While away from my keyboard, enjoying a trip to Hawaii, I lost ~$3800 in crypto assets from my multisig wallet (app.safe.global).
I was eventually notified by my Gnosis Safe mobile app of a transaction moving some ENS out of my Safe to an unknown address. Upon investigation I found my entire Safe emptied.
The “attacker”, as I’ll call them for now, began withdrawing funds from my multisig wallet on Ethereum at 0xec819F77d464aeeF84A204F88CA85284D96A3acF. The withdrawals started the same day I left for my trip, the 16th of June 2023. Each day after that, at around the same time, another token held in that wallet was moved to an address I was unfamiliar with (0x3851bb469Eb2fF35D3C8415d321a425e1E967858).
I was genuinely confused at first, because I am a very security-conscious person and had no clue how one of the private keys associated with the multisig had become compromised. Upon inspection I confirmed that I didn’t own the address the coins were heading to, and noticed the transactions were signed by my “backup” address (0xe0b4Ff23f7268508Eb5923C3Cb415F531110C42f).
I began wracking my brain while cruising through the mountains of Oahu, trying to remember everything I knew about how I set up this multisig Safe and my “backup” wallet.
When I created the Safe wallet initially, mpoletiek.eth was the only address listed as an owner, and when I added the backup wallet I never raised the required number of confirmations for a transaction from 1 to, say, 2. Had I done this, the “attacker” wouldn’t have been able to move the funds without an additional confirmation from my primary wallet.
I also remembered that I stored the private key to the backup wallet on a fully encrypted hard drive that could only be unlocked with a key stored on another fully encrypted device. That is pretty secure. Each device required physical access to read, and I only ever imported the private key to the backup wallet once, to validate its usability with the multisig Safe. I used MetaMask, which is a non-custodial wallet, and immediately removed the wallet from MetaMask when I was finished, so even if my browser had been compromised (it wasn’t) my private keys were safe.
Even after realizing my first mistake I was still confused as to how the “attacker” got hold of my backup wallet’s private key. To be honest, $3800 is not enough of a bag to tie up a ton of compute power to brute force, so they must’ve easily nabbed the private key from my browser?
I did a ton of research as fast as I could. Were there any known security issues with MetaMask? With Gnosis multisig wallets? None that I could find. I don’t sign transactions at sketchy websites. I do a ton of research beforehand and typically wouldn’t use my “secret” “backup” wallet to test a sketchy website….
Wait…. How did I even create this “backup” wallet? Since I was able to delete it from MetaMask, I must’ve imported it, which means I didn’t use MetaMask to create it….. Oh crap…. I’m such an idiot.
While I don’t remember exactly how I created this “backup” wallet, I definitely didn’t use local software like ‘geth’ or even my MetaMask plugin.
I most likely created this wallet a long time ago and stored the private key as a “backup”, but did so using some website like ethereumaddressgenerator or paperwalletcrypto.
The likelihood that small, simple websites like these are run by bad actors is very high. It’s also highly likely that some of them are hacked without the owners’ knowledge and are stealing the private key of every address they generate, for later inspection.
Why I trusted this at the time is beyond me now, but I can only guess that in the past my involvement in crypto, and the amount of risk I was taking, was relatively low compared to the $3800 I just watched vanish from my multisig. Still, it’s probably chump change compared to the scores this individual is getting if this has been going on for as long as I imagine.
While there wasn’t much I could do from Hawaii to validate the rest of my security profile, I did a little research into some of the addresses associated with the transactions that drained my multisig wallet.
I reached out to Gnosis Safe to validate that they didn’t see anything additional or have any other perspective on how these transactions were initiated. From what both of us could tell, it was, and could only have been, initiated by someone with the private key to my “backup” wallet.
Once I knew that, I dug into the address the crypto was shipped to. At the time of this writing (06-25-23) the address (0x3851bb469Eb2fF35D3C8415d321a425e1E967858) still holds all my crypto.
The “attacker” hasn’t moved the crypto out yet, it seems.
I did some more digging and noticed an ENS name that was interacting with that address (0xtrippy76.eth).
Now I don’t want to make any claims that 0xtrippy76 is the attacker, but I will say that compared to other transactions this one is suspicious.
First, having knowingly taken crypto that wasn’t theirs, they spent a week withdrawing all the coin and have since held onto it for about another week. I’m comparing this to the transaction of almost 4 billion PEPE from 0xtrippy76, immediately shipped to Uniswap (a decentralized exchange).
I did a quick search and found a twitter user by that same handle. If this is the attacker, that PEPE transaction must’ve been a mistake.
I figured it wouldn’t hurt to ask…..
They seem to be fairly active on twitter and a huge fan of PEPE so I’m hopeful they will reply. 🙂
So, I’m fairly certain I’ll never see that coin again, but I am grateful for the lesson and have taken the following steps to ensure one of my multisigs doesn’t get compromised again.
- Create a new multisig with wallets I created myself that requires 3 confirmations before any transaction is executed. To withdraw crypto I will confirm the transaction from 3 separate devices (this is probably overkill). Safe!
- Isolate my wallets to the devices they reside on. There’s no need to maintain one wallet on all of my devices. Crypto isn’t “spending” money yet in today’s economy; it’s more a store of value and an investment (with more utility arriving daily), so we will “store” our crypto in our multisig and withdraw what we need, when or before we need it. Smart!
- Set up notifications on etherscan.io. The Gnosis Safe app was very slow to notify me of the transactions. With notifications from etherscan.io I would have caught the first transaction and saved myself ~$1500 in pain. Alert!
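The first mistake above, and the first step in the list, come down to one number: the Safe’s confirmation threshold, which stayed at 1 after a second owner was added. That is something you can check from outside the Safe UI. As an added example (not the original post’s code and not Safe’s own tooling), the Python below builds the read-only eth_call JSON-RPC requests for the Safe contract’s getThreshold() and getOwners(), decodes their ABI-encoded replies, and flags a policy that lets a single owner key move funds alone. The reply bytes in the block are constructed here with made-up owner addresses to mirror the situation in the post; send the same requests to any Ethereum JSON-RPC endpoint to audit a real Safe.

```python
"""Audit a Safe's owner/threshold policy from its on-chain state.

Added example, not the original post's code or Safe's own tooling. Builds
eth_call requests for getThreshold()/getOwners(), decodes the ABI replies and
reports a threshold that lets one owner key drain the Safe. Sample replies are
constructed below (made-up owner addresses), not real chain data.
"""

# 4-byte function selectors = first four bytes of keccak256 of the signature.
GET_THRESHOLD = "0xe75235b8"  # getThreshold()
GET_OWNERS = "0xa0e67e2b"     # getOwners()


def eth_call_request(safe_address: str, selector: str, request_id: int = 1) -> dict:
    """JSON-RPC body for a read-only call: no key involved, nothing is signed."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": safe_address, "data": selector}, "latest"],
    }


def _unhex(result_hex: str) -> bytes:
    return bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)


def decode_uint256(result_hex: str) -> int:
    data = _unhex(result_hex)
    if len(data) != 32:
        raise ValueError("expected one 32-byte word")
    return int.from_bytes(data, "big")


def decode_address_array(result_hex: str) -> list:
    """ABI layout of a returned address[]: offset word, length word, then one
    32-byte word per element with the address in the low 20 bytes."""
    data = _unhex(result_hex)
    offset = int.from_bytes(data[0:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if len(data) < start + 32 * length:
        raise ValueError("truncated address[] payload")
    return ["0x" + data[start + 32 * i + 12:start + 32 * (i + 1)].hex()
            for i in range(length)]


def audit_policy(threshold: int, owners: list) -> list:
    """Findings for a Safe used as cold storage; an empty list means nothing flagged."""
    findings = []
    if threshold < 1 or threshold > len(owners):
        findings.append(f"invalid threshold {threshold} for {len(owners)} owner(s)")
    elif len(owners) > 1 and threshold == 1:
        findings.append("threshold is 1: any single owner key can move funds alone")
    if len({o.lower() for o in owners}) != len(owners):
        findings.append("duplicate owner addresses")
    return findings


def audit_safe(threshold_result: str, owners_result: str) -> dict:
    """Decode both eth_call results and evaluate the policy."""
    threshold = decode_uint256(threshold_result)
    owners = decode_address_array(owners_result)
    return {"threshold": threshold, "owners": owners,
            "findings": audit_policy(threshold, owners)}


# Constructed eth_call replies (not real chain data): two owners, threshold 1,
# i.e. the state the post describes after adding a backup owner.
PRIMARY_OWNER = "0x" + "aa" * 20   # hypothetical primary owner
BACKUP_OWNER = "0x" + "bb" * 20    # hypothetical backup owner
SAMPLE_THRESHOLD = "0x" + "00" * 31 + "01"
SAMPLE_OWNERS = "0x" + ("00" * 31 + "20"           # offset of array data = 32
                        + "00" * 31 + "02"         # length = 2
                        + "00" * 12 + PRIMARY_OWNER[2:]
                        + "00" * 12 + BACKUP_OWNER[2:])

if __name__ == "__main__":
    print(eth_call_request("0xec819F77d464aeeF84A204F88CA85284D96A3acF", GET_THRESHOLD))
    print(audit_safe(SAMPLE_THRESHOLD, SAMPLE_OWNERS))
```

Run the audit after every owner change. When adding an owner, the Safe contract’s addOwnerWithThreshold(address,uint256) sets the new threshold in the same transaction, and changeThreshold(uint256) fixes an existing Safe; either way the number you want is at least 2 for two owners, so a single leaked key is not enough.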
In the end, 2 big mistakes lost me $3800 USD of crypto at the current valuation. The lessons learned led to 3 big steps in improving my crypto security posture.
Sometimes we wish we didn’t have to make mistakes to learn our lessons, but I know better these days, and while it hurts, it’s just money in the end; I didn’t get my lunch stolen. I have spent enough time in security to know that the paranoia can destroy ya, so I quickly shift to hardening my posture and charging forward, better armed and equipped to go farther and longer for my people.
May I share appreciations to my enemies for keeping me sharp and strong.
To be continued?…… We’ll see.