been prevented through increased education.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

An industry insurance fund can validate and provide some relief for users who suffer attacks.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

In this case, WiseTumbleweed5448 was tricked by a scammer who impersonated a respected member of the community. While the exact mechanisms are uncertain, they would have had to either provide their seed phrase, sign a malicious transaction, or execute malicious software to be exploited. This situation could have been prevented through increased education.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

An industry insurance fund can validate and provide some relief for users who suffer attacks.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References
