I Saw Hackers Drain $45,000 From My Wallets: What Did I Do Wrong and Which Cryptocurrencies Need Fixing – DL News
- The malware infected my computer and left my wallets exposed.
- The stolen funds remain intact in the hacker’s wallet.
- I have some ideas on how crypto platforms can better protect investors.
As of noon on May 13, there were $45,000 worth of tokens in my MetaMask crypto wallets.
An hour later, it was all gone.
Sitting at my desk in my home in Lagos, Nigeria, I stared blankly at my computer screen, struggling to register the impact of what had happened.
On multiple open browser tabs on my computer, I could see several crypto transactions going out of my wallet to unknown addresses.
I was confused.
I looked at the timestamps displayed on many transactions and knew I couldn’t have initiated them.
This was because I had been busy working on another computer for three hours.
My shock quickly gave way to dismay when I realized that I had somehow been hacked. But how?
Pain and guilt
I have been a cryptocurrency reporter for seven years and in this time I have covered many cases of token owners who lost their funds to hackers.
Now, the same thing had just happened to me.
I felt pangs of pain and guilt remembering that most of the funds belonged not to me but to my family.
They began accumulating these crypto tokens — Ether, Tether’s USDT stablecoin, and Jasmy, an altcoin — in 2020, after Covid-19 lockdowns sparked economic volatility.
As the family’s resident expert, it was up to me to take care of their possessions, to keep them safe. I was their cryptocurrency custodian and my record was spotless.
Until now.
As painful as the theft was, it was nothing compared to the anguish I felt as I informed my family of what had happened.
The pain I saw etched on their faces reminded me of my late father’s passing in 2017. My story casts the transparency of public blockchains in a different light.
In just a few swipes at the computer, I can see my stolen cryptocurrency in someone else’s wallet, yet I can’t recover my assets. It’s a macabre reminder of my ordeal.
The reality is that a similar fate has befallen many cryptocurrency users, from professionals to beginners.
Billionaire Mark Cuban last year lost $870,000 to a hacker after, he said, downloading a MetaMask wallet “with some shit in it.”
In 2023, cryptocurrency investors lost $1.7 billion to thieves, according to Chainalysis, the blockchain forensics company.
It’s easy to lose your cryptocurrency if you make a mistake like downloading contaminated software that exposes your wallet details.
Sometimes, you can lose your funds if a careful hacker poisons your wallet address by creating a fake wallet that closely matches that of the victim.
In my case it all started with a game.
Keylogger
I had promised to help a younger relative of mine download a game called “Dave The Driver”.
He became impatient and tried to do it himself. The problem was that he used the computer with the browser wallet that contained my family’s crypto assets.
He downloaded a version of the game containing malware and immediately infected my laptop.
The malware likely installed a keylogger, a program that records keystrokes, and exposed the details of my MetaMask wallet, allowing the hacker to steal the crypto.
Many online wallets, including MetaMask, do not use proven security measures to prevent theft, such as fraud alerts and two-factor authentication.
If this was an account at my bank, I would have received a fraud alert as soon as the first transaction was initiated.
The bank would suspend the transaction and give me enough time to confirm whether I had indeed initiated the funds transfer.
Virtually no such preventative features exist for crypto wallets.
Funds staked safely
In fact, the only warning I received came from a centralized exchange where I held some tokens. Apparently the hacker was trying to access my assets and the exchange asked him for a two-factor authentication code.
That attempt was unsuccessful and I managed to retain those assets, but it was a small sum. However, here was a situation where two-factor authentication, or 2FA, worked well.
The hacker also tried to steal funds from other wallets I used that had staked cryptocurrencies, but they were unsuccessful.
This is because blockchains like Cosmos typically require users to wait 14 to 21 days to withdraw staked assets after they have been unlocked.
The hacker started the unstaking process, but was unable to transfer the tokens to his wallet. I have since rearranged those crypto tokens, but that hardly solves the problem.
(Staking is a process that allows your tokens to be used to validate transactions on a blockchain network.)
Unless the hacker forgets about my assets, I’ll be in a race with the thief to secure those staked assets in a new wallet when they become available for pickup, but that’s a problem for another day.
As for the immediate aftermath, I am grateful that my family did not blame me or my young relative for exposing their assets.
Reflecting on the stories I had written about similar cases, I realized that I hadn’t thought much about the families of people who had lost crypto funds to hackers.
My goal was to explain how the hacks occurred, where the funds went, and possible recovery efforts.
I can see the resources
What was especially frustrating was the fact that I can still see my stolen property three weeks after the crime.
Most of the stolen cryptocurrencies are found in the two addresses belonging to the hacker. They can be seen here and here.
In any case, I contacted a blockchain security company to try to stop the hacker from exchanging the stolen cryptocurrency for cash via a centralized exchange.
They told me it would cost them $2,000 to try to block the hacker’s wallet addresses.
Recovery of stolen cryptocurrencies is usually a lengthy process involving law enforcement action and the cooperation of cryptocurrency exchanges.
My family members decided it was best to absorb the loss.
They were not thrilled at the prospect of spending more money chasing the hacker when there was little or no chance of recovery.
Better safeguards are needed
I have had time to reflect on what happened and there are lessons to be learned from my experience.
First and foremost, keep computers containing valuable crypto wallets away from children!
On a more serious note, crypto wallets need better safeguards.
If the goal is large-scale adoption of cryptocurrencies, then secure storage of these digital assets must become easier, especially for those who prefer self-custody.
Self-custody comes with the expectation that you are responsible for keeping your possessions safe.
But users need more help, perhaps in the form of real-time alerts and two-factor authentication.
There are smart contract solutions like Safe’s multi-signature wallet where more than one signer is needed to complete a transaction.
While multi-sig wallets help improve security, individual signers must protect their own keys – again, with self-custody, it is up to the user to ensure the security of the wallet.
Multi-signature to the rescue?
Assuming you had set up a multi-sig deal with the compromised wallets, the hacker would still have been able to steal the funds. They would use each compromised address to sign the transactions needed to move the funds.
The process would have been slower, but they would have gotten away with my family’s money.
However, it is bad practice to set up a multi-sig controlled by a single entity.
Ideally, each signer would be a different family member whose wallets were on separate devices.
And that’s what we did.
Some may point out the mistake of keeping funds in an online wallet prone to hacker attacks. Or they may say the tokens should have been placed securely in an offline wallet, like the type offered by hardware wallet makers.
That was the plan, even if I had been slow to move.
And now they’ve given me a $45,000 lesson for my lethargy.
Osato Avan-Nomayo is our DeFi correspondent based in Nigeria. He covers DeFi and technology. To share story tips or information, contact him at osato@dlnews.com.