April 19 (Cointime) - A cyber heist of $10 million, targeting adept cryptocurrency users, leaves leading security specialists perplexed.

Taylor Monahan, the ex-CEO and founder of Ethereum wallet management platform MyCrypto, disclosed via Twitter on Tuesday that more than 5,000 ETH had been purloined since December.

"Over the past 48 hours, I've been unraveling an extensive wallet-draining operation," stated Monahan, who became a part of MetaMask following MyCrypto's acquisition by ConsenSys, the parent company of the crypto wallet, last year. She further tweeted that the victims were individuals with greater-than-average crypto proficiency and "reasonably secure" measures, yet their funds were still depleted.

In other words, the victims are not inexperienced crypto users falling for blatant phishing scams. Instead, the attack is highly advanced, targeting seasoned crypto individuals who are experiencing significant losses, Monahan explained. “No one knows how.”

Read full thread:

If you are reading this, you're the type to be drained by this.

This is NOT a low-brow phishing site or a random scammer. It has NOT rekt a single noob. It ONLY rekts OGs.

If you have all your stuff under a single Secret Recovery Phrase / Private Key, please be safe migrate.

Afaik, no one has determined the source of their compromise.

Multiple devices have been forensic'd. Nothing.

The only known commonalities are:

- Keys were created btwn 2014-2022

- Folks are those who are more crypto native than most (e.g. multiple addresses, work in space, etc)

I'm tired af but I'll lay out some details of the attacker below.

Really the ONLY thing you need to read is this: PLEASE DON'T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw wallet. Migrate. Now.

My best guess rn is that someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove.

But that's just a guess. I *don't* know.

It is NOT cryptographic/entropy related tho, don't waste your time.

The theft and post-theft on-chain movement is VERY distinct. It's incredible. If you've been drained by this attacker you will gasp as you read this. If you don't gasp, this isn't your thief, sorry.

1. Primary theft txns are almost always between 10am–4pm UTC.

2. Secondary thefts and "dust" collecting occurs anytime but usually 4pm-10pm UTC.

Follow-up drains (for assets missed on the initial sweep) usually occur ~4hrs after the initial theft or at ~7am UTC the following day.

Sometimes accounts are re-swept weeks or months later.

3. Except when stealing v large amounts, the attacker will swap your tokens for ETH *inside your wallet* before sending the ETH out. They will use MM

Swaps, Uniswap, or 0x (esp. recently via the 0x labeled as "0x: Exchange Proxy Flash Wallet")

4. The attacker will often miss staked positions, NFTs, or lesser known tokens. Successful rescue missions are COMMON.

Sometimes the attacker will come back to get assets hours, days, months later.

5. For smaller amounts and assets on other EVM-chains, the attacker will often bridge / move from one of your addresses to another, or even from victim 1 -> victim 2 -> victim 3....

Once a sufficient amt of ETH exists in one address, they will move it out.

This means it may look like random ENS-name'd person sent 0.0X ETH for gas and then stole all your funds.

Or that your wallet was drained *to* an ENS-named account.

The random ENS name is NOT your attacker—it's another victim.

DON'T BE LIKE NICK

6. "Out" is always a centralized swapper such as: FixedFloat SimpleSwap SideShift ChangeNOW LetsExchange Unknown swapper @ 0xca60 Other unlabeled swappers nested at Binance Large Dec'22 thefts used RenBridge Final desty is always Bitcoin LTC, XRP, XMR, etc also moves to BTC.

7. ~20-30 drains will consolidate to 4-6 addies on Bitcoin, sit, then over next 0-6++ days go to:

Coinomize

Wasabi

CryptoMixer

BTC movements are more likely to occur earlier in the day (10am-1pm UTC) or as final move after the thefts (10pm UTC or 1am UTC).

8. Except in large sweeps, which are scripted, attacker is sending txns via MM

. Yes, this attacker is draining OG MM users and OG MM employees using MM. Yayyyyy.

(ps: I don't know this bc of some secret MM intel—I know it bc its easily discernible on-chain. Don't even.)

9. Dust remaining in original drained address and/or from other keys under the same seed have been stolen 80+ days after first address was drained.

Known large dust collections from already drained accounts occured on:

Feb 15

Feb 17

Feb 22

Mar 23

Mar 26

Apr 6

10. Recent IPs are a lot of HideMy but a *lot* of IPs & UAs have been seen. VPNs, not VPNs, proxies, unlabeled stuff.

Usually Windows/Chrome but Windows/FF & Mac/Chrome have been seen too. All over the place tbh, its weird af. (MM / Infura DO *NOT* HAVE UAs/IPs. Dont even.)

Lastly, a lot of the thefts seem to take place on the weekend???? I obvs don't have every transaction but it's weird af. I don't know. It's just weird. Dec 18 = Sunday Dec 25 = Sunday Jan 29 = Sunday Feb 17-19 = Friday-Sunday Apr 15 = Saturday

To be completely clear: this is NOT a MM-specific exploit.

Users of *all* wallets, even those created on a hardware wallet or generated for the Ethereum presale, have been impacted by this.

This source of this exploit is unidentified, and I'm trying to identify it.