The founder of DeFi insurance protocol Nexus Mutual has published a postmortem on a targeted attack using MetaMask that resulted in the personal loss of $8 million in crypto assets.
On Dec. 14, Nexus Mutual founder Hugh Karp had a nasty surprise when he was tricked into making a transaction to an attacker’s address via MetaMask. This resulted in the loss of 370,000 Nexus Mutual tokens (NXM) worth around $8.4 million at the time.
Karp has now detailed the attack in the hope that others will not fall victim to the same scam.
Windows PC and MetaMask Compromised
The DeFi expert stated that he was using a Ledger connected via MetaMask to interact with the Nexus Mutual application at the time on a computer running Microsoft Windows.
A few days earlier, Karp noticed some screen flickering while composing an email but didn’t pay it much attention. An hour later, on Dec. 11, the MetaMask extension was altered on disk and replaced with a malicious version.
On the day of the attack he went to claim some shield mining rewards through the MetaMask extension, which popped up a spoofed transaction instead of one to the intended destination. The transaction appeared on the Ledger and went through, but there was no confirmation from the Nexus Mutual app, which is when the penny dropped.
He added that he should have been more careful in checking the transaction details, but the vulnerability was his PC which was likely hijacked by malware.
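The lesson Karp draws is that the hardware wallet screen, not the browser extension, is the only trustworthy view of what is being signed. The check below is an added example, not code from Karp's post-mortem, Nexus Mutual or MetaMask: it decodes the ERC-20 `transfer`/`approve` calldata a Ledger displays and lists every way it differs from what the user meant to sign. All addresses are constructed placeholders, and the sample assumes an 18-decimal token.

```python
# Real 4-byte selectors: the first four bytes of keccak256(signature).
SELECTORS = {bytes.fromhex("a9059cbb"): "transfer",  # transfer(address,uint256)
             bytes.fromhex("095ea7b3"): "approve"}   # approve(address,uint256)

def _addr(word: bytes) -> str:
    # ABI addresses are right-aligned in a 32-byte word; the 12 leading bytes
    # must be zero, otherwise this argument is not a plain address.
    if word[:12] != bytes(12):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_erc20_call(data: bytes) -> "dict | None":
    """Decode transfer/approve calldata into {function, recipient, amount}."""
    if len(data) != 68 or data[:4] not in SELECTORS:
        return None
    return {"function": SELECTORS[data[:4]],
            "recipient": _addr(data[4:36]),
            "amount": int.from_bytes(data[36:68], "big")}

def check_against_intent(to: str, data: bytes, intent: dict) -> list:
    """Return every mismatch between the transaction and what the user meant
    to sign; an empty list means confirm, anything else means reject."""
    problems = []
    if to.lower() != intent["contract"].lower():
        problems.append(f"unexpected contract {to}")
    call = decode_erc20_call(data)
    if call is None:
        return problems + ["calldata is not a recognised ERC-20 call"]
    if call["function"] != intent["function"]:
        problems.append(f"function {call['function']} != {intent['function']}")
    if call["recipient"].lower() != intent["recipient"].lower():
        problems.append(f"recipient {call['recipient']} != {intent['recipient']}")
    if call["amount"] > intent["max_amount"]:
        problems.append(f"amount {call['amount']} exceeds {intent['max_amount']}")
    return problems

def erc20_transfer_calldata(recipient: str, amount: int) -> bytes:
    """Build transfer(recipient, amount) calldata (used here for samples)."""
    return (bytes.fromhex("a9059cbb") + bytes(12)
            + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big"))

# Constructed placeholders: not the real NXM contract or any incident address.
TOKEN = "0x" + "11" * 20
USER = "0x" + "aa" * 20
ATTACKER = "0x" + "bb" * 20
INTENT = {"contract": TOKEN, "function": "transfer",
          "recipient": USER, "max_amount": 1_000 * 10**18}
# Spoof: expected contract, but the attacker as recipient and 370,000 tokens.
SPOOFED = erc20_transfer_calldata(ATTACKER, 370_000 * 10**18)
```

A spoofed extension can show any label it likes, so the comparison has to be made against the raw `to` and calldata shown on the device.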
“While most Metamask attacks phish your private keys by tricking you into downloading a malicious version, this was not the case here.”
Karp has been working with cybersecurity experts at Kaspersky, but the actual exploit is still unknown. He added that MetaMask, which has begun beefing up its security, is a clear target of many attacks, and:
“DeFi power users should probably assume Metamask is compromised at all times unless they are running it on a separate clean machine that does nothing but sign transactions.”
Ledger Users Be Warned
Following the recent Ledger data breach, anyone owning this hardware wallet is likely to become a similar target. Hackers now have access to their emails, phone numbers, and address details thanks to lax security at the French wallet manufacturer.
Some of the community set up a Gitcoin grant to compensate Karp for some of his losses; however, he stated that he doesn’t feel he should be compensated. He suggested instead raising a bounty to fund the development of a highly secure solution for interacting with smart contracts, designed for retail users.
No such luxuries are available to Ledger owners who get hacked. The company has already stated it has no intention of offering refunds or assistance.