A sophisticated wallet drainer has stolen more than $10M worth of assets since December 2022 across 11 different blockchains.
The exploit appears to target experienced users who created their wallets between 2014 and 2022, according to MyCrypto founder and CEO Taylor Monahan.
The attack vector remains undetermined, however. MetaMask, the leading wallet provider, said that its security team is working in tandem with other wallet providers to figure out the source of the exploit.
Monahan urges Web3 users to remain vigilant and avoid holding all their assets in wallets secured by the same seed phrase.
Exploit Pattern
The attacker swapped users’ tokens for ETH, routing the trades through MetaMask Swap, Uniswap, or 0x.
The attacker usually doesn’t drain NFTs, staked assets, or other low-cap tokens. In some cases, however, the leftover assets were stolen later.
Users with smaller amounts on Ethereum-compatible chains would have their assets bridged and moved out once the attacker had gathered enough ETH to pay for gas fees. The assets would then get converted into Bitcoin using services like FixedFloat, SideShift and SimpleSwap.
Within a week after the conversion, the assets would be run through a Bitcoin privacy mixer such as Coinomize, Wasabi, or CryptoMixer.
Monahan concluded by saying that the exploit is not specific to MetaMask and that all wallets, including hardware wallets, are affected by this unknown yet active exploit.
On April 16, security firm SlowMist said they are investigating the issue after a user reported that their LQTY tokens were stolen in November 2022.
Crypto Exploits
Exploits are a major cause of concern for Web3 participants as there is usually little to no recourse after a user loses their funds.
On March 14, Euler Finance suffered a $200M exploit, although the protocol was later able to recover the majority of the stolen assets.
And just yesterday, antivirus provider Kaspersky revealed a critical bug on Apple devices, which could potentially be used to steal funds from crypto wallets.
In 2022, crypto investors lost an eye-watering $3.2 billion to scams and exploits.
Read More: thedefiant.io