My MetaMask Wallet was Emptied!
What can someone do when their MetaMask wallet is hacked? Apparently nothing. You know that sickening feeling you get when you lose something like your wallet or phone? You feel like you want to puke, your mind starts racing… “What should I do?”… a little denial, anger, bargaining, then acceptance. You have to start doing an inventory and cancelling accounts. It fucking sucks!
On 2 January, 2021 my MetaMask wallet was emptied (see the Etherscan). My name is Mike. I live in San Diego, California, I am 57 years old. I own my own small business. In November of 2020, I started buying cryptocurrency. I have built and upgraded my own computers, built my own websites and websites for others. I use the Linux Ubuntu operating system. No Microsoft Windows for me. I have never used Apple so I can’t comment on Apple products or software. I am a little more experienced and skilled with computers than the average computer user. That is why I am quite comfortable stating that MetaMask is not safe for an average computer user. And I will tell you what I would do if I used MetaMask again (with the benefit of hindsight). Just to be clear, I will not use MetaMask ever again. I have purchased a hardware “wallet” that I will use from now on. But even a hardware “wallet” is not safe if you don’t know some basic safeguards.
Ultimately, I am responsible for my internet security. Therefore I take full responsibility for my loss. I feel like a $700 loss is not as bad as it could have been. Experience — the test comes before the lessons. I failed the test and learned the lessons. I provide the reader with a few of the lessons I learned here in this article. This article is not intended to be a comprehensive list of “do’s and don’ts”, I am just sharing my experience. That being said, people should know how easy and common it is for bad actors to steal from the MetaMask browser extension. If you are an average computer user, I strongly urge you — DON’T USE METAMASK! But if you do…
“The beginning of wisdom is to call things by their proper name.”
First, let’s define a few terms and clarify some concepts. From the MetaMask website: “MetaMask is a crypto wallet & gateway to blockchain apps. Start exploring blockchain applications in seconds. Trusted by over 1 million users worldwide.”
The term “wallet”. Most of us know the word wallet as a smallish, flat, pocket-sized folding case for holding paper money. MetaMask is not a “wallet” in the normal sense of the word. MetaMask is a web browser extension. Generally speaking, a cryptocurrency “wallet” is really a software program. The program is usually secured with a seed phrase and private key. If your seed phrase and/or private key fall into the wrong hands, you can lose whatever that software has access to. Because cryptocurrency doesn’t exist in a physical form, your “wallet” doesn’t actually hold any of your coins — instead, all transactions are recorded and stored on the blockchain.
What is a browser extension? According to Brave (a cool web browser that doesn’t spy on you like Google Chrome, and uses BAT cryptocurrency), “Browser extensions are like specialized agents working with the flow of information through your browser. They may work to organize your notes, protect you from malicious actors, or just transform how that information appears. Of course, browser extensions by nature have access to all of the myriad things we do online, from shopping to checking our bank account. A poorly-secured browser or a malicious extension can expose personal information to unscrupulous eyes, risking identity theft or fraud.”
What is a “blockchain”? In the case of cryptocurrency (like Bitcoin), the blockchain is a ledger. It spans many computers and is a growing list of records called blocks. Each block contains encrypted records of the previous block (like a timestamp and other transaction data). So what MetaMask does is access the blockchain to make changes to the ledger. Not really a “wallet”.
This is my first point on why MetaMask is not safe for an average computer user. MetaMask is poorly secured and does not protect you from “malicious actors”. Instead of holding paper money, MetaMask gains access to a blockchain. MetaMask is an unsecured browser extension that collects massive amounts of personal and valuable information (why do you think it’s “free”?). MetaMask exposes you to “unscrupulous eyes” and makes a ton of money doing it.
I use several web browser extensions. Ad blockers (uBlock Origin), an online shopping discount finder (Honey), and more. All web browser extensions collect your information. Providing your personal and private information as an asset that can be sold is how you pay for everything from your Gmail account to a browser extension like MetaMask. Do I really have to say nothing is free?
The Heist: USDC is a type of cryptocurrency that is referred to as a stablecoin. You can always redeem 1 USDC for $1.00 (USD). On 1 January, 2021, just a few minutes before midnight, I pulled $600 in USDC from my NEXO account. By the way, I love NEXO! I hold much of my cryptocurrency in my NEXO account. Of course, any company and any person can be hacked. But I feel the two factor authentication and security measures on the NEXO site are top notch! And you get great rates of interest on coin/token held there. Also, you can make use of your money while it is stored on NEXO. For example, you can borrow against your deposit at a great rate as low as 5.9% without liquidating your cryptocurrency investment. Why on Earth would anyone keep their crypto on an unsecured web browser extension, when they can earn great interest in an insured and secured company “vault”? As well as a dividend on their tokens, but I digress.
I wanted to buy some alt coins (an alt coin is a cryptocurrency other than bitcoin) I had been researching. I can’t be sure how, but by 2:30 AM (PST) my MetaMask “wallet” was emptied. Total loss was about $700 USD (at that time, but since the price has gone up so has the value of the loss). The most likely hack was through an exchange I had signed up for that may have been a fake or hacked. I couldn’t find the alt coin I wanted on the exchanges I normally use (Coinbase and Binance). I searched for an exchange that traded the token I wanted. I would need to do a deep dive into the browser history to see what exchanges I found at that time. I might still do that.
Lesson 1: Don’t use the MetaMask “wallet” to store coin/tokens. If I had only used MetaMask as a transfer point to buy the alt coin, thieves would not have the opportunity to steal from my dumb web browser information collector AKA MetaMask. After I gave the MetaMask web browser extension access to $600 USDC, I took a couple of hours to eat and do some work. That is when an address got unlimited access to my MetaMask key that held my coins/tokens. Since this debacle I keep my coins/tokens on NEXO and an offline hardware “wallet”. MetaMask is not “smart” in the tech sense. All it does is collect your information, access a blockchain, and expose you to hackers.
What is a DApp? And why is it important to know what a DApp does? Well, for the average computer user who is venturing into cryptocurrency, it’s not important to know what DApps do. What is important to know is that these decentralized applications (also known as “smart contracts”) can have unlimited access to your cryptocurrency. From the Token Allowance Checker website: “Many DApps have the habit of requiring you to approve effectively unlimited amount of tokens. This helps improving the user experience, as you only have to sign off an approval once and it will be enough for all future transactions.” What you need to know is which DApps and/or smart contracts have access to your cryptocurrency. And how to stop a DApp should you need to do so.
TAC is a useful tool! And you should use it right now!
Token Allowance Checker (TAC) shows all approvals for your ERC20-compliant coin/tokens, and the option to change the approved amount — or completely zero it. The average computer user has no idea what “ERC20-compliant coin” is, or that there is no concept of expiring approvals. Once approved, the approval will remain forever. The point here is if you do not trust a DApp or its operators anymore, there is usually no easy way to remove the approval. MetaMask knows this but the average computer user doesn’t have a clue!
Lesson 2: Periodically check the TAC (Token Allowance Checker). See what has unlimited access to your coin/tokens. I checked Token Allowance Checker and found the address that gained unlimited spending access.
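To show what a checker like TAC is actually looking at (the ERC20 approvals described above and the “Approve LINK spend limit” found later in the article), here is an added example that is not code from the article or from Token Allowance Checker: it decodes ERC20 `Approval` event logs, flags allowances set to the maximum uint256 (“unlimited”), and builds the `approve(spender, 0)` calldata that revokes one. The log entries, owner and token addresses are constructed placeholders; the spender is the allowance target named in the article.

```javascript
// Added example (not from the article or TAC): decode ERC20 Approval logs,
// flag unlimited allowances, and build the calldata that revokes one.
// keccak256("Approval(address,address,uint256)") -- the ERC20 Approval event topic
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
// keccak256("Transfer(address,address,uint256)") -- used only for a negative sample
const TRANSFER_TOPIC =
  "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
// 4-byte selector of approve(address,uint256)
const APPROVE_SELECTOR = "0x095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI word: 32 bytes, hex without 0x, left-padded with zeros
function pad32(hexNoPrefix) {
  return hexNoPrefix.padStart(64, "0");
}
// Indexed address parameters sit in the last 20 bytes of a 32-byte topic
function topicToAddress(topic) {
  return "0x" + topic.slice(2).slice(24).toLowerCase();
}
function addressTopic(addr) {
  return "0x" + pad32(addr.slice(2).toLowerCase());
}

// Decode one Approval log into {token, owner, spender, value, unlimited}; null for other logs
function decodeApproval(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  const value = BigInt(log.data); // non-indexed uint256 amount lives in `data`
  return {
    token: log.address.toLowerCase(),
    owner: topicToAddress(log.topics[1]),
    spender: topicToAddress(log.topics[2]),
    value,
    // Exact max uint256 is the common "unlimited" value; some DApps use other
    // very large numbers, so a real checker may also apply a threshold.
    unlimited: value === MAX_UINT256,
  };
}

// Approvals granted by `owner` whose allowance is unlimited
function findUnlimitedApprovals(logs, owner) {
  const who = owner.toLowerCase();
  return logs.map(decodeApproval).filter(a => a && a.owner === who && a.unlimited);
}

// Calldata of approve(spender, 0): selector + padded spender + zero amount.
// Sent to the token contract by the owner, this removes the allowance.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + pad32(spender.slice(2).toLowerCase()) + pad32("0");
}

// Constructed sample logs, shaped like eth_getLogs results
const OWNER = "0x1111111111111111111111111111111111111111";          // placeholder
const TOKEN = "0x2222222222222222222222222222222222222222";          // placeholder token
const OTHER_SPENDER = "0x3333333333333333333333333333333333333333";  // placeholder
const SPENDER = "0xf740b67da229f2f10bcbd38a7979992fcc71b8eb";        // target from the article
const SAMPLE_LOGS = [
  { address: TOKEN, topics: [APPROVAL_TOPIC, addressTopic(OWNER), addressTopic(SPENDER)],
    data: "0x" + "f".repeat(64) },                                   // unlimited approval
  { address: TOKEN, topics: [APPROVAL_TOPIC, addressTopic(OWNER), addressTopic(OTHER_SPENDER)],
    data: "0x" + pad32((100n * 10n ** 18n).toString(16)) },          // bounded: 100 tokens
  { address: TOKEN, topics: [TRANSFER_TOPIC, addressTopic(OWNER), addressTopic(OTHER_SPENDER)],
    data: "0x" + pad32((5n * 10n ** 18n).toString(16)) },            // Transfer, must be ignored
];

for (const a of findUnlimitedApprovals(SAMPLE_LOGS, OWNER)) {
  console.log(`unlimited allowance on ${a.token} for spender ${a.spender}`);
  console.log(`revoke with calldata: ${revokeCalldata(a.spender)}`);
}
```

Fetching the real logs needs a node or explorer API (filter on the Approval topic with the owner address in the second topic); the decoding and revocation calldata are the same.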
I’m not sure how the hacker’s address got unlimited spending authority in my MetaMask web browser extension. I suspected it was from trying to sign up for bitswapdex.io or another exchange, gate.io. There are plenty of fakes and imposter sites. Always double and triple check the site URL on exchanges. One of the most popular ways a hacker gains access is by creating fake sites that look like the site you want to visit. Remember, MetaMask offers NO SAFEGUARDS! MetaMask is an unsecured browser extension that collects massive amounts of personal and valuable information. It gives you access to blockchains and DApps (AKA smart contracts) that can get unlimited access to all of your coins/tokens.
From the MetaMask site: Reason number four you got hacked.
You gave a web3 site / smart contract unlimited access to your funds (check who you gave access to and revoke here). This is a link to the Token Allowance Checker.
More from the MetaMask site:
“Try to analyze your browser history and scan your computer to eliminate any further breach of information.” If you discover any suspicious phishing websites please notify us at Metamask Support Form so we can prevent this from happening to other users in the future. If you have any further information after your own investigation please let us know.
- install MetaMask on another browser (or create another profile on your current browser of choice), or create a new account from a fresh download of the mobile app.”
REALLY?!?! Is the average computer user expected to do your work for you? Yes! Apparently so. MetaMask is not in the business of investigating how you lost your cryptocurrency. You, the average computer user, will have to make sure the sites, exchanges, and/or whomever is legit. In the hours after my MetaMask browser extension was hacked, I went to reddit and discord to find out if others had a similar experience. I have heard from many people in the course of researching and writing this article that you will get a response from MetaMask, but it’s usually an automated reply. What do you want? It’s a “free” browser extension, right?
Lesson 3: If you feel like you still need to use MetaMask, don’t install the MetaMask browser extension on more than one browser. First I had the MetaMask browser extension on my desktop default browser (Firefox). Then I put the extension on the Brave browser because I use it a lot. Next, I put it on Google Chrome. Then I put it on my laptop browsers. Also I had the app on my phone. Don’t do that! I made a half dozen access points where hackers can attack. If you still feel you can safely use MetaMask, limit the number of access points to the phone app and one browser. One of the most likely ways a hacker gets to your currency through MetaMask is if you have the seed phrase in a text document on your computer, or keystroke malware. You’re not likely to store a text document on your phone.
The bottom line is: I lost about 600 USDC, some ETH, BAT, and some LINK (totalling about $700 USD at the time). And I will never use MetaMask ever again. In fact, I am going to scream at the top of my online lungs for everyone to either never install or immediately uninstall MetaMask on every social media platform, every online community and forum, and in every YouTube comment section, as well as make my own YouTube video warning everyone. I think it’s an obvious weakness that there isn’t something like a two factor authentication for all MetaMask transactions. It wouldn’t be hard to add a few lines of code that would make my wallet pop up in my browser or phone, or send a notification, to ask me to approve of a transaction. The MetaMask wallet verifies other things like connection to other “wallets”. That is an obvious weakness in my opinion. And judging by the massive numbers of people who have had the same or similar experience (looking at reddit and discord), the MetaMask “wallet” has obvious security weaknesses.
An average computer user is completely defenseless against hackers who know how to exploit MetaMask. The average computer user will copy and paste the seed phrase somewhere, store it in a text file on a hacked machine, or on some cloud service. I think the developers and owners at MetaMask know this to be true. I believe the owners and developers at MetaMask know millions of dollars in coin/tokens are stolen from MetaMask “wallets” every year, and have no incentive to change that. They (MetaMask developers) could have implemented an extra layer of security in MetaMask but chose not to do so. They are guilty of neglect. MetaMask can add an extra layer of security like an opt in — check this box to authenticate transactions over $xyz (even if you have my credentials). I have credit cards that get my approval before approving “suspicious activity”. The credit reporting agencies warn me of suspicious activity. There is no reason MetaMask can’t do the same.
FACT: As it (MetaMask) is configured now, millions of dollars in cryptocurrency is lost every year through MetaMask transactions. That is a FACT. Whether it’s people leaving the seed words and/or the private key in a text document on their computer and the computer is hacked, or logging on to a fake exchange site, or any other way, the fact is there is no safeguard. My contention is, safeguards can be added and should be added because it is way too easy for a hacker to get the seed words and/or private key. That is the obvious weakness of MetaMask!
No one is asking for censoring transactions. I have heard from some people during the research and writing of this article that adding safeguards would be impossible without having MetaMask act as a censor. That is just not true. I’m not a software developer, but I can imagine a few lines of code added to their algorithms would be all that it takes to make a “popup” asking for additional approval. And if it is too costly to add additional safeguards, MetaMask could offer a “MetaMask-Premium”. Why not charge say $10 USD for a more secure “wallet”? It’s a great selling campaign. “We at MetaMask are aware the net is full of bad actors yada yada yada. Millions in cryptocurrency is stolen every year bla bla bla. So we are launching a multi signature safeguard. The new MetaMask-Premium is a two factor authorization through bio-metric approval on your phone. HOORAY!”
I just bought an $80 (USD after tax and delivery) hardware “wallet”. I’d, and many would (in my opinion), pay $10 USD for two factor authorization. The MetaMask web browser extension is an unsafe browser extension that holds the key to millions of dollars in value. Truth be told, I never felt that the web browser “wallet” was secure. I only wish I had listened to my intuition. Since I didn’t, I feel it’s my duty to warn the “average computer user” - in the final analysis, MetaMask (as it is currently configured) is unsafe for an average computer user.
UPDATE 11:51AM PST 5 January 2021
On 2 January 2021 at 7:02 AST I emailed MetaMask to report the hack and stolen currency. I received a reply on 4 January 17:41 AST from “Allen”. The reply was: “Hi there, We apologize that this happened to you as this is something we would never want to happen to any of our users. If you were hacked or phished this would most likely be due to a few reasons:” Then the same information as the website.
Good day Allen,
Thank you for the reply. I anticipated your response would be of little help. I am gathering information from many many people on Reddit, Twitter, and Discord, as well as other social media platforms, to warn as many people as possible that MetaMask is not safe for the average computer user. First I will write an article on the Medium platform and produce a video for my YouTube channels.
I knew as soon as I saw my MetaMask “wallet” was emptied there was nothing that could be done. In the last few days I have found many many similar stories. The bottom line is I have concluded that MetaMask is unsafe for the average computer user. I believe the developers and leadership at MetaMask know millions of dollars in coin/tokens are stolen from people using MetaMask. MetaMask collects unbelievable amounts of personal information through the web browser that is worth untold millions of dollars, but offers no safeguards for the users. MetaMask knows its browser extension is an easy access point for bad actors. That is negligence!
I will shout at the top of my online lungs — METAMASK IS NOT SAFE FOR AN AVERAGE COMPUTER USER! (and that is the title of my article). My coin is gone, and nothing can be done about that, but what I can do — I am making it my mission to tell as many people as possible to buy a hardware wallet and not use MetaMask.
To be fair to your company, I request a response to the article. Please contact me if someone at MetaMask is interested so I can send you the article before I publish it (and before I make the accompanying video).
Good day Sir.
Soon after that email I got a reply. Allen asked for some information including my browser history. I gave him everything he asked for. The next email:
Jan 5, 2021, 15:27 AST
Thanks for getting back to me, it would be good to try and pinpoint where you got that allowance from in case you decide to file a report with law enforcement. If you do find it, please let me know. Please note that this has nothing to do with the inherent security of metamask, but since users control their private keys and seed phrase locally, it is imperative to be very careful when signing for allowances on your account, for example.
Support @ MetaMask 🦊 | Consensys
Never give your seed phrase or private key to anyone or any site ever!
Make sure you have your seed phrase written down and stored someplace safe.
The “allowance” Allen referred to was the address I found on the TAC (see the Token Allowance Checker screenshot above).
While I was not that surprised I got someone at MetaMask to pay some attention to my loss once I sent them the link to this article, that has not in any way changed my opinion that MetaMask is not safe for an average computer user. I will update this article if any significant developments arise.
Update 5AM 7 January, 2021:
Upon Further Review
The MetaMask representative requested to see my browser history and I use more than one browser, so I sent him the histories. As I mentioned earlier in this article, I suspected the hack came from one of two sources. One is bitswapdex.io and one is gate.io.
Also I mentioned that I build and upgrade my computers. I remembered the night my MetaMask browser extension was hacked I was working on a computer that I am going to use for an HTPC (home theater PC). I recently bought a six terabyte drive for it and I was loading and organizing movies, TV shows, music, pictures, so I can easily find them. What good is having all this great content if you can’t find it? BTW, I love KODI for my HTPC. Anyway, the point is I was using the HTPC computer that night. I checked the Firefox browser history and found something that caught my untrained investigative eye.
This screenshot of my Firefox browser history shows a URL from one of the exchanges I suspect is compromised (gate.io). Remember the TAC (Token Allowance Checker) shows “ChainLink Token 0.00 LINK” and an address having allowance “unlimited”. And the gate.io URL ends with deposit/LINK. So I went to that URL and found something very suspicious.
A screenshot of the gate.io login verification shows there is no Anti-phishing code. But I had set up an “Anti-phishing code” when I signed up on the gate.io site. The URL with the /myaccount/deposit/LINK was in fact taking me to a site that may be a fake site or is in some way compromised. My anti-phishing code should be there. But wait, there’s more…
I opened the Brave browser on the HTPC and I found that I had installed the MetaMask browser extension on it. I opened the MetaMask browser extension, and there it was! The “Approve LINK spend limit” from bitswapdex.io. As I said near the beginning of this article, I was looking for a specific alt coin and I signed up for two exchanges. One was gate.io and the other was bitswapdex.io. I had been trading LINK on binance.us earlier that evening and withdrew it to my MetaMask browser extension. And remember we discovered DApps are “smart contracts” that have a habit of getting unlimited access inside your MetaMask web browser extension. So I believe that I unwittingly gave approval to the hack on my MetaMask browser extension through the bitswapdex.io app.
In conclusion: My contention from the start of the research and writing of the article (and of the YouTube video in production), is that it is highly unlikely that my computer was hacked; I did not give the seed words and/or private key to anyone. The reasonable conclusion is the MetaMask web browser extension is not safe for an average computer user. I think I have proven my contention beyond any reasonable doubt. I emailed Allen (the representative from MetaMask) the screenshots and the following:
Jan 6, 2021, 10:04 AST
So far every piece of forensic evidence points to the “ChainLink token” Allowance target 0xf740b67da229f2f10bcbd38a7979992fcc71b8eb (shown on the TAC) as the culprit. And it got access through MetaMask either from the gate.io site, or the bitswapdex.io site (as I had suspected all along).
Please let me know if you agree with my assessment.
Jan 6, 2021, 11:20 AST
I believe you are correct in your research, some kind of phish or malicious redirect interacting with one of these.
Support @ MetaMask 🦊 | Consensys
The bottom line is: My internet security is ultimately my responsibility. The MetaMask web browser extension offers no protection from malicious redirects and or phishing attacks. Unless and until the MetaMask web browser extension adds better security and protections from “bad actors”, the MetaMask web browser extension is unsafe for an average computer user.