We should note that there are plenty of strange hacks in the cryptocurrency industry. For example, in August 2022, users of Solana- and Ethereum-based wallets began losing money. The scale of the hack was enormous: thousands of victims and the equivalent of millions of dollars stolen from them.

Alas, the developers of the Slope cryptocurrency wallet were to blame for what was happening. Their app sent users' seed phrases to the server unprotected, that is, without encryption. And because these phrases grant full access to the contents of a wallet, the hacker exploited the flaw and emptied as many addresses as he could.

A cryptocurrency investor with a hardware wallet

Incidentally, users of hardware wallets were safe that time. They were saved by the fact that such devices keep the seed phrase internally and never expose it anywhere.

How money is stolen in the cryptocurrency industry

The surge in mysterious attacker activity has occurred over the past few days, as Monahan reported on Twitter. Here is her relevant statement.

Over the past 48 hours, I have witnessed a massive scheme to steal funds from wallets. I can’t yet estimate the amount of loss, but since December 2022, this attack method has resulted in the loss of over 5k ETH, as well as an undetermined number of tokens and NFTs in eleven different blockchains. The victims of the attack were my friends and experienced cryptocurrency owners.

List of affected addresses

In other words, the actions of the hacker (or several hackers) were not obvious even to crypto-sphere experts. The victims in this case were not the newcomers who regularly lose money through careless clicks on phishing links and downloads of malicious files.

In an interview with Decrypt, cybersecurity analysts from the startup MetaMask noted that their wallet's users had also fallen victim to the attack. However, it is not limited to that interface's ecosystem: clients of other wallets were affected too, which means it is not simply a vulnerability within MetaMask. The experts continue:

The investigation reveals that this particular attack vector led to the disclosure of the secret recovery phrases of the affected users' wallets, probably due to unintentionally insecure storage of these combinations.

Traditionally, so-called hot wallets, MetaMask among them, are not considered the most secure tools for storing digital assets. The reason is that such interfaces hold the private keys on a device that is constantly connected to the Internet, which creates the risk of an attacker interfering with what is going on.

Cold wallets are the more secure choice here. Their dedicated vault, which holds the user's private keys, is never connected to the internet. This makes signing transactions with such a device much safer than keeping coins in an interface that is constantly online.

Cryptocurrency hacker

In her separate investigation, Monahan has so far only come up with a few guesses. Here is her relevant statement.

No one has actually identified the source of the attack. Several of the victims’ devices have been subjected to forensic analysis. Nothing. The only known commonalities between them are:

– The stolen keys were created between 2014 and 2022;
– The victims are all people who are more experienced with crypto than most: for example, they have multiple addresses, work in the field and so on.

Now I think someone got themselves a fat cache of data from over a year ago and is methodically siphoning off the keys.

This suggests that all those affected stored their secret phrases digitally in the same database. It is unlikely, but possible. Perhaps their experience with crypto was no barrier to the common human error of simply exposing an investor's critical data online. What that database was, and how the hacker could in theory have reached it, is also unknown.


There are also certain commonalities in the attacker’s actions before and after withdrawing funds from the victims’ wallets. According to Monahan, the withdrawals almost always took place between 10:00am and 4:00pm UTC.

The timing of the attacks

At the same time, the hacker most often swapped tokens for ETH inside the wallet before withdrawing funds, although this did not apply to particularly large batches of tokens. Priority was given to the most liquid assets, meaning that staking positions, NFTs and obscure tokens were usually left untouched by the attacker.

Coins from several dozen wallets were then converted and sent to 4-6 Bitcoin addresses. A few days later the bitcoins were moved to cryptomixers, which obscure the trail and allow the cryptocurrency to be moved on to fresh addresses. Unfortunately, so far it has been impossible to trace all the transfers and try to recover at least some of the funds.

Another interesting detail is that many of the attacks took place over the weekend
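The traits Monahan lists (withdrawals between 10:00 and 16:00 UTC, often on weekends, tokens swapped to ETH first, many wallets draining into a handful of destinations) can be turned into a simple triage heuristic. The following is an added example, not code from the original article or from any investigator; the log format, address labels and thresholds are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Outflow:
    ts: datetime                 # block timestamp, UTC
    src: str                     # wallet the funds left
    dst: str                     # where they went
    asset: str                   # asset that was moved
    swapped_to_eth_first: bool   # tokens were converted to ETH inside the wallet just before


def parse_log(lines):
    """Parse constructed 'ts,src,dst,asset,swap' lines into Outflow records."""
    records = []
    for line in lines:
        ts, src, dst, asset, swap = line.split(",")
        ts_utc = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        records.append(Outflow(ts_utc, src, dst, asset, swap == "1"))
    return records


def pattern_score(o):
    """Count how many of the reported campaign traits a single outflow matches."""
    score = 0
    if 10 <= o.ts.hour < 16:                          # 10:00-16:00 UTC window
        score += 1
    if o.ts.weekday() >= 5:                           # Saturday or Sunday
        score += 1
    if o.swapped_to_eth_first and o.asset == "ETH":   # liquid assets swapped to ETH, then moved
        score += 1
    return score


def detect_campaign(outflows, min_score=2, max_dsts=6, min_victims=3):
    """Flag outflows matching the pattern and check for fan-in: many victims, few destinations."""
    flagged = [o for o in outflows if pattern_score(o) >= min_score]
    victims = sorted({o.src for o in flagged})
    dsts = Counter(o.dst for o in flagged)
    is_campaign = len(victims) >= min_victims and 0 < len(dsts) <= max_dsts
    return is_campaign, victims, dsts


# Constructed sample log: 2023-04-22/23 is a weekend, 04-19 a Wednesday, 04-20 a Thursday.
SAMPLE_LOG = [
    "2023-04-22T11:30:00,0xvictim1,0xcollector1,ETH,1",
    "2023-04-22T12:05:00,0xvictim2,0xcollector1,ETH,1",
    "2023-04-23T14:40:00,0xvictim3,0xcollector2,ETH,1",
    "2023-04-19T03:15:00,0xuser1,0xexchange,ETH,0",      # off-hours weekday transfer, no swap
    "2023-04-20T10:10:00,0xvictim4,0xcollector2,ETH,1",  # weekday but in-window with prior swap
]

if __name__ == "__main__":
    print(detect_campaign(parse_log(SAMPLE_LOG)))
```

A score threshold this low will also catch ordinary weekend transfers, so treat a hit as a prompt to pull the full history of the source wallets, not as proof of compromise.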

What has happened has dealt a serious blow to the reputation of cybersecurity within the industry. It turns out that even the most seasoned digital asset owners are not immune to skilled hackers.

Whatever the case may be, there are conclusions to be drawn from this situation. First of all, cryptocurrency investors should use hardware wallets, which protect users' assets better. Hot wallets with an Internet connection, meanwhile, are better suited to holding coins that one can afford to lose if something goes wrong. Still, in this situation you probably can't count on a refund.

Let's hope that the mystery of the break-in is solved in the near future. Follow the situation in our cryptochat of former rich people, where we are also waiting for the new bull run to arrive.