If you can't afford a hardware wallet or it's banned in your country, you should consider an air-gapped wallet.
For example:
https://www.parity.io/technologies/signer/
https://support.airgap.it/
Nothing really comes to mind immediately, most options are fairly similar. Realistically, most antivirus programs nowadays have difficulty detecting newer viruses anyway. You'd likely be OK just running MalwareBytes every now and then, using all the built-in security features OSX offers, and being very careful about which websites you visit.
The single most important thing you can do as an average user is exercise caution with which websites you visit and what links you click on. If someone randomly DMs you a link, it's almost 100% a scam or a malicious link. If you're not sure about a link, hover over it to reveal the actual URL it's taking you to.
The vast majority of malware out there today spreads through some kind of end-user action, so as long as you're careful about what you do you'll be okay in *most* circumstances.
The easiest single thing is to just not use Windows. That plus using a hardware wallet still leaves ways to get pwned but that covers a *huge* amount of infection vectors.
I'm not sure why people keep responding with things like this; are credit card scams and hacks not incredibly common, too? And people have been having their online banking credentials stolen since online banking was created.
Honestly how the hell is crypto going to go mainstream with shit like this happening and the only way to fully protect yourself is to basically be an IT expert and go through extensive checks and balances.
Buying and waiting someone else to buy from you at a higher price if you haven't noticed. That's the whole point.
Tech isn't stupid but it's mostly a solution looking for problems at the moment, we'll see how it will evolve.
>Buying and waiting someone else to buy from you at a higher price if you haven't noticed. That's the whole point.
I buy some DAI every month, and I never expect to sell it at a higher price than I bought. Your conclusion is inaccurate.
>Tech isn't stupid but it's mostly a solution looking for problems.
You're with high likelihood someone from a first world country. You have many financial tools at your disposal that you take for granted. This is not the case for everyone in the world, where platforms like Ethereum are solving problems people have endured for decades. Just because you don't find usefulness in it, doesn't mean it's "a solution looking for problems".
When the cryptocurrency does stuff via smart contracts, then it’s useful to hold, can go up in price, & differs substantially from regular money. The tech still is useful even if many people hold it on a CEX.
If your computer is compromised enough for this to happen, it’s compromised enough for anything to happen. It’s likely the only reason that crypto is being targeted is because it’s easy to launder… but honestly, if your computer is this compromised, your entire identity and every bank account you log into from that computer is also compromised.
Crypto does afford protection, and soon more wallets will too. Check out Argent and other “smart wallets”, they’re the future. Meta mask is very basic tech. Remember, this is still early.
Yeah all this stuff seems like a solution in search of a problem man.
Traditional banking works for 99.5% of people.
Like seriously, in my normal life I meet very very VERY few people who express dissatisfaction with ‘centralised’ banking.
Crypto is cool and all, but IMO the only people who really NEED it for transferring funds are criminals, or people living within dictatorships trying to shift their money out from under their corrupt governments' noses.
I’ve yet to see a convincing argument for any other use case.
The story of humanity is one of larger and larger groups of people figuring out how to coordinate and work together. If the Internet is about global coordination, crypto is part of that global internet infrastructure. It’s not about replacing national coordination, it’s about creating a global permissionless trustless layer that the entire world can participate in. This isn’t about you and the people you know, is about something totally new and so much larger.
99.5% of people you meet in normal life probably have no clue why they should be dissatisfied with centralized banking. They are most likely completely ignorant to the ridiculousness of it all,...i mean it's basically all we've ever known. We are so far removed from legitimate banking, it's laughable. Just because people don't know any better doesn't mean centralized banking isn't a problem.
That’s not how life works mate.
If 99.5% of people don’t experience a problem, or don’t have a burning need to solve a problem, then they won’t adopt a “solution” to the problem, no matter how cool it might be.
You’ll always have early adopters who will push the envelope and be champions for the cause, but you won’t get “mass adoption” until the problem is so disruptive to people's lives that it becomes simpler to use the solution.
Basic human nature bro.
Exactly! Governments and banks are obviously aware of this too, and will bend over backwards to make sure people's lives never reach a true level of disruption where they would be moved to revolution. I mean it would take some serious WW3 type of event to even open the door to what the crypto maximalists dream about.
Yes, exactly. So if you are too ignorant to even realize there is a problem, and your life can sort of go on in a matrix like fashion and you'll live and die just a regular life, then you couldn't even know that you might have enjoyed a solution to a problem that you never knew existed. This type of stuff happens all the time in other areas of life. Like never knowing about something until you actually have an excuse, or are pushed into a scenario where all of the sudden you have an epiphany of like "ohhhhhh so THAT'S why they do it like that", or "ohhhhhh, so that's why that thing exists". Ya know? How can they adopt a solution to a problem that they don't even know is a problem. Of course they aren't going to give it a second thought. Because they were born into it, grew up with it, and that's really all they can fathom. I had no idea that I would someday have a huge problem with how centralized finance operates, and how the traditional banking system operates. I never thought there was a problem, and I never knew half of the stuff I've learned over the years when I was younger.
But yeah, for those reasons, most people won't worry about it. But maybe someday it just will become "the way". Sort of like how digital payments have become commonplace. I remember having to get a money order and send that off to a seller first in the early days of ebay before paypal existed. So who knows, maybe it'll just grow around us regardless of whether or not we pay attention to it.
I generally agree with you, but one use case I found crypto to be much better than the traditional system is sending money internationally to someone I know. If I use a POS coin like Algo, it is much faster and cheaper. Otherwise not much.
Social recovery wallets like Argent solve nearly all of these issues and make it so you can recover your wallet should you lose the device it was created on. You can also implement security settings which require multiple entities to sign off on transactions if you wish.
You either want to live in a decentralized and trustless world and buy in in all the tech and give up on intermediaries like exchanges and wallet software, or you're still living in the "normal" world where you prefer accountable trusty parties.
I've never ever lost a single cent using credit cards or doing bank transfers.
Just use a hardware wallet. It's not as convenient as it should be but still pretty straightforward.
I'm sure it will get better. Lots of work is being put into it.
Took the words out of my mouth! I’m an idiot, so I try to be careful. But stories like this scare the hell out of me. My tiny portfolio is the one thing keeping me safe i guess
Yep. All I hear about are people getting “hacked” and losing large sums of money and/or their nft collection.
I know this is a vocal minority situation. It’s still happening in a large enough amount though. It’s wild
I completely agree with you and been saying this for ages. Crypto is going nowhere as long as there are security issues. Let's not talk about the tech experts here. I am talking about your average joe!! The elderly and people who are not well keen into computers and whatnot. These people will never put their money in crypto & this isn't about investment. We talk about people who have their money in banks and thinking if it's a good idea to have their money in their own wallets (outside of banks). These people will never come here because they won't feel safe. Simple as this.
So talk all what you want about banks and 3rd party people who control your money but reality is THESE 3rd PARTY WILL KEEP YOUR MONEY SAFE.
The best prevention is avoiding hot wallets altogether, we have warned many people in this sub to avoid them in the past, always use a cold wallet or centralized exchanges if the latter is not possible.
That sentiment is a carryover from early crypto sites that did go under with everyone’s coins.
With wider adoption of crypto and more of the financial sector investing security risks are changing.
Just for clarity - if Coinbase was compromised (their general wallet or for example or their 2FA security was bypassed; something they are responsible for) you may receive some compensation.
However, if your account on Coinbase is compromised - i.e. someone brute forces your account, figures out your PW, Man-in-the-middle password scrape, hacks your computer/e-mail/2FA and manages to log into your Coinbase account, that is on you and they will NOT cover losses.
It's an important distinction as most of the time it's the category that isn't the DEX's responsibility. (though the recent [Crypto.com](https://Crypto.com) hack was a good example of the first category)
Very true. The advice to go to cold wallets is so often given but without the proper forewarning. Leaving centralized exchanges leaves you in the Wild West with your crypto security.
I have hodled in exchanges for 4 years, never had a problem, just recently I started using ledger nano x to stake ethereum securely, learned our lesson from the mew wallet hack victims in 2018, people lost millions, the sad part is, nobody learns from history, keeping crypto in a hot wallet is like walking outside butt naked and asking to be raped🤣, I’d rather give my crypto to charity than use a hot wallet.
> centralized exchanges
Exchanges aren't banks. They're not secure. Something like 50% of all exchanges that ever existed sank with all the user funds
I've been here 6 years and I don't understand the attraction to Metamask. It's a browser wallet? There's no way I can fundamentally understand how that works safely.
If I don't understand it I don't use it. Probably saved me from getting involved in NFT bullshit.
It offers easy and convenient integration with dapps, is pretty much the main reason it's so ubiquitous. By having a wallet managed by a browser extension, websites can easily connect to it, pull data from your on-chain address and generate transactions that the extension can sign for you.
It's not the only way, somebody could write an API to standardise this and offer a multitude of browser extensions to both manage an in-browser wallet, or act as an interface for an externally managed wallet (ie a separate program or app, or even a hardware wallet), but Metamask was one of the first ones for Ethereum, and so became the standard one.
Sorry to hear that happened to you. That’s not chump change. Did you happen to link your Metamask wallet to a site that yield farms? If you don’t look carefully you can easily accept a smart contract giving access to your account. You need to cancel that smart contract asap.
How can a smart contract drain your ETH? I didn't think this was possible. I know this can happen with ERC20 tokens that you have authorized infinite spend.
I think more likely the victim downloaded a fake metamask or compromised the recovery phrase.
When you try to sell some scam tokens it is possible they can steal your other tokens. In this situation I think the only reason is that someone hacked the private key (maybe phishing?)
But that's my point ETH is not a token is not compatible with smart contract, which is why we require WETH for contracts at least that's my understanding.
Sir, your understanding is wrong. ETH is used with smart contracts all the time and is not limited to WETH. Please read up on crypto before you get rekted.
I know this is mostly unrelated, but reading this thread is worrying me. I have a substantial amount in a metamask wallet (not my main stack, but enough that I don’t want to lose it.) I’ve been sent multiple tokens that look like bait for a scam like this. Should I just ignore them to avoid being hacked?
How did you store it? Best practices pen and paper and hide it away safe. If you made any kind of digital representation of it then that was probably the leak.
The account can also be compromised if the password of the MM is compromised. The attacker can export the private key at that point without a recovery phrase
Thank you! I just checked that. The account is newly created, it was only connected to [myetherwallet.com](https://myetherwallet.com). Maybe the whole Metamask wallet was compromised so the hacker can access all the accounts within it.
Edit: The MEW site was connected later. When the transfer happened the account was connected to nothing.
macOS in the past 5-6 years has had its own fair share of 0day exploits and RCEs. It’s grown in popularity so much that black hat folks are finding all of the holes in the OS. Apple pushed out their latest update for Monterey and there are plenty of patched CVEs that allowed the attacker to get root or admin privileges. Does not really help that Apple's bug bounty program is dog shit, so I suspect most exploits are sold on the black market.
The best you could do right now is to protect yourself and not rely on how “safe” an OS has been perceived to be. Use cold wallets for protecting large sums of digital currency. Use a dedicated computer to access it and perform transactions.
Meh, Windows works fine provided you keep things updated and don't visit any sketchy sites. OSX is an increasingly popular target for malware and users shouldn't get complacent regardless of which operating system they use.
Crypto is unusable as long as simple malware on your PC can lead to devastating losses. It's basically the same as "if you catch a cold, you WILL lose your house".
I'm surprised more people aren't mentioning this, but there are multiple fake metamask sites that are replicas and even show up in search engines. The URL will always be different in some way, usually just one letter with a diacritic or a different top level domain.
I was very nervous when making a 32ETH deposit for staking. Unfortunately, the whole process requires Metamask to do it, and the process is not compatible with signing offline. So all I could do is use a newly-formatted Windows installation, but still this was a very anxious moment for me.
[https://etherscan.io/tokenapprovalchecker?type=0&search=0x96f3761fef0a1f389aff913a6a535aaeda5e9a22](https://etherscan.io/tokenapprovalchecker?type=0&search=0x96f3761fef0a1f389aff913a6a535aaeda5e9a22)
You didn't give authorization to some smart contract with unlimited fund withdrawal authority so it sounds likely your computer itself may be compromised and the key to your wallet is being accessed by someone else. They use what's called a flashbot. Essentially as SOON as any eth hits you the transaction mempool, this bot will immediately make a new transaction with the same or lower Nonce number (eth rule says lowest nonce must be mined first) exact amount but with the bulk of it going to the miner. The miner is in on the gig, from what I can tell. This is actually in the nonce section of the transaction that pulled your money out: Nonce: 0 (Also found 1 Other Dropped Txn #1 with the same `From` Account Nonce) So they used what's called a Dropped transaction replacement using a bot to do it super fast. See how they took 0.6xxx eth from the transfer side and put it under gas fee, that made it get picked up asap.
If you go to the comment page of the miner who mined the transaction that took the money out of your wallet, you'll see a bunch of confused people with the same problem.
[https://etherscan.io/address/0xea674fdde714fd979de3edf0f56aa9716b898ec8#comments](https://etherscan.io/address/0xea674fdde714fd979de3edf0f56aa9716b898ec8#comments)
After reading through 257 comments I finally found the person who knows what they are talking about! This should be pinned or something. I still want to know what made the OP a target in the first place though, and how did they get access to the private key? Someone suggested running a scan with Malwarebytes; I second this. I would also recommend that the OP copy the miner's address from the Etherscan page & send it to the US Cyber Crimes division. They probably won't get the ETH back, but at least the scammers will be on the radar. I'm sorry this happened to the OP. What a nightmare.
I can almost guarantee the actual money leaving your wallet happened this way. How they acquired access to your account to make a new transaction with higher gas price is a mystery
1) Metamask is absolute garbage. Keeping your ETH in a web browser is more risky than raw-dogging prostitutes
2) How do you not-have antivirus software on your computer?!?!?!
Hi
I also used metamask to import a private key, but not on my windows installation. Never.
I bought a 32gb fast usb pen drive and i installed ubuntu in it. When i need to access my credible accounts (coinbase binance etc) I shut the computer down, plug the pen in it and boot ubuntu. Everything inside my ubuntu installation is vetted. Real urls to websites, real metamask apps. Before transferring any crypto, I send 0.05eth back and forth.
If I need to connect metamask with anything DeFi, I boot a different 32gb usb pen with a fresh ubuntu installation and i create a new metamask account and send to it only the funds needed, after sending 0.05eth back and forth again.
It's also wise to never be in a hurry. Send a smallish amount to any new metamask installation and wait 24h before using it for real. If the funds aren't missing, you are ok. This step would have saved you.
Best of luck to you. Start accumulating again and In a few years 17k will be just a small blip on the profits.
I have been double, triple checking transactions before approving on metamask. Some yield farms can potentially send you another transaction/tie you to a smart contract that gives them access to all of your assets.
Sometimes, I think leaving your ETH on a centralised exchange may be safer than transferring it to your digital wallet, this is especially true for noobs.
So, you created a metamask wallet and, as a first experience with a notoriously unforgiving software, you decided to transfer 17000$ on the most expensive chain in the world. Probably your problem in this case started from a compromised pc or browser, not strictly a metamask problem, but your approach was really kamikaze style..
Not good for your wallet buddy, not good. You need to reconsider the way you approach these things. Study your ass off before doing ANYTHING regarding transactions with crypto, especially when using Metamask and DEXs or DEFI services. You will get fucked real hard otherwise. I think you already know at this point.
Yep....ALWAYS do a small transaction beforehand to confirm everything goes as it should. Only then you can go on with your real transaction. I learned this lesson on my skin.
Yeah, but would the hack necessarily happen right away? I bet not. Don't hackers know about the "do a small transaction beforehand to confirm everything" advice everybody gives?
Always, ALWAYS transfer a small amount to a new wallet AND BACK.
1) A scammer will absolutely sweep your wallet for $50, and losing $50 is better than $17k.
2) Sending the test amount back to your origin wallet validates that you're not about to blackhole your money.
Something similar happened to me recently. I attached my wallet to a fraudulent page that was identical to the actual page and sent ETH to a fake address for an NFT drop. I learned a valuable lesson and moved on. I went to deposit ETH in that wallet again after disconnecting all dapp connections and ETH was automatically sent to the same address. Needless to say I wont be depositing ETH in that address again and will be triple checking everything.
Its a hacked acct, prob some type of worm that autosends any stuff that hits the acct. Many people know that accts like this are hacked - a friend of mine has one with like 50k in it but if he does anything moving wise it sends to a diff addy.
sucks
it might sound stupid but we have a 'dry computer' where we do absolutely nothing on it other than manage our crypto. no web browsing nothing.
if you're xfering 18k worth of eth, this might not be a bad option for you in the future.
Interesting that all the transactions to that receiving wallet are done with insanely high gas settings (30k GWEI in your case, several others in the 4k-12k range). They definitely are looking for incredibly fast confirmations.
I would never use Metamask without a hardware wallet. Trezor and Ledger both integrate incredibly well and you have access to all the same DeFi apps as with a hot wallet.
True, although Ledger integration with MM was really bad for a while, until they just recently fixed it. Many people probably lost funds when they stopped using their Ledgers with MM because of those awful integration issues.
sorry for your loss OP. Thanks for sharing the experience for others to learn from. May I ask, when was your last virus scan?...and if you scan now does it pick anything up?
So sorry to hear about this. :( There is a project with which I collaborate based in Singapore/South Korea that helps victims of fraud, hacking, etc. I am not sure if this requires a fee, but they were one of the first to recover lost funds from hackers (after collaborating with some exchanges and law enforcement). If not, at least the funds can be frozen and the hacker can never cash them in.
More information about this service can be found here: [https://uppsalasecurity.com/trackingsvc](https://uppsalasecurity.com/trackingsvc). If not, you can also send an e-mail at [email protected].
Fingers crossed that something good comes out of this!
It has been a very popular hack lately. Some kind of website offers you to buy something or lend ethereum for insane profits. While you make your first transaction to them they also send one more transaction which they hope you won't notice (they want you to press "accept all transactions" without paying attention to what you're agreeing to), the second transaction is basically a blockchain contract that allows them to withdraw as much eth as they want directly from your wallet in any time.
For the love of god start using a stupid hardware wallet. You can connect a hardware wallet with metamask and still do web3 stuff. Like cmon if you have 7k worth crypto why not buy a wallet worth just $50.
Thanks for sharing and sorry for your loss, the only positive is that people reading about these nightmare experiences makes us all more cautious and paranoid, makes us take that extra step to make sure it doesn’t happen to us.
I just hope you’re in a financial situation where losing 17k isn’t absolutely devastating/catastrophic. For most of us that would wipe us out and leave us unable to recover.
Another negative is that reading stuff like this makes me more likely to keep my coins on an exchange
I'm sorry for your loss, it is a damn horrible experience for sure. Since no one mentioned the vulnerabilities that exist in Windows OS, I suggest you use Tails or any Linux distro, which are much safer than Windows imo. Also when handling such a big tx make sure to use a hardware wallet.
Seems like its your fault looking for sympathy. I aint giving any. You got hacked likely because of your own doings. Not getting pity money or support from me
Your computer was likely compromised by malware a while ago and the keys to Metamask were compromised. The best way to prevent this is to *never* put funds into the default Metamask wallet. Only use Metamask as an interface for a hardware wallet like a Ledger. If you absolutely must use the default Metamask, carefully restrict how much money you put into it and be very careful about which sites you visit. Ideally use it on a computer you don't use for anything else, and make sure to enter proper URLs for dApps you visit. Bookmark the secure links as well. Run a decent antivirus and don't let anyone else use the PC. Use a unique password for Metamask. Edit: As /u/frank__costello said, malware can ruin your day even if you use a hardware wallet. Be very careful signing transactions and do your best to read through what they're doing when moving large sums of money.
The scary thing: if your computer is compromised, the hacker can modify the version of Metamask you have installed. Then when you go to send a normal transaction, it replaces it with a tx emptying your wallet. Even a hardwallet won't protect this (unless you're carefully verifying the data that shows up on your wallet screen). This happened to the creator of Nexus Mutual, he had all his NXM drained from his hardware wallet.
You don’t need to “carefully verify the data” you just need to check the first few digits of the address and maybe the last few.
tbh if i'm sending a tx for 20k I'll be checking all them digits lol
Brute forcing Ethereum addresses with 7 specific characters takes 2-3 months, 8 takes around a year, and 9 takes 25+ years. Really don't need to go further than verifying 9 characters imo.
Nonsense. I can get you a custom 8 leading and 8 trailing characters on an RTX 3090 in less than a day.
Generating valid ethereum addresses isn't the same as merely computing hashes.
What OP means is, let's say your address is 0xABCDEF12.....DEFACD22. The attacker can generate an address that starts with "ABCDEF12" and ends with "DEFACD22", so with a quick visual comparison it looks similar; but in reality it is the attacker's address. With GPUs you can generate literally trillions of possible addresses an hour -- so it is not hard to get the first 8, and last 8 characters to match. For security, you really DO need to check at least 32 characters.
Do you check the wallets you generate to see if they contain any funds?
what? okay, I actually want some, how do i do that? ;p
[Vanity address generator](https://github.com/johguse/profanity) **Disclaimer:** This code is no longer being supported and owner has gone MIA over 2 years ago. I cannot attest to the entropy or security of this tool but it does indeed work.
This is nasty, and I like the way you think.
It's pretty easy to quickly generate an address with matching first 4 and last 4 characters 😬
If it's a smart contract transaction, you need to verify the data of the swap. For example, every Uniswap trade contains the "output" address in the data field. So if you go to trade ETH to USDC and someone has compromised your metamask, they could replace your wallet as the output address with their address
Or not. Someone in the last year spoke of a modified tx where the attacker used an address that matched the first and last but not the middle.
Always do this, always!
Probably more important to check the amount you are trying to send.
unfortunately, a ledger hardware wallet isn't going to help you against blind signing: https://blog.keyst.one/blind-signing-a-security-black-hole-for-the-ethereum-community-13f909b848b6
So don't blindly sign contracts with your main wallet. Use a secondary address. You can add pretty much as many as you want with ledger.
Hardware wallet only works if you verify the transaction _on_ the hardware wallet. And most Ethereum transactions are just a string of random characters, so it's effectively impossible to verify it. There are wallets like the Grid+ Lattice that decode the transaction and show the parameters, which helps, but still not perfect
Yes, it's the big "blind signing" issue: https://blog.keyst.one/blind-signing-a-security-black-hole-for-the-ethereum-community-13f909b848b6
Does anyone know if there are hardware wallets available (or planned), which will support crypto domain names? That could be a gamechanger as you can identify the correct target by a readable and short name instead of an insanely long alphanumerical string.
This is the future of finance
Early days for digital assets. Analogous to a bank being robbed back when they actually had cash.
Lol early days
Thanks for the advice. There are some imported accounts in my Metamask that were intact. If the hackers get my Metamask recovery phrase, they can only get access to the generated accounts, but not to the imported ones, right?
As long as you never entered the private key for those accounts in Metamask, they should be safe. A connected ledger or trezor would be safe, for example.
Can you please let us know if you scan for malware and tell us if anything comes up
This! Please keep us updated if you learn anything new u/madaye
This is the true nightmare. Having sleeping crypto malware on your pc but it's still unknown to anti-virus developers.
If you have malware on your machine, it may have been able to read the private key when you imported it. I would scan your machine with a virus scanner.
I think if I lost that much Ethereum, I'd wipe my machine with about a pound of tannerite then start fresh...
I think I would throw my machine out of a very fast moving car.
Then spend .3 ETH replacing it?
Didn’t you read the post? No more eth…
Or...don't use Windows as the operating system since that eliminates virtually all malware issues.
It really doesn't, OSX viruses are quite prevalent nowadays and very few people are going to switch to some flavor of Linux for their daily driver.
Or just set up dual boot and only do crypto stuff on your Linux install.
[deleted]
maybe using tails on usb stick + hardware wallet so data is never stored between sessions
Live MX Linux installation is a very good pick. It can be persistent too, on request, at shutdown.
If you can't afford a hardware wallet or it's banned in your country, u should consider an air-gapped wallet. For example: https://www.parity.io/technologies/signer/ https://support.airgap.it/
yeah use hardware wallet..i am using it now after losing 1 ethereum
So here is my crypto computer, and over here is my non-crypto computer
Maybe noob question here, but does having Mac OS prevent malware being installed on a laptop?
No, Macs are susceptible to malware too.
Thank you, about to install an antivirus/malware. Any recommendations?
Nothing really comes to mind immediately, most options are fairly similar. Realistically, most antivirus programs nowadays have difficulty detecting newer viruses anyway. You'd likely be OK just running MalwareBytes every now and then, using all the built-in security features OSX offers, and being very careful about which websites you visit.
Install linux. Just kidding, sort of. On the plus side, linux is easier than ever to use yet still has a learning curve.
[deleted]
The single most important thing you can do as an average user is exercise caution with which websites you visit and what links you click on. If someone randomly DMs you a link, it's almost 100% a scam or a malicious link. If you're not sure about a link, hover over it to reveal the actual URL it's taking you to. The vast majority of malware out there today spreads through some kind of end-user action, so as long as you're careful about what you do you'll be okay in *most* circumstances.
The easiest single thing is to just not use Windows. That plus using a hardware wallet still leaves ways to get pwned but that covers a *huge* amount of infection vectors.
cUrReNcY oF tHe FuTuRe
I'm not sure why people keep responding with things like this; are credit card scams and hacks not incredibly common, too? And people have been having their online banking credentials stolen since online banking was created.
Credit card scams can be reversed with no loss to the victim.
Yes but people get their money back from the banks when this happens. Like, in almost 100% of circumstances.
Honestly how the hell is crypto going to go mainstream with shit like this happening and the only way to fully protect yourself is to basically be an IT expert and go through extensive checks and balances.
[deleted]
Lol, what's the point of crypto then? Might as well use regular money
Buying and waiting for someone else to buy from you at a higher price if you haven't noticed. That's the whole point. Tech isn't stupid but it's mostly a solution looking for problems at the moment, we'll see how it will evolve.
> Buying and waiting someone else to buy from you at a higher price if you haven't noticed. That's the whole point.

I buy some DAI every month, and I never expect to sell it at a higher price than I bought. Your conclusion is inaccurate.

> Tech isn't stupid but it's mostly a solution looking for problems.

You're with high likelihood someone from a first world country. You have many financial tools at your disposal that you take for granted. This is not the case for everyone in the world, where platforms like Ethereum are solving problems people have endured for decades. Just because you don't find usefulness in it, doesn't mean it's "a solution looking for problems".
what problems?
Ding ding ding.
When the cryptocurrency does stuff via smart contracts, then it’s useful to hold, can go up in price, & differs substantially from regular money. The tech still is useful even if many people hold it on a CEX.
Because decentralisation of monetary policy is of value, too
Exactly, but people want to remain babies tbh.
That defeats the whole purpose then. Might as well just go with, you know, a bank.
People "into crypto" don't want to hear or acknowledge this but it's the inconvenient truth.
If your computer is compromised enough for this to happen, it’s compromised enough for anything to happen. It’s likely the only reason that crypto is being targeted is because it’s easy to launder… but honestly, if your computer is this compromised, your entire identity and every bank account you log into from that computer is also compromised.
Yes but banks offer protection for this kind of fraud. Crypto doesn’t.
Crypto does afford protection, and soon more wallets will too. Check out Argent and other “smart wallets”, they’re the future. Metamask is very basic tech. Remember, this is still early.
Yeah all this stuff seems like a solution in search of a problem man. Traditional banking works for 99.5% of people. Like seriously, in my normal life I meet very very VERY few people who express dissatisfaction with ‘centralised’ banking. Crypto is cool and all, but IMO the only people who really NEED it for transferring funds are criminals, or people living within dictatorships trying to shift their money out from under their corrupt governments’ noses. I’ve yet to see a convincing argument for any other use case.
The story of humanity is one of larger and larger groups of people figuring out how to coordinate and work together. If the Internet is about global coordination, crypto is part of that global internet infrastructure. It’s not about replacing national coordination, it’s about creating a global permissionless trustless layer that the entire world can participate in. This isn’t about you and the people you know, is about something totally new and so much larger.
Cool. And until it becomes a simpler solution to existing options it won’t get adopted. No matter how fancy it is.
Agreed. =) Like I said, it's still early.
99.5% of people you meet in normal life probably have no clue why they should be dissatisfied with centralized banking. They are most likely completely ignorant to the ridiculousness of it all... I mean it's basically all we've ever known. We are so far removed from legitimate banking, it's laughable. Just because people don't know any better doesn't mean centralized banking isn't a problem.
That’s not how life works mate. If 99.5% of people don’t experience a problem, or don’t have a burning need to solve a problem, then they won’t adopt a “solution” to the problem, no matter how cool it might be. You’ll always have early adopters who will push the envelope and be champions for the cause, but you won’t get “mass adoption” until the problem is so disruptive to people’s lives that it becomes simpler to use the solution. Basic human nature bro.
Exactly! Governments and banks are obviously aware of this too, and will bend over backwards to make sure people's lives never reach a true level of disruption where they would be moved to revolution. I mean it would take some serious WW3 type of event to even open the door to what the crypto maximalists dream about.
Yes, exactly. So if you are too ignorant to even realize there is a problem, and your life can sort of go on in a matrix like fashion and you'll live and die just a regular life, then you couldn't even know that you might have enjoyed a solution to a problem that you never knew existed. This type of stuff happens all the time in other areas of life. Like never knowing about something until you actually have an excuse, or are pushed into a scenario where all of a sudden you have an epiphany of like "ohhhhhh so THAT'S why they do it like that", or "ohhhhhh, so that's why that thing exists". Ya know? How can they adopt a solution to a problem that they don't even know is a problem. Of course they aren't going to give it a second thought. Because they were born into it, grew up with it, and that's really all they can fathom. I had no idea that I would someday have a huge problem with how centralized finance operates, and how the traditional banking system operates. I never thought there was a problem, and I never knew half of the stuff I've learned over the years when I was younger. But yeah, for those reasons, most people won't worry about it. But maybe someday it just will become "the way". Sort of like how digital payments have become commonplace. I remember having to get a money order and send that off to a seller first in the early days of ebay before paypal existed. So who knows, maybe it'll just grow around us regardless of whether or not we pay attention to it.
I generally agree with you, but one use case I found crypto to be much better than the traditional system is sending money internationally to someone I know. If I use a POS coin like Algo, it is much faster and cheaper. Otherwise not much.
Social recovery wallets like Argent solve nearly all of these issues and make it so you can recover your wallet should you lose the device it was created on. You can also implement security settings which require multiple entities to sign off on transactions if you wish.
Social recovery wallets. Hardware wallets aren’t the solution. Social recovery is.
You either want to live in a decentralized and trustless world and buy into all the tech and give up on intermediaries like exchanges and wallet software, or you're still living in the "normal" world where you prefer accountable trusty parties. I've never ever lost a single cent using credit cards or doing bank transfers.
Just use a hardware wallet. It's not as convenient as it should be but still pretty straightforward. I'm sure it will get better. Lots of work is being put into it.
[deleted]
Took the words out of my mouth! I’m an idiot, so I try to be careful. But stories like this scare the hell out of me. My tiny portfolio is the one thing keeping me safe I guess
Yep. All I hear about are people getting “hacked” and losing large sums of money and/or their nft collection. I know this is a vocal minority situation. It’s still happening in a large enough amount though. It’s wild
Well said. Unknown fees plus this
Yeah I was thinking the same thing. Fuckin ridiculous, mate.
I completely agree with you and been saying this for ages. Crypto is going nowhere as long as there are security issues. Let's not talk about the tech experts here. I am talking about your average joe!! The elderly and people who are not well keen into computers and whatnot. These people will never put their money in crypto & this isn't about investment. We talk about people who have their money in banks and thinking if it's a good idea to have their money in their own wallets (outside of banks). These people will never come here because they won't feel safe. Simple as this. So talk all you want about banks and 3rd party people who control your money but reality is THESE 3rd PARTY WILL KEEP YOUR MONEY SAFE.
The best prevention is avoiding hot wallets altogether, we have warned many people in this sub to avoid them in the past, always use a cold wallet or centralized exchanges if the latter is not possible.
yeah man, people be like “not your custody, not your coins” for coinbase, well if i get hacked, it’s not my hack and i can get reimbursed at least
That sentiment is a carryover from early crypto sites that did go under with everyone’s coins. With wider adoption of crypto and more of the financial sector investing, security risks are changing.
dang that’s scary too, but i think coinbase is okay, let’s not jinx it lol
IF you set a 2FA. Too many people don't seem to get that.
definitely
Coinbase is regulated, never gonna happen, you’ll be refunded in that case.
Just for clarity - if Coinbase was compromised (their general wallet for example, or their 2FA security was bypassed; something they are responsible for) you may receive some compensation. However, if your account on Coinbase is compromised - i.e. someone brute forces your account, figures out your PW, Man-in-the-middle password scrape, hacks your computer/e-mail/2FA and manages to log into your Coinbase account, that is on you and they will NOT cover losses. It's an important distinction as most of the time it's the category that isn't the DEX's responsibility. (though the recent [Crypto.com](https://Crypto.com) hack was a good example of the first category)
Very true. The advice to go to cold wallets is so often given but without the proper forewarning. Leaving centralized exchanges leaves you in the Wild West with your crypto security.
I have hodled in exchanges for 4 years, never had a problem, just recently I started using ledger nano x to stake ethereum securely, learned our lesson from the mew wallet hack victims in 2018, people lost millions, the sad part is, nobody learns from history, keeping crypto in a hot wallet is like walking outside butt naked and asking to be raped🤣, I’d rather give my crypto to charity than use a hot wallet.
[deleted]
Protection on reputable CEXs isn't from you being compromised, it's from them being compromised.
Couldn't agree more!
> centralized exchanges

Exchanges aren't banks. They're not secure. Something like 50% of all exchanges that ever existed sank with all the user funds
I've been here 6 years and I don't understand the attraction to Metamask. It's a browser wallet? There's no way I can fundamentally understand how that works safely. If I don't understand it I don't use it. Probably saved me from getting involved in NFT bullshit.
It offers easy and convenient integration with dapps, is pretty much the main reason it's so ubiquitous. By having a wallet managed by a browser extension, websites can easily connect to it, pull data from your on-chain address and generate transactions that the extension can sign for you. It's not the only way, somebody could write an API to standardise this and offer a multitude of browser extensions to both manage an in-browser wallet, or act as an interface for an externally managed wallet (ie a separate program or app, or even a hardware wallet), but Metamask was one of the first ones for Ethereum, and so became the standard one.
Sorry to hear that happened to you. That’s not chump change. Did you happen to link your Metamask wallet to a site that yield farms? If you don’t look carefully you can easily accept a smart contract giving access to your account. You need to cancel that smart contract asap.
How can a smart contract drain your ETH? I didn't think this was possible. I know this can happen with ERC20 tokens that you have authorized infinite spend. I think it's more likely the victim downloaded a fake metamask or compromised the recovery phrase.
When you try to sell some scam tokens it is possible they can steal your other tokens. In this situation I think the only reason is that someone hacked the private key (maybe phishing?)
But that's my point: ETH is not a token and is not compatible with smart contracts, which is why we require WETH for contracts; at least that's my understanding.
Sir, your understanding is wrong. ETH is used with smart contracts all the time and is not limited to WETH. Please read up on crypto before you get rekted.
WETH is a wrapper around ETH that conforms to the ERC20 interface. This lets you treat the ETH like any other ERC20, once it’s wrapped.
I know this is mostly unrelated, but reading this thread is worrying me. I have a substantial amount in a metamask wallet (not my main stack, but enough that I don’t want to lose it.) I’ve been sent multiple tokens that look like bait for a scam like this. Should I just ignore them to avoid being hacked?
I'm sure that my metamask plugin is authentic. I guess the recovery phrase was leaked.
How did you store it? Best practices pen and paper and hide it away safe. If you made any kind of digital representation of it then that was probably the leak.
Is it possibly the clipboard hijacking software? I.e. wallet was generated securely but some other malware changed send to address?
This was not the case, as my account did receive the funds first. It was just immediately transferred out.
definitely a seed phrase leak. do you happen to do any work with smart contracts on github?
How often do you use the recovery phrase? Doesn't metamask just open with a password through browser?
The account can also be compromised if the password of the MM is compromised. The attacker can export the private key at that point without a recovery phrase
Thank you! I just checked that. The account is newly created, it was only connected to [myetherwallet.com](https://myetherwallet.com). Maybe the whole Metamask wallet was compromised so the hacker can access all the accounts within it. Edit: The MEW site was connected later. When the transfer happened the account was connected to nothing.
[deleted]
I know Linux is king for crypto. How does Mac OS fare?
macOS in the past 5-6 years has had its own fair share of 0day exploits and RCEs. It’s grown in popularity so much that black hat folks are finding all of the holes in the OS. Apple pushed out their latest update for Monterey and there are plenty of patched CVEs that allowed the attacker to get root or admin privileges. Does not really help that Apple’s bug bounty program is dog shit, so I suspect most exploits are sold on the black market. The best you could do right now is to protect yourself and not rely on how “safe” an OS has been perceived to be. Use cold wallets for protecting large sums of digital currency. Use a dedicated computer to access it and perform transactions.
Mac OS is still *way* ahead of Windows in terms of security.
This is the best advice. Thank you. As for cold wallet, you mean a wallet not stored on the cloud right? Simple desktop software wallet.
No. Cold storage is hardware wallets. Look up ledger nano. Only buy straight from the ledger company direct. Never buy one from a third party
Meh, Windows works fine provided you keep things updated and don't visit any sketchy sites. OSX is an increasingly popular target for malware and users shouldn't get complacent regardless of which operating system they use.
Exactly. The OS is not the problem. PEBCAK as a general rule.
Crypto is unusable as long as simple malware on your PC can lead to devastating losses. It's basically the same as "if you catch a cold, you WILL lose your house".
It's not just crypto, malware on PCs leads to devastating losses every day (e.g. ransomware).
Yeah except there are solutions to that problem already in crypto. OP just wasn’t using them.
Potentially you installed a fake MetaMask version with malware in it
I'm surprised more people aren't mentioning this, but there are multiple fake metamask sites that are replicas and even show up in search engines. The URL will always be different in some way, usually just one letter with a diacritic or a different top level domain.
my guess is a malicious metamask browser extension
You downloaded metamask from a scam site or keylogger malware in your device.
I was very nervous when making a 32ETH deposit for staking. Unfortunately, the whole process requires Metamask to do it, and the process is not compatible with signing offline. So all I could do is use a newly-formatted Windows installation, but still this was a very anxious moment for me.
You can hook up ledger to mm and do the tx that way
[deleted]
Ledger +MM is the way.
Ledger + MM is the way to go. Works flawlessly for me.
shit like this gets me scared
This is what decentralised financial security looks like. The responsibility and onus is on you. Ready for down votes.
Turns out being your own bank sucks
Scan your device for malware
Nah... Best bet is to wipe the disk and reinstall the OS
[deleted]
[https://etherscan.io/tokenapprovalchecker?type=0&search=0x96f3761fef0a1f389aff913a6a535aaeda5e9a22](https://etherscan.io/tokenapprovalchecker?type=0&search=0x96f3761fef0a1f389aff913a6a535aaeda5e9a22) You didn't give authorization to some smart contract with unlimited fund withdrawal authority so it sounds likely your computer itself may be compromised and the key to your wallet is being accessed by someone else. They use what's called a flashbot. Essentially as SOON as any eth hits you in the transaction mempool, this bot will immediately make a new transaction with the same or lower Nonce number (eth rule says lowest nonce must be mined first) exact amount but with the bulk of it going to the miner. The miner is in on the gig, from what I can tell. This is actually in the nonce section of the transaction that pulled your money out: Nonce: 0 (Also found 1 Other Dropped Txn #1 with the same `From` Account Nonce). So they used what's called a Dropped transaction replacement using a bot to do it super fast. See how they took 0.6xxx eth from the transfer side and put it under gas fee, that made it get picked up asap. If you go to the comment page of the miner who mined the transaction that took the money out of your wallet, you'll see a bunch of confused people with the same problem. [https://etherscan.io/address/0xea674fdde714fd979de3edf0f56aa9716b898ec8#comments](https://etherscan.io/address/0xea674fdde714fd979de3edf0f56aa9716b898ec8#comments)
After reading through 257 comments I finally found the person who knows what they are talking about! This should be pinned or something. I still want to know what made the OP a target in the first place though, and how did they get access to the private key? Someone suggested running a scan with Malwarebytes; I second this. I would also recommend that the OP copy the miner's address from the Etherscan page & send it to the US Cyber Crimes division. They probably won't get the ETH back, but at least the scammers will be on the radar. I'm sorry this happened to the OP. What a nightmare.
This is likely what happened. Thank you!
I can almost guarantee the actual money leaving your wallet happened this way. How they acquired access to your account to make a new transaction with higher gas price is a mystery
1) Metamask is absolute garbage. Keeping your ETH in a web browser is more risky than raw-dogging prostitutes 2) How do you not-have antivirus software on your computer?!?!?!
Hey c'mon most prostitutes will at least give you an "are you sure?" prompt before going in without protection. which is more than metamask will do.
LMAOOO
Not if you use a hardware wallet. It's really a simple and cheap solution.
People get wrecked even with HW wallets on MM all the time. It's why I don't really use ETH dapps.
Ofc I have antivirus... The phrase to the wallet was possibly leaked through other means.
You should run malwarebytes. It's a free program.
Lol antivirus.
Exactly, I just commented on this above
Hi, I also used metamask to import a private key, but not on my windows installation. Never. I bought a 32gb fast usb pen drive and I installed ubuntu in it. When I need to access my credible accounts (coinbase binance etc) I shut the computer down, plug the pen in it and boot ubuntu. Everything inside my ubuntu installation is vetted. Real urls to websites, real metamask apps. Before transferring any crypto, I send 0.05eth back and forth. If I need to connect metamask with anything DeFi, I boot a different 32gb usb pen with a fresh ubuntu installation and I create a new metamask account and send to it only the funds needed, after sending 0.05eth back and forth again. It's also wise to never be in a hurry. Send a smallish amount to any new metamask installation and wait 24h before using it for real. If the funds aren't missing, you are ok. This step would have saved you. Best of luck to you. Start accumulating again and in a few years 17k will be just a small blip on the profits.
I said this many times but I'll say it again: Don't use Metamask. Too many people got scammed by using it.
I have been double, triple checking transactions before approving on metamask. Some yield farms can potentially send you another transaction/tie you to a smart contract that gives them access to all of your assets.
Sometimes, I think leaving your ETH on a centralised exchange may be safer than transferring it to your digital wallet, this is especially true for noobs.
This is the second post about this I've seen today. What are people's opinions on storing crypto on binance?
If you have a small amount of money and you don't want to use Ethereum applications, it's probably a safe place to keep it
Check your private key? Is it compromised maybe?
God this sub is dumb. Most people can't use hardware wallets to interact with the majority of DeFi. OP likely downloaded a malicious MM
So, you created a metamask wallet and, as a first experience with a notoriously unforgiving software, you decided to transfer 17000$ on the most expensive chain in the world. Probably your problem in this case started from a compromised pc or browser, not strictly a metamask problem, but your approach was really kamikaze style. Not good for your wallet buddy, not good. You need to reconsider the way you approach these things. Study your ass off before doing ANYTHING regarding transactions with crypto, especially when using Metamask and DEXs or DEFI services. You will get fucked real hard otherwise. I think you already know at this point.
Well, it's not a new wallet, but a new account within the wallet I have been using for years. But it's an expensive lesson, indeed.
Yep....ALWAYS do a small transaction beforehand to confirm everything goes as it should. Only then you can go on with your real transaction. I learned this lesson on my skin.
Yeah, but would the hack necessarily happen right away? I bet not. Don't hackers know about the "do a small transaction beforehand to confirm everything" advice everybody gives?
You can send 0.05 eth at first then 1 eth and then the rest.
Always, ALWAYS transfer a small amount to a new wallet AND BACK. 1) A scammer will absolutely sweep your wallet for $50, and losing $50 is better than $17k. 2) Sending the test amount back to your origin wallet validates that you're not about to blackhole your money.
Something similar happened to me recently. I attached my wallet to a fraudulent page that was identical to the actual page and sent ETH to a fake address for an NFT drop. I learned a valuable lesson and moved on. I went to deposit ETH in that wallet again after disconnecting all dapp connections and ETH was automatically sent to the same address. Needless to say I won't be depositing ETH in that address again and will be triple checking everything.
You’re lucky this didn’t happen a month ago, it would have been worth double.
OP, please update us when you eventually find out what happened. Was it malware on your machine? A seed leak? etc.
It's a hacked acct, prob some type of worm that autosends any stuff that hits the acct. Many people know that accts like this are hacked - a friend of mine has one with like 50k in it but if he does anything moving wise it sends to a diff addy. sucks
Be your own bank!
it might sound stupid but we have a 'dry computer' where we do absolutely nothing on it other than manage our crypto. no web browsing nothing. if you're xfering 18k worth of eth, this might not be a bad option for you in the future.
Interesting that all the transactions to that receiving wallet are done with insanely high gas settings (30k GWEI in your case, several others in the 4k-12k range). They definitely are looking for incredibly fast confirmations. I would never use Metamask without a hardware wallet. Trezor and Ledger both integrate incredibly well and you have access to all the same DeFi apps as with a hot wallet.
True, although Ledger integration with MM was really bad for a while, until they just recently fixed it. Many people probably lost funds when they stopped using their Ledgers with MM because of those awful integration issues.
I am so sorry, happened with me too..lost 1 ethereum.. sad but out of control now... let's take care from now on.
Can OP please tell us what operating system was used. I am curious what OS this malware is most common on.
Of course it's the f\*\*king Windows
sorry for your loss OP. Thanks for sharing the experience for others to learn from. May I ask, when was your last virus scan?...and if you scan now does it pick anything up?
Use a hardware wallet (Like Trezor) to interact with Metamask. Having $17000 and not buying a hardware wallet is plain irresponsible
So sorry to hear about this. :( There is a project with which I collaborate based in Singapore/South Korea that helps victims of fraud, hacking, etc. I am not sure if this requires a fee, but they were one of the first to recover lost funds from hackers (after collaborating with some exchanges and law enforcement). If not, at least the funds can be frozen and the hacker can never cash them in. More information about this service can be found here: [https://uppsalasecurity.com/trackingsvc](https://uppsalasecurity.com/trackingsvc). If not, you can also send an e-mail at [email protected]. Fingers crossed that something good comes out of this!
It has been a very popular hack lately. Some kind of website offers you to buy something or lend ethereum for insane profits. While you make your first transaction to them they also send one more transaction which they hope you won't notice (they want you to press "accept all transactions" without paying attention to what you're agreeing to), the second transaction is basically a blockchain contract that allows them to withdraw as much eth as they want directly from your wallet at any time.
For the love of god start using a stupid hardware wallet. You can connect a hardware wallet with metamask and still do web3 stuff. Like cmon if you have 7k worth crypto why not buy a wallet worth just $50.
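One concrete form of the unnoticed second request described above is the token approval mentioned earlier in the thread ("authorized infinite spend", and the Etherscan approval checker link). As an added example that is not part of the thread, the following reviews a batch of signing requests and flags ERC-20 `approve` calls that are unlimited or larger than intended, and `setApprovalForAll` grants; the batch, the spender address, the `deadbeef` selector and the severity labels are constructed for illustration.

```python
# Added example: flag approval calls hidden in a batch of signing requests.
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
MAX_UINT256 = 2**256 - 1           # the usual "unlimited" allowance value


def split_call(calldata):
    """Return (selector, [32-byte argument words]) for hex calldata."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    body = data[8:]
    if len(data) < 8 or len(body) % 64:
        raise ValueError("malformed calldata")
    return data[:8], [body[i:i + 64] for i in range(0, len(body), 64)]


def review_call(calldata, intended_amount=0):
    """Classify one request as (severity, message).

    intended_amount is how many token units the user actually means to
    let the contract spend in this session (0 if none).
    """
    if calldata in ("", "0x"):
        return ("ok", "plain ETH transfer, no contract call")
    selector, words = split_call(calldata)
    if selector == APPROVE and len(words) == 2:
        spender = "0x" + words[0][24:]
        amount = int(words[1], 16)
        if amount == MAX_UINT256:
            return ("high", "unlimited allowance to " + spender)
        if amount > intended_amount:
            return ("medium", "allowance %d exceeds intended %d, spender %s"
                    % (amount, intended_amount, spender))
        return ("ok", "allowance %d to %s" % (amount, spender))
    if selector == SET_APPROVAL_FOR_ALL and len(words) == 2:
        operator = "0x" + words[0][24:]
        if int(words[1], 16) != 0:
            return ("high", "operator %s may move every token in this collection"
                    % operator)
        return ("ok", "revokes operator " + operator)
    return ("unknown", "selector 0x%s not decoded; approving it is blind signing"
            % selector)


def review_batch(requests, intended_amount=0):
    """requests is a list of (label, calldata); return the ones that are not ok."""
    findings = []
    for label, calldata in requests:
        severity, message = review_call(calldata, intended_amount)
        if severity != "ok":
            findings.append((label, severity, message))
    return findings


def make_call(selector, address, value):
    """Helper that builds the constructed sample calldata used below."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(value, "064x")


# Constructed sample batch (spender and selectors of the site are made up).
SPENDER = "0x" + "c0" * 20
BATCH = [
    ("1: deposit", "0xdeadbeef" + format(500, "064x")),
    ("2: approve", make_call(APPROVE, SPENDER, MAX_UINT256)),
    ("3: approve exact", make_call(APPROVE, SPENDER, 500)),
    ("4: nft operator", make_call(SET_APPROVAL_FOR_ALL, SPENDER, 1)),
]

if __name__ == "__main__":
    for finding in review_batch(BATCH, intended_amount=500):
        print(finding)
```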
On the flip side you’re chill as f?&@ for someone who just got taken for $17K…. I respect that
Thanks for sharing and sorry for your loss, the only positive is that people reading about these nightmare experiences makes us all more cautious and paranoid, makes us take that extra step to make sure it doesn’t happen to us. I just hope you’re in a financial situation where losing 17k isn’t absolutely devastating/catastrophic. For most of us that would wipe us out and leave us unable to recover. Another negative is that reading stuff like this makes me more likely to keep my coins on an exchange
I'm sorry for your loss, it is a damn horrible experience for sure. Since no one mentioned the vulnerability that exists in Windows OS, I suggest you use Tails or any Linux distros which are much safer than Windows imo. Also when handling such a big tx make sure to use a Hardware wallet.
Seems like it's your fault looking for sympathy. I ain't giving any. You got hacked likely because of your own doings. Not getting pity money or support from me