At midday on May 13, there was $45,000 worth of tokens in my MetaMask crypto wallets.
One hour later, it was all gone.
Sitting at my desk in my home in Lagos, Nigeria, I stared blankly at my computer screen, struggling to register the impact of what had happened.
On multiple open browser tabs on my computer, I could see several outgoing crypto transactions from my wallet to unfamiliar addresses.
I was confused.
I looked at the timestamps displayed on several of the transactions, and I knew I could not have initiated them.
That’s because I had been busy working on a different computer for three hours.
My shock soon gave way to dismay as I realised I’d somehow been hacked. But how?
Pain and guilt
I’ve been a crypto reporter for seven years, and in that time I’ve covered many cases of token owners losing their funds to hackers.
Now, the same thing had just happened to me.
I felt pangs of pain and guilt as I remembered that the bulk of the funds belonged not to me but to my family.
They began amassing these crypto tokens — Ether, Tether’s USDT stablecoin, and Jasmy, an altcoin — in 2020 after the Covid-19 lockdowns sparked economic volatility.
As the resident expert in the family, it had fallen to me to take care of their assets, to keep them safe. I was their crypto custodian and my record was unblemished.
Until now.
As painful as the theft was, it was nothing compared to the anguish I felt as I informed my family about what had happened.
The grief I saw etched on their faces reminded me of my late father’s passing in 2017. My ordeal casts the transparency of public blockchains in a different light.
In a few computer strokes, I can see my stolen crypto in someone else’s wallet, and yet I can’t recover my assets. It is a macabre reminder of my ordeal.
The reality is that a similar fate has befallen many crypto users ranging from professionals to novices.
‘It’s easy to lose your crypto if you make a mistake. In my case, it all started with a game.’
Billionaire Mark Cuban lost $870,000 to a hacker last year after he said he downloaded a MetaMask wallet “with some shit in it.”
In 2023, crypto investors lost $1.7 billion to thieves, according to Chainalysis, the blockchain forensics company.
It’s easy to lose your crypto if you make a mistake such as downloading tainted software that exposes your wallet details.
Sometimes, you can lose your funds if a watchful hacker poisons your wallet address by creating a fake wallet that closely matches the victim’s.
In my case, it all started with a game.
Keylogger
I had promised to help a younger relative of mine download a game called “Dave The Driver.”
He grew impatient and tried to do it himself. The problem was he used the computer with the browser wallet that held my family’s crypto assets.
He downloaded a version of the game embedded with malware and it immediately infected my laptop.
The malware probably installed a keylogger — a programme that records keystrokes — and exposed my MetaMask wallet details, which allowed the hacker to syphon out the crypto.
Many online wallets, including MetaMask, don’t use proven safeguards to prevent theft, such as fraud alerts and two-factor authentication.
If this was an account at my bank, I’d would have received a fraud alert as soon as the first transaction was initiated.
The bank would have paused the transaction and given me enough time to confirm whether I had indeed initiated the fund transfer.
Virtually no such preventive features exist for crypto wallets.
Staked funds safe
Indeed, the one warning I received from from a centralised exchange where I held some tokens. The hacker was apparently trying to access my assets and the exchange asked them for a two-factor authentication code.
That attempt was unsuccessful and I managed to hold on to those assets, but it was a small amount. Still, here was a situation where two-factor authentication, or 2FA, worked nicely.
The hacker also tried to steal funds from other wallets I used that had staked crypto but they were unsuccessful.
‘Unless the hacker forgets, I’d be in a race with the thief to secure those staked assets in a new wallet.’
That’s because blockchains like Cosmos typically require users to wait 14 to 21 days to withdraw staked assets after they are unstaked.
The hacker initiated the unstaking process, but was unable to transfer the tokens to their wallet. I’ve since restaked those crypto tokens, but that hardly solves the problem.
(Staking is a process of permitting your tokens to be used in validating transactions on a blockchain network.)
Unless the hacker forgets about my assets, I’ll be in a race with the thief to secure those staked assets in a new wallet when they become available for withdrawal, but that’s a problem for another day.
As for the immediate fallout, I am grateful my family didn’t blame me or my young relative for exposing their assets.
Reflecting on the stories I had written about similar cases, I realised I hadn’t given much thought to the families of people who’d lost crypto funds to hackers.
My focus had been on explaining how the hacks happened, where the funds went and possible recovery efforts.
I can see the assets
What was especially frustrating was the fact I can still see my stolen assets three weeks after the crime.
The bulk of the stolen crypto sits in the two addresses belonging to the hacker. They can be seen here and here.
In any event, I contacted a blockchain security firm to try to block the hacker from being able to trade the stolen crypto for cash via a centralised exchange.
They told me it would cost $2,000 for them to try and block the hacker’s wallet addresses.
Recovering stolen crypto is usually a long process that involves law enforcement action and the cooperation of crypto exchanges.
My family members decided it was better to absorb the loss.
They were not enthused at the prospect of spending more money in pursuit of the hacker when the chances of recovery were slim to none.
Better safeguards needed
I’ve had time to reflect on what happened, and there are lessons to be learned from my experience.
First, keep your computers that hold valuable crypto wallets away from little kids!
On a more serious note, crypto wallets need better safeguards.
If broad-based crypto adoption is the goal, then safely storing these digital assets needs to become simpler, especially for those who prefer self-custody.
Self-custody comes with the expectation that the user is responsible for keeping their assets safe.
But users need more help ― perhaps in the form of real-time alerts and two-factor authentication.
There are smart contract solutions like Safe’s multi-signature wallet where more than one signer is required to complete a transaction.
While multi-sig wallets help improve security, the individual signers must protect their keys ― again, with self-custody, the onus is on the user to ensure the security of the wallet.
Multi-sig to the rescue?
Assuming I’d set up a multi-sig arrangement with the compromised wallets, the hacker would have still been able to steal the funds. They would have used each compromised address to sign the transactions needed to move the funds.
That process would have been slower, but they’d have gotten away with my family money.
However, it’s poor practice to set up a multi-sig controlled by one entity.
Ideally, each signer would have been a different family member whose wallets were on separate devices.
And that’s what we’ve done.
Some may point to the mistake of keeping the funds in an online wallet that is prone to hacking. Or say the tokens should have been safely ensconced in an offline wallet, such as the type offered by hardware wallet makers.
That was the plan, albeit I’d been slow to make the move.
And now I’ve been hit with a $45,000 lesson for my lethargy.
Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.