Written by @mathMakesArt
In recent weeks you may have heard about the rise of a new scam targeting cryptocurrency users, specifically artists and NFT collectors.
This attack is based on a combination of malware (specifically for Metamask wallet users on Windows) and social engineering. The malware component has keylogging and clipboard monitoring capabilities, along with the ability to read (if not also write) data on your machine. Users were tricked into installing this malicious software on their own PCs, through a series of social engineering tactics.
How did these attacks happen?
The attacker initiated conversation with victims on social media, convincing them to download and extract a password-protected ZIP file from Google Drive. The password protection ensures that Google Drive’s virus scanning capabilities are not able to see into the contents of the ZIP file (but the scammer provided their victims with a password directly through channels like Twitter DMs). Once the victim extracted the file and ran a malicious screensaver file, malicious code infected their system. Upon the victim accessing their Metamask wallet, their password would be grabbed by the program. This information along with the user’s seed phrase (which is stored on the computer within your browser extension storage) was sent to a program which allowed the hacker(s) to automatically drain their victims’ funds.
Why does this keep happening?
A defining trait of decentralized platforms, whether for finance or art, is their lack of reliance on any central authority. Unlike your bank account, there is no “fraud department” to help you in case of theft. Scammers and hackers are well aware of this fact, and they know that it’s common for new cryptocurrency users (and even experienced ones) to misunderstand or ignore security procedures.
Despite the recent uptick in visibility surrounding these scams, the sad truth is that they are happening constantly and have been happening for years. This is by no means the first instance of malware designed to steal private keys from browser wallet software.
How can I make sure it doesn’t happen to me?
The short answer is to ensure that your private key (or seed phrase) is never stored on any device with any internet connection. There easiest and most straightforward way to do this is via a physical device known as a “Hardware Wallet”, which stores your private key in special internal storage which is inaccessible from the outside (even when plugged into your computer, EVEN if you have a virus).
Hardware wallets can be “imported” into many of the standard wallet softwares, including Metamask (Ethereum), Temple (Tezos) and Kukai (Tezos). When a hardware wallet is imported, you can carry out all of the same transactions that any software wallet would normally support. Crucially, transactions will only ever happen following your physical button presses on the hardware wallet device.
What is a private key or seed phrase? How does it work?
If you’re a cryptocurrency user who maintains custody of your own coins (with actual wallet software, as opposed to giving custody to a centralized exchange like Coinbase), then you have at least one private key. You might have more than one private key, e.g. one for your Ethereum wallet(s) and a second one for your Tezos wallet(s). In the case of Ethereum, private keys are 64 random hexadecimal characters (0 through 9 and A through F).
You might have a “seed phrase” or a “secret key phrase” or a “mnemonic phrase” depending on what your wallet provider calls it. These typically range in length from 12 words to 24 words, and by default are typically taken from the BIP39 English Wordlist (https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt) of 2048 total words.
If you have one (or more) of these phrases, this effectively serves as your private key.
A seed phrase encodes for all the same information as the 64 random hexadecimal characters in an Ethereum private key, but it’s easier to remember some words versus a string of random numbers and letters.
Lastly, if you have a seed phrase then it may be encrypted with a password. This is sometimes referred to as a “25th word” or a “13th word”. The net result is that your coins will be stored in a different wallet address (versus using the seed phrase alone), and an attacker would need both your base private key AND your password in order to access your coins. This additional level of security is not supported by all wallet softwares, but if it’s available to you then it’s absolutely a valuable security measure. I personally use it for my hardware wallets.
One warning to keep in mind with password-protected seed phrases: If you lose the password, you’ll lose access to your coins. Both your seed phrase AND your password are required for control of your wallet contents.
How can I store my private key in a secure manner?
There are two main problems facing each user:
- If you ever lose your private key, you will permanently lose access to all funds and contracts controlled by the wallets belonging to that private key. For this reason, you should ideally always keep multiple backups.
- If someone else ever steals (or otherwise learns) your private key, they will permanently gain access to all of your funds and contracts. For this reason, you should ideally never store your private key anywhere that an attacker could possibly access it.
The book Mastering Ethereum by Gavin Wood and Andreas Antonopoulos is available both in print and as an open-source web book on GitHub. Part of this book specifically addresses the “Control and Responsibility” of cryptocurrency ownership. I highly recommend reading this specific page of the book as it contains a bulleted list of tips on how to responsibly manage your private key(s).
Note: The third bullet point mentions that “the highest security is gained from an air-gapped device”. There are several ways to achieve this, but a hardware wallet (such as a Ledger Nano X) is arguably the most user-friendly and straightforward form of an air-gapped wallet.
What exactly is a hardware wallet?
A hardware wallet is a physical device which securely stores your private key (or seed phrase) in such a way that it is never exposed to your computer or phone (or any networked device), even during use.
When you use a hardware wallet (or other airgapped device), your private key is never stored anywhere that any adversary could possibly access (unless you back it up somewhere unsafe, like cloud storage).
Stealing your funds requires physically stealing your wallet device! And in reality, someone probably won’t be able to steal your funds even if they steal your device (due to additional layers of security, like a PIN). If you know your device is stolen, you can move the funds long before the thief has a chance.
How much does an entry-level hardware wallet cost?
For $60, you can get a Ledger Nano X or a Trezor One. They both work with most coins, and Ledger devices specifically work with Tezos.
NOTE: Despite having “wallet” in the name, hardware wallets do not correspond to any one specific wallet software. Software wallets, such as the Metamask (Ethereum) and Temple (Tezos) browser extension wallets, often have an “Import Hardware Wallet” option which facilitates the use of your hardware wallet accounts in an identical manners as standard software wallet accounts.
What advantage do I gain from using a hardware wallet (versus software like Metamask)?
A hardware wallet stores your private key such that it is totally inaccessible from the outside. Your computer writes a message (transaction) into the onboard flash memory of the HW wallet. Then, an onboard chip signs the message with your private key. Your computer then accesses the signed message.
In a traditional software wallet setup, the “signing” step (which requires your private key) happens on your computer. Because your private key is stored on your computer to perform this step, it becomes inherently vulnerable to the type of malware attacks described at the beginning of this article.
With hardware wallets and airgapped devices, you perform the “signing” step without ever storing your private key anywhere insecure, even for a moment. Even if malware is present on your computer, the malware cannot access the secret data (private key) on your hardware wallet.
NOTE: Even with a hardware wallet, you still need to keep a secure backup of your seed phrase. And as stated previously, this should NOT be stored on a networked device. Write it on paper. If you want fireproof, stamp it into titanium! (The author plans to make a tutorial on this in the future)
For further information you might be interested in these three Twitter threads, where the author of this article responds to the hacks and discusses hardware wallets in more detail: