A $10 million hack targeting sophisticated crypto users has top security experts baffled. 

Taylor Monahan, former CEO and founder of Ethereum wallet manager MyCrypto, said on Twitter Tuesday that over 5,000 in ETH had been stolen since December. 

That’s over $10.4 million-worth of crypto at today’s prices. 

The worrying part? It hit hardware wallets of users who prioritized security, according to Monahan. 

“For the past 48 hrs I’ve been unwinding a massive wallet draining operation,” wrote Monahan, who joined MetaMask after MyCrypto was acquired by the crypto wallet’s parent company ConsenSys last year. “Folks are those who are more crypto native than most” and “reasonably secure” were hit by the draining of funds, she tweeted. 

In other words, these aren’t crypto newbies clicking on obvious phishing links that are being drained. The attack is far more sophisticated than that, and it’s OGs who are being “rekt,” Monahan explained. “No one knows how.”

The security team behind popular crypto wallet MetaMask told Decrypt that the “unidentified exploit” hit crypto users “including, but not limited, to MetaMask users.”

“The on-chain behavior heavily suggests a private key compromise,” they said. 

“What current investigations are showing is that it seems that this specific attack vector is pointing towards these users’ secret recovery phrases being compromised somewhere down the line, likely due to unintentionally insecure storage of said phrase.” 

Private keys are used by crypto users to access their funds stored in a wallet—be it digital or physical—and authorize transactions.

Monahan also said that the attack targeted funds held on wallets created from 2014-2022. “My best guess [right now] is that someone has got themselves a fatty cache of data from 1+ [years] ago [and] is methodically draining the keys as they parse them from the treasure trove,” Monahan tweeted. She emphasized that, however, that this is only a guess, and no one yet has been able to “determine the source of their compromise.”

Her best advice? “Please don’t keep all your assets in a single key or secret phase for years,” she said.

MetaMask’s security team added that in order to protect funds, users must not store their private keys anywhere online or on any “internet-enabled device.”

“If you ever get to the point where your wallet is so old that you can’t remember if you’ve been 100% diligent with its keys at all times, then consider creating a new wallet,” they added. 

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.