Dear Reader👐
☛Nothing is as devastating as losing your life savings to a hacker, let alone if it happens on Metamask, a non-custodial wallet, which essentially means if your bag is gone, it’s gone.
Hardly a day goes by without a pleb’s Metamask getting hacked. The wallet gets cleaned out and honestly this is enough to make you sick every time you think about it. I mean, watching your coins leave your wallet on Etherscan and seeing them disappear is just so much fun. Are you kidding me!
On a serious note though, this has happened to so many people over the last few months. You’d be forgiven for thinking the wallet has a major vulnerability that Metamask devs are not owning up to.
If Metamask is like those vintage leather wallets that leak coins, it would be best to just toss it in the garbage and forget about it. Problem solved!
Not so fast, bruh! This is 2021.
There is a huge craze around DeFi and NFTs and Metamask is a must-have if you want in.
✳The Elusive Malware
Thus far, there’s no conclusive answer why there are so many hacking incidents on Metamask.
So, it’s rather disheartening whenever a troll yells, “It’s always a user error, you don’t just get ‘hacked’.” Mind you, this is directed at someone who’s devastated because they woke up to find their MetaMask cleaned out.
Though such a crude response makes sense in a clear phishing attack incident, it fails to explain other incidents where the victims themselves demonstrated geek-level computer skills and still got hacked.
I mean, if you’re a gamer with a computer science degree and created a few meme coins for fun, you’d be dumbfounded if a hacker took off with your bag, and also shocked if you are unable to explain what happened no matter how hard you try to retrace your steps.
What is clear, though, is that hackers orchestrate most of the top-level breaches through Metamask’s browser extension. In particular, the Chrome browser extension seems to be more impacted.
The mobile app, available on iOS and Android, has proved to be more resilient, save for phishing attacks which can be hard to detect.
Call it what you want if someone’s funds got stolen because they downloaded the app from unknown sources on the internet. But it will blow your mind when you get the app from Play Store and still get phished.
The thing is, you may be on Apple Store or Play Store and still end up with a scam app that appears totally legit.
Even on such highly curated mobile application stores, scam apps make their way in and trick people. Uploading a fake Metamask wallet to a mobile store is a simple but effective way to steal funds.
➡The easiest way to download the legit mobile app is to get it via metamask.io/download.html. This is the official download link that then takes you to the legit app on Google Play Store.
As mentioned earlier, the extension is where things get freaking scary. The lengths hackers go to just to steal could make you quit the crypto world.
✳Computer is Compromised
On the web, the common mistake most people make is clicking unnecessary links related to airdrops and interacting with dodgy sites.
But there are other scenarios. For example, you could get rootkitted. Many rootkits will enter your PC by piggybacking on software you trust. The problem is, if you get rootkitted, it won’t matter what malware or phishing protection you have.
In fact, having an antivirus will be your biggest drawback in this scenario because a rootkit, worm or keylogger will go undetected and you’ll be oblivious to the lurking danger.
To give you an example, this Redditor by the name archeactive says that he once had an issue with his PC and some type of worm continued causing issues, so he changed hardware and RAM. When that didn’t work, he formatted the entire thing, even changed the router (because some malicious viruses can integrate there too and spread) and in the end, the worm was installed on the wireless mouse’s USB.
It sounds insane and rare, but it can happen. People would look anywhere but their mouse USB for a virus.
So, if you fall victim to something equally rare and advanced, it would only be a matter of time before your Metamask is wiped clean.
I mean, what would you do if you woke up only to find your savings had vanished? As for me, I’d rather not wake up.
✳Decentralized Hot Wallet
Metamask is a hot wallet because it is essentially connected to the internet. While the wallet makes it easy to execute trades faster, being connected to the internet makes it more vulnerable to attacks than cold wallets.
Just so we’re clear, Metamask, like all crypto wallets, doesn’t store cryptocurrencies. Your assets live in the blockchain. Wallets only hold private keys safely. This information allows you to send or receive crypto from other users.
Metamask comes both as a browser extension and a mobile app and its decentralized nature makes it the go-to wallet for anyone interacting with Ethereum smart contracts. Well, Metamask also comes in handy with other networks like the Binance Smart Chain and Polygon, just that Ethereum is more popular in Decentralized Finance.
Non-custodial wallets such as Metamask differ from exchange wallets because they provide the user with a Secret Recovery Phrase, also called the seed phrase, which provides proof of ownership.
Two-factor authentication or 2FA, which is popular with exchanges, does not work for MetaMask because it’s decentralized. In other words, the Secret Recovery Phrase, which controls your assets, is not stored on a centralized server.
MetaMask stores your seed phrase encrypted with your password. This is a slight edge in that an attacker with full access to your computer would also need to record your password to have the wallet unlocked so as to be able to move your funds.
✳I Was Hacked
☞To begin with, Metamask is not as secure as you may think. It’s a hot wallet after all.
Sometimes, people claim they’ve been hacked, no idea how, but it could be that they were socially manipulated into approving a transaction to a scammer.
☞Another possible mistake is leaking the seed phrase online, either by taking a picture or by placing it in front of the camera of a compromised computer.
☞It’s also likely that some users type a weak password to secure Metamask, an easy pass for a hacker because the wallet’s private key is encrypted with the password.
⚠️Or it could be this:
Disclaimer: This is just a tentative opinion, zero proof, until a better explanation comes about.
Your seed phrase is stored in your browser’s data folder. I believe there’s some sort of malware that’s harvesting the seed phrase from the browser data folder, and is also running a keylogger to harvest the password. Pretty much every one of these unfortunate victims had been using the Chrome extension, so I believe that’s where the issue is. This is happening way too often lately, and more with Metamask than any other it seems. ~ Bggnslngr
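To make the password-encrypted seed phrase and the weak-password point above concrete, here is an added example (not from the original post and not MetaMask's own code) of a password-locked vault in Node.js. The KDF settings (PBKDF2-SHA256, 600,000 iterations), AES-256-GCM, the function names and the sample phrase are assumptions chosen for illustration.

```javascript
// Added illustration: what "seed phrase encrypted with your password" means at rest.
// Assumed parameters, not taken from MetaMask or from the post.
const crypto = require('node:crypto');

const KDF = { iterations: 600000, keyLen: 32, digest: 'sha256' };

// Stretch the password into an AES key; every guess costs the full iteration count.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF.iterations, KDF.keyLen, KDF.digest);
}

// Encrypt the seed phrase. Only salt, IV, tag and ciphertext would reach the disk.
function lockVault(password, seedPhrase) {
  const salt = crypto.randomBytes(16); // fresh per vault
  const iv = crypto.randomBytes(12);   // fresh per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const data = Buffer.concat([cipher.update(seedPhrase, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    data: data.toString('base64'),
  };
}

// Returns the seed phrase, or null if the password is wrong or the vault was altered.
function unlockVault(password, vault) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, b(vault.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, b(vault.iv));
  decipher.setAuthTag(b(vault.tag));
  try {
    const plain = Buffer.concat([decipher.update(b(vault.data)), decipher.final()]);
    return plain.toString('utf8');
  } catch {
    return null; // GCM authentication failed
  }
}

// True if the serialized vault exposes the plaintext phrase (it never should).
function vaultLeaksSeed(vault, seedPhrase) {
  return JSON.stringify(vault).includes(seedPhrase);
}
```

The vault file alone reveals nothing without the password, so its protection is exactly as strong as the password: a short or reused one is the weak link once the file and keystrokes are both within reach of malware.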
✳Parting Shot
☞It’s pretty obvious that hot wallets like Metamask are in some way insecure. This is because when your machine is on the internet, it could be accessed remotely, and keys could be stolen.
To mitigate the risk, store only what you can afford to lose on Metamask.
Metamask itself recommends that you get a hardware wallet once you hold enough funds that you would fret about losing them.
After transacting with MetaMask, it’s wise to transfer that value back to a cold wallet in order to eliminate the risk involved.
At this stage, it also sounds like a great idea to use a separate computer for crypto trading as it seems hackers mainly target people who use their computer for everything.
Setting aside a separate laptop for crypto will save you a lot of trouble and you have to ensure it stays that way. Nothing should be installed on the web browser of that PC other than Metamask. You also have to do due diligence on any contracts you sign and interact with, especially if these contracts are related to a large amount of your funds.
Additionally, the permissionless nature of blockchains means anyone can upload contracts.
With this in mind, it’s imperative to approach the blockchain world like the real world. Just like the real world, you have to make sure the agreement or the smart contract is not a bad deal or an outright scam.
Stay safe out there.
Disclaimer
This post is for informational purposes only and should not be taken as financial advice. Any purchase of financial products should be done at your own discretion.
Credits
pyh00ma, Bbtorz65, archeactive, excelance, Sarah Holt, hober-mallow-1337, Bggnslngr.