Help me understand how I got hacked

I just got my entire MM wallets drained.

I have been in crypto since 2017 and always do my due diligence before approving any contract. I just had all my wallets (10+) drained. Now I understand that if I did approve any malicious contract, then only the wallet I approved on would be phished.

The only other possible scenario is my seed phrase was stolen or compromised, but I only keep that written safely on a piece of paper and hidden in a safe at my home. I went to check it and it was safely there. Help me understand how this happened, please.

Another scenario I can think of is my laptop being hacked or a virus being installed. As soon as I got knowledge of the drain happening I deleted my MetaMask, turned off Wi-Fi and shut down the computer, but I kept getting drained on different wallets through different chains.

EDIT: I’m looking for a way to move out my staked funds on Arbitrum safely. It seems that there’s a sweeper bot on my wallets that instantly takes out any funds added. I’ve read about a script to front-run that bot but I’m not sure how to go about that.


25 thoughts on “Help me understand how I got hacked”

  1. First, my condolences and that really sucks to hear.

    If you use metamask with a seed phrase, all accounts are created using private keys derived from the same seed phrase.

    Losing this says to me that your seed phrase may have been compromised. If it was a malicious protocol or permission, then we would expect only a few wallets to be drained.

    MetaMask stores the seed phrase on your computer [here](https://ethereum.stackexchange.com/questions/52658/where-does-metamask-store-the-wallet-seed-file-path), and in extension files [here](https://github.com/MetaMask/metamask-extension/issues/2749). It is encrypted, but if the attacker can:

    * Get access to your files
    * Get your MM password

    They can decrypt your seed.

    So potentially you entered your MM password into a malicious site, which could have given an attacker the ability to decrypt your seed. I need to check how chrome extensions work but it may also have been possible for the attacker to request access to your encrypted keystore. Something you might want to flag with MM.

    In terms of suggestions to remedy this for the future – people have mentioned hardware wallets. I also use a Gnosis Safe with a few signatories with isolated seeds to store my main funds. This is more cumbersome but makes it more likely your savings are kept safe even if your main account is compromised.

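The point in the first comment, that every MetaMask account is a key derived from the same seed phrase, is the reason a seed compromise empties all wallets at once. The following added example (not code from the original thread or from MetaMask) derives the private keys for the first few accounts at MetaMask's default BIP44 path m/44'/60'/0'/0/i from one BIP39 mnemonic, using only the Python standard library with secp256k1 arithmetic written inline. It assumes the standard BIP39/BIP32/BIP44 derivation and uses the public BIP39 test mnemonic "abandon … about", which holds no funds.

```python
"""Derive several Ethereum account keys from one BIP39 mnemonic.

Demonstrates why a leaked seed phrase exposes every MetaMask account:
account i lives at m/44'/60'/0'/0/i under the single seed, so whoever
holds the seed can recompute all of them. Standard library only; the
secp256k1 arithmetic below is plain affine math for illustration, not a
constant-time production implementation.
"""
import hashlib
import hmac
import unicodedata

# secp256k1 domain parameters (public constants from the curve standard)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def _point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def _compressed_pubkey(priv: int) -> bytes:
    """SEC1 compressed encoding: 0x02/0x03 parity prefix plus the x coordinate."""
    x, y = _scalar_mult(priv)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    s = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", m, s, 2048, 64)


def _ckd_priv(k: int, chain: bytes, index: int):
    """BIP32 private child derivation; hardened indices use the private key, normal ones the public key."""
    if index >= HARDENED:
        data = b"\x00" + k.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = _compressed_pubkey(k) + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(i[:32], "big") + k) % N
    return child, i[32:]


def derive_eth_private_key(mnemonic: str, account_index: int, passphrase: str = "") -> bytes:
    """Private key at m/44'/60'/0'/0/<account_index>, the path MetaMask uses by default."""
    i = hmac.new(b"Bitcoin seed", mnemonic_to_seed(mnemonic, passphrase), hashlib.sha512).digest()
    k, chain = int.from_bytes(i[:32], "big"), i[32:]
    for level in (44 | HARDENED, 60 | HARDENED, 0 | HARDENED, 0, account_index):
        k, chain = _ckd_priv(k, chain, level)
    return k.to_bytes(32, "big")


def keys_exposed_by_seed(mnemonic: str, count: int) -> list:
    """Hex private keys of the first `count` accounts, i.e. everything one leaked phrase exposes."""
    return [derive_eth_private_key(mnemonic, i).hex() for i in range(count)]


if __name__ == "__main__":
    # Public BIP39 test mnemonic (constructed test value, controls no real funds)
    TEST_MNEMONIC = "abandon " * 11 + "about"
    for idx, key in enumerate(keys_exposed_by_seed(TEST_MNEMONIC, 3)):
        print(f"account {idx}: {key}")
```

Note that nothing in the derivation involves the MetaMask password: the password only protects the encrypted vault file on disk, while the phrase itself is the root of every account. This is also why a hardware wallet helps, since the seed never leaves the device and the derivation above happens inside it.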
  2. Was your MetaMask secured by a hardware wallet, or were you just using the 12 word phrase that MetaMask generated for you?

  3. It’s possible you could have had a keylogger put in your system. So even if you had your stuff written down, once you put it into your infected computer, the hacker has it.

  4. Have you ever taken a picture of your seed phrase? You likely got phished. Someone has your seed phrase somehow

    Anyone else know about your seed phrase location?

  5. I suspect sketchy download. MM stores wallet info in local storage.

    You don’t seem the type to give out each seed phrase for every single wallet, so theorising someone/something scraped your data and phoned it home.

    — —

    Maybe worth changing all passwords on accounts. From a fresh browser. Also investigate task manager, services, scheduled tasks.

    You’re bound to see something running you don’t recognise. Hopefully it’ll lead to the HOW of it all..

    – Maybe you tried to open a PDF that wasn’t really a PDF? (Renamed exe, renamed script to download malicious tools)

    – Maybe you clicked a sketchy discord link?

    – Maybe a fake “login to MetaMask” popup? Though I’ve not seen that one personally.. always seemed an obvious vector to phish users’ MM global pass..

    Sucks man!

    — —

    I would be curious to see the drainer’s activity on chain too, surely you’re not the only target. And their wallet(s) may likely be flagged as deployer of a token contract, you know.

  6. So in the past 3 months, have you connected with any sites, swapped any tokens or approved anything at all on any sites whatsoever?

  7. To me the most likely candidate is a compromised PC. Keylogger or remote access. Usually it’s because people do something dumb like store their seed phrase in Gmail or iCloud, but it doesn’t sound like that was it.

  8. Can you remember any situation where you had to put in your MM password twice for it to work, or the login reset for any reason?

  9. There’s plenty of malicious websites posing as defi platforms, that’s probably how your wallet was exposed. I’d be very wary of new defi projects in the future and stick to the already known and established ones if I were you.

  10. Sorry for your loss. Please let us know if you figure out the answer. Stories like this always make me nervous about my funds.

  11. If your wallet is being drained, turning off your WiFi and computer is the equivalent of closing your eyes and pretending like everything is fine..

  12. Just use a hardware wallet but we are still at risk of seed phrase compromise. This is why DeFi needs to integrate ID management solutions to streamline the login process and minimize complexity without compromising decentralization.

  13. Sorry to learn about your experience. I advise that going forward, you should use intermediary wallets that contain little or no crypto to interact with platforms and never use your “savings” wallet to interact with any platform. Only transfer from your savings wallet to your intermediary wallet. That way, if your intermediary wallet is compromised, your assets remain safe in your savings wallet.

  14. Question: say I have crypto stored in a hot (Trust) wallet. The key is safe, offline. Wallet generated around 2018. At one point, I input the key phrase via a trusted computer to port the wallet to MetaMask to experiment with a couple of DeFi projects. The MetaMask wallet has since been deactivated. Assuming there was no type of malware/keystroke recorder present, is my wallet at risk by some link to MetaMask?

