<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Laszlo Dobos</title>
        <link>https://paragraph.com/@laszlo-dobos</link>
        <description>undefined</description>
        <lastBuildDate>Fri, 17 Apr 2026 10:15:45 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <image>
            <title>Laszlo Dobos</title>
            <url>https://storage.googleapis.com/papyrus_images/8062ce84095edf6e8550f0887fcfa838493eaab38fb44dc10f4ab77301623516.png</url>
            <link>https://paragraph.com/@laszlo-dobos</link>
        </image>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[I lost my recovery phrase – a true story]]></title>
            <link>https://paragraph.com/@laszlo-dobos/i-lost-my-recovery-phrase-a-true-story</link>
            <guid>Km3uDQmnQmtpS2ikFDdk</guid>
            <pubDate>Tue, 23 Nov 2021 11:49:24 GMT</pubDate>
            <description><![CDATA[If there is one thing you must not do in crypto, it’s revealing, exposing or in any other conceivable way compromising the recovery- or seed phrase of your crypto wallet – the key used to restore the wallet in case you’ve lost your computer, mobile or hardware wallet. Throughout my career as a journalist, focusing on IT and IT-security, I’ve written numerous articles on security, phishing, ransomware, hacks and so on. I believe I’m security-aware. Though not an expert, I try my best to protect ...]]></description>
            <content:encoded><![CDATA[<p>If there is one thing you must not do in crypto, it’s revealing, exposing or in any other conceivable way compromising the recovery- or seed phrase of your crypto wallet – the key used to restore the wallet in case you’ve lost your computer, mobile or hardware wallet.</p><p>Throughout my career as a journalist, focusing on IT and IT-security, I’ve written numerous articles on security, phishing, ransomware, hacks and so on. I believe I’m security-aware. Though not an expert, I try my best to protect myself. My “sec-ops” is definitely better than that of the average user. But here I am.</p><p>In the realm of crypto in particular, I’m aware of the risks and I know one thing most of all: Don’t ever, <strong>ever</strong> give away your recovery phrase. There simply cannot exist a situation where you need to reveal the recovery phrase to someone else.</p><p>And yet, that’s exactly what I did.</p><p><em>Disclaimer: Though I mention Polygon, Metamask and WalletConnect in this text for context, I put no blame on these projects nor on their products. The fault is entirely on me. However, I include some suggestions for improvements at the end of the text.</em></p><p>I had difficulties transacting on the Polygon network. I couldn’t tell if the fault was on the wallet side (Metamask) or if the network somehow stalled the transactions. They just didn’t get through. I decided to search the Metamask support forum, but I didn’t find any answers related to my situation. Also, I find the Metamask support forum a bit messy, to be honest.</p><p>Next, I tried the Polygon support on Discord. I’ve never used this particular Discord server before so I connected to the Polygon server for the first time. Now, as you all know, it’s common procedure to verify to be allowed to join the server. In Polygon’s case, the server greets you with a message to check direct messages (DM) for verification. 
So I did.</p><p>As I recall, there were two DMs from someone or something flashing a Polygon logo as the profile pic. I guess I just picked the first one on the list. This, as it turns out, was a scammer posing as someone on the Polygon team or a helping hand related to Polygon in some capacity. This is common among teams, to have volunteers or DAO “contributors” helping out and seeking benefits of sorts. At this point I didn’t think much of it.</p><p>I open the DM and here’s this guy asking to help. He, the probable gender I suppose given the profile name Pete, started by asking if I’ve tried staking MATIC tokens. I replied I hadn’t, and simply explained my situation. Pete persisted to push for staking MATIC, but I just told him I wasn’t interested and that I had an issue transacting on the Polygon blockchain. He then gave up on the staking promo and asked me to explain my case.</p><br><p>He then asked for my wallet address, which is fair and harmless, unless you have some special reason to conceal your address. So I provided the address and a transaction ID as an example of a stuck transaction. After a short while he returned with an answer that gave me a bit of trust, because he could confirm my issue. Note that before this, I did not tell him exactly what the problem was.</p><br><p>Next, Pete explains that they’ve seen the same issue with others, that this is a well known issue with Metamask. There’s also a simple solution: I need to reset or “reimport” Metamask. Ok nice, sounds reasonable.</p><br><p>In his next move Pete sends me a link to WalletConnect. As per WalletConnect’s web “WalletConnect is the web3 standard to connect blockchain wallets to dapps.” At this point I made a couple of mistakes. For one, my understanding of WalletConnect, which I’ve never used, was that it’s a generic wallet of sorts. 
Its main use case is to make users with less known wallet applications able to connect to crypto/web3 services even though the service does not list the user’s particular wallet as one of the options.</p><p>Second, I did not check the URL to WalletConnect. The link Pete sent me pointed to walletconnect.co (a now defunct phishing site), not the genuine walletconnect.com or .org. He then instructs me to click on “Wallet” at the top right of the page. So that’s what I do. The page then opened a drop-down dialog asking for my wallet recovery phrase. Right.</p><br><p>This, as it should, sets off an alarm in me. I instinctively react to this. I ask Pete if I really should do this. Very naïve, I know. He (surprise!) replies “Yes definitely”. So, I open Metamask, copy the recovery phrase, paste it into the dialog, and click Ok.</p><br><p>Let’s stop here for a moment, because from this moment I’m smoked. What, if at all, was I thinking?</p><p>When I look back, there are two reasons why. The first one being that this “solution” would probably have worked if done differently. It felt correct. Looking back it’s evident that Metamask had stalled somehow; it didn’t send the transactions. It didn’t create a transaction ID, and thus there was no trace of the transaction on Etherscan (an on-chain data scanner). A plausible solution would probably have been to write down the recovery phrase on a piece of paper, uninstall the Metamask browser extension, reinstall the extension and recover the account by providing the recovery phrase.</p><p>The second why is that I didn’t understand WalletConnect. My line of “thinking” was that the WalletConnect website is somehow connected to Metamask. And why wouldn’t it be? Metamask is a browser extension, right? I didn’t connect Metamask to this phishing site, but what if I had? It kind of felt like I did connect in a way, by providing the phrase. Maybe WalletConnect had this “reset” functionality. After all, it’s a kind of wallet in itself? 
No, it isn’t, I later learned. But if it was, could it somehow interact with Metamask in such a way that it securely and temporarily stores the recovery phrase, “reboots” Metamask and reinstalls the recovery phrase? Maybe. Or, maybe not.</p><p>Anyway, a moment later I open Metamask and it’s all gone. Just gone. Nearly empty. Empty as my mind at that moment. It struck me like lightning. I felt like ice. It crashed down on me. Full force. F*ck!</p><p>I’m not even bothering to curse Pete. I almost salute him. “Thank you for draining my account. I guess this will be a lesson for life”. Answer: “Thank you very much”.</p><br><p>He fooled me. Congratulations. Well played. He was the better player, I lost.</p><p>Luckily, however, I didn’t lose everything. “Not your keys, not your crypto” might be true, but having at least some crypto on a custodial wallet on an exchange has its advantages too. Nevertheless, I lost enough to make my wife’s face turn pale.</p><p>That said, in hindsight I realise that the most valuable stuff in that wallet wasn’t money. Consider the following additional implications of losing your wallet, and you probably realise there’s a lot more than money at stake.</p><ul><li><p>NFTs. I had some low-value NFTs in the wallet, of which I managed to salvage some thanks to the fact there was some ether left so I could make a few transfers to a new wallet. But it might be for others that the real value is not in fungibles, but in non-fungibles.</p></li><li><p>ENS domains. These are NFTs too, and these were the first things I moved out of the compromised wallet. Think of the horror to have someone else in control of your ENS domains.</p></li><li><p>Decentralised ID. This is yet uncommon, but I predict DIDs will become ubiquitous in the future. Imagine someone else in control of your online ID.</p></li><li><p>Future airdrops. You probably use a bunch of services which have yet to drop their own token. 
If they do, you might be able to salvage the tokens, if you’re quick enough and the perpetrators are not using some sort of script to automatically move any funds out, but in all likelihood the drop will fall into the hands of whoever co-controls your wallet.</p></li><li><p>Legal and tax implications. For whatever reason you might need it, it will be damn hard to prove you lost control of your wallet. What if the perpetrator commits some criminal act using “your” wallet? It’s not too hard for law enforcement agencies to trace that wallet back to you. Will the IRS, or equivalent tax authority, buy your story that you lost the funds?</p></li><li><p>There’s probably more, but I think this suffices to get the message through.</p></li></ul><p>Since this I’ve set up a new Metamask wallet, this time protected by a hardware wallet. However, the wallet to which I transferred the NFTs is a Coinbase Wallet which I had begun testing some time before this incident. There are some differences between these wallets, the major one from a security standpoint being Coinbase Wallet supporting 2-factor authentication and Face-ID. Metamask, unfortunately, does not support 2-factor authentication. It wouldn’t have helped in my case, but it sure helps if you get hacked in some other way.</p><p>Finally I’d like to encourage crypto projects to keep their Discord servers clean from scammers and imposters. It’s not easy, I know, but at least the latter shouldn’t be too hard. And I do find verification processes through DMs pretty stupid. If you’re making millions a day, you can for sure afford to have someone keeping an eye on the server.</p><p>Thanks for reading, and again, never give away your recovery key.</p>]]></content:encoded>
            <author>laszlo-dobos@newsletter.paragraph.com (Laszlo Dobos)</author>
            <enclosure url="https://storage.googleapis.com/papyrus_images/c88cdc478340b2bb6e8601e36799b6b8f0fda017874dd7f74b5987985d7563ec.jpg" length="0" type="image/jpg"/>
        </item>
    </channel>
</rss>