This post will be updated as and when more information becomes available.

Image for post
Image for post

Background

On Monday 14th of December at 9:40am UTC, I was tricked into approving a single transaction that sent 370,000 NXM to a hacker instead of what I thought was claiming some mining rewards. The hacker has subsequently liquidated the majority of the NXM into ETH/BTC and has been dispersing it to many different addresses and exchanges.

I was using a Ledger connected via Metamask to interact with the Nexus Mutual application at the time. Computer was Windows OS.

Private keys on the Ledger remain safe.

The Nexus Mutual smart contracts and funds are completely unaffected, this attack is a personal one only.

Storyline so far

In what we believe is a targeted attack, here is what we know:

  1. At around 10:20 UTC time on Friday 11th December I was writing an email and my computer screen went black for 2–3 seconds. It returned to normal and I simply assumed something weird happened and continued on.
  2. Roughly an hour later at 11:20 UTC my Metamask extension was altered from disk and replaced with an infected version. See the background.js file and this diff for details.
  3. I did not conduct any transactions via the Metamask extension until Monday 14th December.
  4. On Monday at 9:40am UTC I went to claim some shield mining rewards on the Nexus Mutual application. As usual, Metamask pops-up asking for confirmation, nothing appears odd at this point, as Metamask presents the information I expect. However, it is in fact hiding a spoof transaction that it will send to the Ledger. I hit confirm as all looks ok.
  5. The spoof transaction now appears on the Ledger and I click through the transaction info and hit approve. If I checked the “To” address and other info I could have seen something wrong at this point. But as NXM is not supported by Ledger directly it didn’t pre-fill human readable info.
  6. I then received the Metamask notification that the transaction had completed but the Nexus Mutual application was still waiting for confirmation. So I proceeded to check Etherscan and then discovered what had actually happened.

Step 5 is where I made the mistake and should have been more careful, so it’s entirely my responsibility. I would note that it’s very hard to double check this information as you need to be quite technical, especially as it’s presented in hex format and not human readable. I have enough technical knowledge that I could have done it, but regular users would not really stand any chance here.

In addition, as I was only claiming rewards on a website I trusted (Nexus Mutual app) I believed I was conducting a rather low risk transaction. This attack vector means you have to double check all transactions regardless of value.

At this point we started investigating what happened and tracing funds with the help from many others in the community. Thanks everyone for your support!

In particular, Sergej Kunz, Julien Bouteloup, Harry Sniko, Richard Chen, Banteg and others I won’t name right now.

Summary of Findings

  • While most Metamask attacks phish your private keys by tricking you into downloading a malicious version, this was not the case here. My computer was compromised and Metamask was altered from disk. This means the browser extension warning would not flag.
  • The malicious extension’s configuration was fetched from coinbene.team, that domain can be tracked to the following IPs
Image for post
Image for post
History of IP’s hosting coinbene.team
  • My browser had been put into developer mode. I’m not a developer so this was most likely performed by the hacker.
  • There are connections with other victims of what we believe are similar attacks.
  • The attack appears to be highly targeted, as they didn’t take the full amount of NXM they could have, so it seems like a prepared transaction payload was deployed specifically for me.

Hacker addresses are here (most relevant ones only):

Ethereum

0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1

0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b

0x09923e35f19687a524bbca7d42b92b6748534f25

0x0784051d5136a5ccb47ddb3a15243890f5268482

0x0adab45946372c2be1b94eead4b385210a8ebf0b

BTC

3DZTKLmxo56JXFEeDoKU8C4Xc37ZpNqEZN

Messaging (?) Channel

0x756c4628e57f7e7f8a459ec2752968360cf4d1aa

What we don’t know

1. How my machine was compromised in the first place.

Along with experts from Kaspersky we have been spending a large portion of the past week running full diagnostics on the machine, this remains a work in progress.

2. Who the hackers are.

From what we’ve seen the hackers are extremely sophisticated, and this is an ongoing issue that is impacting many others. The hacker/s are very talented and quite likely working as part of a larger group.

We have had short Telegram conversations with one of the hackers and we believe they are based in an Asian timezone based on transaction activity.

We are continuing the investigations and will share more info if/when it becomes available.

Learnings

  • DeFi power users should probably assume Metamask is compromised at all times, unless they are running it on a separate clean machine that does nothing but sign transactions.
  • Metamask is a clear target of many attacks and I’ve always been very careful on downloading from the correct source. Even so, it didn’t help me here.
  • Separate funds into different accounts wherever possible to minimise the damage should an issue like this occur.
  • Check hardware wallet transaction info before signing (easier said than done with smart contract interactions).
  • As a community we don’t have open source intelligence on bad actors. Etherscan labeling addresses is a great first step but more can be done.

What next?

I know there are lots of teams looking at the best options from both a UX and security perspective, but as a community we clearly have some way to go on this front. I’m not in a position to recommend a particular solution over another, but what I will do is use any funds raised as part of the following donation grant for a bounty.

Details of the bounty will be forthcoming but it will encourage solutions and/or technical progress related to personal wallet security.

Image for post
Image for post

Open Letter to the Hacker

You’ve used very sophisticated techniques to steal a lot of funds from not just myself, but many others in the Ethereum community. I have no expectation of getting any funds back as I know you’ve sent them to those you work for.

As I’m sure you’re aware, there are many white-hat hackers in the Ethereum community that operate anonymously, earn substantial rewards from bounties and have achieved significant notoriety for their efforts. Based on your demonstrated skills you would be a very strong addition to this group and would no longer have to send your ill-gotten gains to your superiors.

I urge you to put those skills to a positive use and get some credit from the community for the right reasons.

Hugh

Written by

Founder at Nexus Mutual. Blockchain. Insurance. https://nexusmutual.io/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store