This week, Taylor Monahan published an analysis identifying thefts from numerous cryptocurrency wallets across 11 different blockchains, without being able to pin down the cause. What do we know about these curious hacks?
Multiple thefts affect cryptocurrency wallets
This week, MyCrypto founder and CEO Taylor Monahan published her on-chain analysis showing that since last December, the equivalent of 5,000 ETH has been drained from a multitude of wallets on 11 different blockchains.
What is interesting is that from the analysis, it seems difficult to establish commonalities between the victims, but many similarities have been discovered in the modus operandi.
The impacted wallets were created between 2014 and last December:
If you are reading this, you’re the type to be drained by this.
This is NOT a low-brow phishing site or a random scammer. It has NOT rekt a single noob. It ONLY rekts OGs.
If you have all your stuff under a single Secret Recovery Phrase / Private Key, please be safe migrate. pic.twitter.com/o50pcBaUWT
– Tay (@tayvano_) April 18, 2023
The exploited flaw has not yet been identified, but the worst-case scenario, a flaw in the encryption of the private keys themselves, is ruled out: if an attacker had achieved such an exploit, the damage would be far greater.
According to the analyses, the majority of these thefts take place between 10 a.m. and 4 p.m. UTC for the main assets, while the smaller sums are generally siphoned off between 4 p.m. and 10 p.m. UTC. Moreover, a large proportion of these thefts are said to take place at weekends:
Lastly, a lot of thefts seem to take place on the weekend. I obvs don’t have every transaction but it’s weird af. I don’t know. It’s just weird.
Dec 18 = Sunday
Dec 25 = Sunday
Jan 29 = Sunday
Feb 17-19 = Friday-Sunday
Apr 15 = Saturday pic.twitter.com/b4TEAMjmdO
– Tay (@tayvano_) April 18, 2023
It is also interesting to note that sometimes assets are sent from one victim’s address to another, in order to consolidate the loot. For example, funds stolen from victim A are sent to victim B, whose funds and those of A are sent to a victim C.
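The two on-chain observations above, the UTC time-of-day and weekend clustering and the victim-to-victim consolidation of loot, are both things an analyst can test for mechanically once outgoing transfers from the drained addresses are collected. The following Python is an added illustration written for this article, not code from Taylor Monahan's analysis; the transfer records, the victim and sink addresses, and the 10 ETH cut-off separating "main assets" from "smaller sums" are constructed assumptions, not real chain data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of outgoing transfers from drained addresses (not real chain data).
# Fields: ISO-8601 UTC timestamp, sending address, receiving address, amount in ETH.
# Dates deliberately match the weekend days cited in the article.
SAMPLE_TRANSFERS = [
    ("2022-12-18T11:05:00Z", "0xvictimA", "0xvictimB", 120.0),  # Sunday
    ("2022-12-18T11:40:00Z", "0xvictimB", "0xvictimC", 250.0),  # Sunday, A's funds merged in
    ("2022-12-18T12:10:00Z", "0xvictimC", "0xsink1",   400.0),  # Sunday, consolidated loot leaves
    ("2022-12-25T18:30:00Z", "0xvictimD", "0xsink2",     2.5),  # Sunday, small sum, evening window
    ("2023-01-29T14:00:00Z", "0xvictimE", "0xsink1",    75.0),  # Sunday
    ("2023-02-17T09:00:00Z", "0xvictimF", "0xsink3",    30.0),  # Friday, outside both windows
    ("2023-04-15T19:15:00Z", "0xvictimG", "0xsink2",     1.2),  # Saturday, small sum
]
VICTIMS = ["0xvictimA", "0xvictimB", "0xvictimC", "0xvictimD",
           "0xvictimE", "0xvictimF", "0xvictimG"]

MAIN_ASSET_THRESHOLD = 10.0  # assumed split between "main assets" and "smaller sums"


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timing_profile(transfers, threshold=MAIN_ASSET_THRESHOLD):
    """Bucket transfers by UTC window (10-16, 16-22, other) and weekend/weekday,
    separately for large and small amounts, to check the clustering claim."""
    profile = {"large": {"window": Counter(), "day": Counter()},
               "small": {"window": Counter(), "day": Counter()}}
    for ts, _src, _dst, amount in transfers:
        dt = parse_ts(ts)
        size = "large" if amount >= threshold else "small"
        if 10 <= dt.hour < 16:
            window = "10-16 UTC"
        elif 16 <= dt.hour < 22:
            window = "16-22 UTC"
        else:
            window = "other"
        profile[size]["window"][window] += 1
        # datetime.weekday(): Monday=0 ... Saturday=5, Sunday=6
        profile[size]["day"]["weekend" if dt.weekday() >= 5 else "weekday"] += 1
    return {size: {k: dict(c) for k, c in buckets.items()}
            for size, buckets in profile.items()}


def consolidation_chains(transfers, victims):
    """Follow each victim's earliest outflow; a hop landing on another victim means
    the loot was merged before leaving the victim set. Returns the full paths that
    start at a chain head and contain at least two victim addresses."""
    victims = set(victims)
    first_out = {}
    for _ts, src, dst, _amt in sorted(transfers, key=lambda t: t[0]):
        first_out.setdefault(src, dst)  # earliest outflow per address
    fed_by_victim = {dst for src, dst in first_out.items()
                     if src in victims and dst in victims}
    chains = []
    for head in sorted(victims - fed_by_victim):
        path = [head]
        while path[-1] in first_out and len(path) < 64:  # cap guards against cycles
            path.append(first_out[path[-1]])
        if sum(1 for a in path if a in victims) >= 2:
            chains.append(path)
    return chains


def shared_sinks(transfers, victims):
    """Non-victim addresses that receive directly from two or more victims,
    a second way the same operator's destinations show up."""
    victims = set(victims)
    senders = defaultdict(set)
    for _ts, src, dst, _amt in transfers:
        if src in victims and dst not in victims:
            senders[dst].add(src)
    return {dst: sorted(s) for dst, s in senders.items() if len(s) >= 2}


if __name__ == "__main__":
    print(timing_profile(SAMPLE_TRANSFERS))
    print(consolidation_chains(SAMPLE_TRANSFERS, VICTIMS))
    print(shared_sinks(SAMPLE_TRANSFERS, VICTIMS))
```

On the constructed sample, `timing_profile` places four of the five large outflows in the 10:00-16:00 UTC window and both small ones in 16:00-22:00 UTC, with six of seven on a weekend; `consolidation_chains` recovers the A -> B -> C -> sink hop sequence described above, and `shared_sinks` flags the two destinations that receive from more than one victim. The value of such a profile is as a fingerprint: a new drain that matches the time windows and the consolidation habit can be linked to the same campaign even when the victims have nothing else in common.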
In addition, the attacker appears to keep things simple, often leaving behind NFTs and open positions in decentralised finance (DeFi) protocols. However, there have been instances where the attacker returns to an address previously visited.
How to protect yourself from such an attack
In theory, this type of theft mainly concerns hot wallets such as MetaMask, xDeFi or Rabby, but it is important to note that none of them seem to be specifically targeted.
In truth, it is the way in which the wallet’s private key is stored that will be decisive. As hot wallets store the private key in a file hosted on the user’s machine, they are easier targets. However, if the seed phrase of a hardware wallet is stored in a text file on the user’s computer, it is no less vulnerable.
In general, it is therefore prudent to diversify the locations of one’s funds, so that the addresses where they are located do not depend on a single seed phrase. In addition, it may be wise to regularly move assets to addresses created from new seed phrases in case the last one is compromised.
Furthermore, while the most prudent course of action is to use hardware wallets, seed phrases should never be saved on a machine with Internet access.
While we await further information on this wave of account siphoning, it is advisable to limit the amount of funds stored in hot wallets as much as possible, while renewing them at regular intervals.
*** Translated with www.DeepL.com/Translator (free version) ***