On the morning of January 17, 2023, I had just woken up and was about to leave for Hainan to start this year's Spring Festival trip when I turned on my phone and found a message in a format I had never seen before, saying something like the memory was insufficient and had been sent to "space". I was a little confused (I didn't take a screenshot in time). But my alertness made me turn on my computer to check the wallets, and then I found that my multiple MetaMask wallets, set up independently on multiple Google Chrome browsers on my computer, had all been hacked, even including the wallet set up for my boy to learn web3. The hacker started transferring at about 2am, after I had gone to bed at 1:30am (the transfers continued until around 2pm on the 17th, because there is no way to freeze a decentralized wallet). The wallets held crypto assets valued at around 150K US dollars plus thousands of NFTs that can't be valued at present. About $120,000 of the crypto assets in the accounts were transferred to two brand-new addresses created by the hacker. In addition, among the thousands of NFTs in my wallets, the hacker only transferred my five metaverse lands from DCL and VOXEL and three other NFTs (one music NFT and two Australian Open NFTs); the remaining assets that have not been transferred are all at risk.
I had to cancel the Spring Festival trip immediately, and my boy was also very sad. He had been building on the lands in the metaverse, and this time they were all stolen.
Then I needed to check how many of the assets that had not been transferred by the hacker could be recovered. In fact, the large sums had already been transferred out; the assets remaining in the wallets were basically in a long-term staking state or in very small amounts. An hour later, I called the police, because I remembered that this computer was assembled from parts purchased from the online store Jingdong in October 2021, at a total cost of more than $3K. At that time, I contacted a nearby computer maintenance service person to help install the Windows system, as I couldn't get an authorized version in mainland China. I asked him to install an authorized version of Windows, but even I couldn't obtain one, so I had to agree. He installed an activated version that he provided, but after that installation the computer often had blue screens. Later, this was basically resolved through online upgrades after I obtained an authorized activation code, but the whole process was very unpleasant. Also, my Gmail went offline the day before the incident, and Google alerted me that it had detected suspicious activity on my computer. This incident reminded me of that installation, so I had two requests for the police: one regarding the computer system, whether there is a backdoor and how the information was stolen; the other to pay attention to the flow of funds from the hacker's addresses, and if the funds flow to an exchange, whether the police could work with the exchange to freeze them.
Dealing with the hacked wallets is very troublesome. I didn't get to the police station until about 8pm to file a report. My wife accompanied me; on the way, she held my hand and said she knew how much pain I was in and how much time I had put into the blockchain. She choked up, and I choked up too.
Actually, I have been very careful, and I attach great importance to cyber security. My boy can only use another computer to learn and experience playing on our metaverse lands. I never clicked on any link from unknown sources or sent to me by private message on my computer. I was rarely involved in NFT FOMO activity, and even when I participated, I would repeatedly confirm the source of the link. The wallets I installed on multiple Google Chrome browsers also have different mnemonic phrases. I can only speculate that the hack was caused by the leakage of Google's cache package on the computer, but I don't know the specific technical details. Before my Gmail went offline, Google Chrome had reminded me that it needed to be updated, and the computer had automatically restarted and completed the update. The Control Panel installation record shows that Google Chrome was installed on the 13th. (The Tencent mobile game in this screenshot was downloaded when I talked to my boy about one of my classmates working at Tencent and whether we could try PUBG, but we haven't actually had time to play it. Brave is an encrypted browser; after downloading it, I hadn't started using it. Telegram was updated as per the system reminder; I never clicked on any link in it.)

There is another possible cause, which is the mobile phone on which I received the unknown message. This mobile phone is connected to my Google account. Perhaps some information was leaked from the mobile phone, but the information from multiple browsers must still have been leaked from the computer.
On the evening of the 18th, the wallet at one of the hacker's addresses moved. Through analysis, it can be traced back to some of the hackers' previous fund flows. It is preliminarily judged that the hackers did not specifically target me; it should be a very skilled hacker organization, as a lot of funds flowed in and out of their previous wallets, and in and out of multiple exchanges.
Therefore, it is almost impossible to recover the funds, and it is useless to be sad. The important thing is to think about how to avoid this tragedy happening again.
I want to openly seek help from computer security experts, especially technical experts from Microsoft (Windows), Google, and MetaMask, and from all web3 players, on how to prevent such leaks:
The plug-ins on all the independent Google Chrome browsers leaked at the same time. Is it because this Google folder leaked?
C:\Users\admin\AppData\Local\Google\Chrome\User Data
Were the mnemonic phrases and private keys of the MetaMask wallets recorded in the cache by the Google browser and thus stolen? I can't think of any other possibility, and I can confirm that no hacker had physical access to my device; all my mnemonic words are recorded by hand, and the private keys have never been copied or stored online. If even a careful person like me can't survive, then considering the recent collapse of the CEX FTX, I don't know how ordinary users can enter. How can web3 attract users?
This time, not only were my assets lost, but a complete matrix built on the blockchain over a year using the real names of myself and my family members collapsed. The records of countless experiences and interactions on the chains have almost been destroyed. I am grateful to my family and friends, especially my wife and my boy; because of you, I still feel love and sunshine in my life. Although the world is full of mistrust and dark evil, I believe that technology, together with goodness and faith in the light, can eventually defeat the darkness.
P.S.
There is a very high probability that my stolen funds will never be recovered, but I hope to raise awareness of the importance of security in this industry. Otherwise, it is all a mirage, and all decentralized wallets running on a centralized architecture are just a matter of time and money for hackers. Can the so-called decentralized wallets still be used, if you can only use them when the internet is disconnected, or if no money can be put in an online wallet, and those who don't put much money in are considered bots? How can people come and play in this industry?
