Getting robbed sucks. Protect your crypto wallets from online thieves. Here is how.

Rafael Chiang
Published in MetaMask · 4 min read · Nov 19, 2021
Phishing for Bitcoins

MetaMask is an empowering crypto wallet that allows millions of crypto users and enthusiasts to access the Ethereum and blockchain ecosystem from a web browser extension or mobile device, enabling the wallet holder to easily access Web 3.0 (the next stage of the web evolution), store and swap cryptocurrency, tokens, and NFTs.

With this great power comes the great responsibility of safeguarding the crypto wallet and its assets. As non-custodial wallets, MetaMask and other crypto wallets do not have access to the wallet access key (also known as the secret recovery phrase), the wallet’s private keys, or any information about the crypto wallet holder. This is why the wallet holder is solely responsible for protecting the wallet, its secret recovery phrase, and its private keys.

The main reason non-custodial wallets are hacked and their assets stolen is that the holder loses or discloses the wallet’s secret recovery phrase or private keys. The secret recovery phrase and private keys give criminals full access to the wallet and enable them to transfer all the assets to the criminals’ wallet(s).

These are the common and successful attacks targeting non-custodial wallet holders at the time of writing:

Holder gives away their secret recovery phrase or private keys:

  1. Holder gives away their secret recovery phrase to criminals. The most common fraud happens when criminals impersonate MetaMask or crypto wallet employees, tech assistance, helpdesk, or a benevolent crypto whiz offering to help with technical issues, prevent an account from being closed, or provide a free token (airdrop) once the seed phrase is handed over.
  2. Holder types the secret recovery phrase into a phishing website or software, including fake MetaMask websites, tech support forms, coin exchanges and similar systems, which ask for the secret phrase in order to recover wallets, fix errors, make purchases, receive free drops, and any other trick.
  3. The holder’s secret phrase or MetaMask Mobile QR code is recorded on video, for example, when the holder is writing or typing the secret phrase on a keyboard, device or piece of paper.
  4. The victim gives away their private keys. For example, they are asked for their private keys to win rewards or “stake”.

Victim’s device gets infected with malware that steals the secret recovery phrase or private keys:

  1. Victim opens an infected document, video, software or malicious file received through email, social media message, or chat. Successful infections rely on victims opening an infected link or file from persons or systems they think they can trust.
  2. Victim downloads malicious software that looks like legitimate blockchain software.

Victim installs a bogus MetaMask extension or app:

  1. Victim installs a bogus wallet or extension, and uses a secret phrase generated by the criminal (rotten seed).
  2. Victim installs an infected wallet extension that steals the secret recovery phrase.

To protect our community and wallet holders, the MetaMask security team continuously monitors and takes down phishing infrastructure set up by criminals. However, criminals can quickly change their tactics and compromise users before that infrastructure is taken down.

Therefore, the best way to avoid becoming a victim of cybercrime and losing your wallet and its assets is prevention. Here are the minimum steps that you must follow to keep your wallet safe:

  • NEVER share your secret recovery phrase or private keys with anyone or anything, under any circumstances.
  • Protect the devices where you installed your wallet by, at a minimum, installing reputable antivirus/endpoint protection and enabling full disk encryption, automatic updates, a password manager, and a screen lock for when the device is not in use. This is a good article: https://securityinabox.org/en/guide/malware/
  • Install your wallet on trusted devices only.
  • Take training to become security aware.
  • Consider using a hardware wallet if you have large holdings in your account.
  • Do your own due diligence when interacting with people or solutions, even if you think you know them or think the solution is secure. Fraudsters are skilled at convincing victims to take actions that will compromise their wallets. For example, they:
      • Impersonate business proposals, company employees, developers, or crypto enthusiasts, asking victims to open infected emails, links, videos, or documents that will take them to a phishing site or infect the holder’s device.
      • Invite victims to overseas locations to attend a business proposal, and coerce them into giving up the secret phrase.

Stealing is wrong and people should not do it. But while our community finds new ways to protect our assets and law enforcement enforces better policing and punishments, it is up to you to protect your online assets.
