Crypto investor Jonny Reid shared on Twitter his experience of having crypto assets stolen from his MetaMask wallet. Reviewing the incident, he believes he has a "high level of security awareness."
However, even with the help of friends working in cybersecurity, he has still been unable to identify how the hack happened. So which security gap did the attacker exploit? All he has been able to do since then is strengthen his security measures.
Jonny Reid found that 41 ETH had been transferred out of his MetaMask wallet on 18th May. He emphasized that although he has no hardware wallet, he has been using MEW, MetaMask, and other wallets since 2016 with a high level of security awareness. He is also very cautious about phishing links, Discord, Telegram, etc., and is still not sure how the theft happened.
The Possible Reason
1# The Web Refresh Apps
Reid needed to renew his passport for an upcoming trip and apply online on the official British government website, which required constantly refreshing the page. So on 5/16 he downloaded two Chrome extensions to refresh the page automatically. He did not like the first extension very much, so he deleted it and downloaded another.
2# The Web Refresh Apps 2
The second was "Easy auto-refresh." He used it for about 14 hours; the antivirus software detected no anomaly, no alert window popped up, and everything went smoothly.
From then until the hack on 5/18, Reid was busy with his wedding and had not used his wallet for more than three days. Afterward, he looked for possible causes: had the MetaMask wallet been left logged in? Had he clicked on a strange link?
Reid’s MetaMask had about eight wallets totaling nearly $130,000, and the hackers dumped about $83,000 (41 ETH).
Reid and his friends had never heard of the "FIXED FLOAT" exchange. He actively contacted the exchange's customer service, but they could not provide any details.
Post-event Cybersecurity Analysis
Reid brought in a security friend to check his computers, but neither the laptop nor the desktop showed anything abnormal. After thinking hard, and after changing all his passwords, Reid found some traces.
His Gmail notifications showed suspicious activity on his Google account. Digging deeper, he discovered that his Gmail had been logged into from a device in the Czech Republic before the hack.
He still doesn't understand how Gmail was compromised (he had 2FA set up). He also found that the first web-refresh extension he downloaded had been updated on 5/18, the day of the hack, while the version he had been using dated from 2021/04/11, but this may just be a coincidence.
Final Words: Strengthening Cybersecurity
After the hack, Reid bought a hardware wallet (Ledger Nano X) and a laptop dedicated to cryptocurrencies, and reset his two old computers. While the exact cause of the hack is still unknown, his tweet drew a large response from the crypto community, whether out of sympathy or a desire to help.
What took everyone by surprise is that, if it is established that only the Google account was compromised, attackers could use it to take control of MetaMask. Reid also pointed to a previously reported scam in which scam groups monitor the content of all posts through the Twitter API.
As long as a post asking for help contains the words support, help, or assistance and names a crypto wallet such as MetaMask, Phantom, Yoroi, or Trust Wallet, it will receive a reply from a scam bot within seconds of posting. Reid said he has been tagged in or privately messaged with similar scams on Twitter since he posted, and urged everyone not to click on the links.
Thank you for reading. May InfoSec be with you🖖.