A cryptocurrency investor fell for a phishing scam and handed an attacker access to his MetaMask wallet, which held $220,000 ($1.2 million) in cryptocurrencies accumulated over six years. However, thanks to the quick action of a white hat hacker, one of the so-called 'good hackers', the trader managed to recover half of his funds, around US$ 117,000.

It all started on Monday (12), when the user “007happyguy” wrote on Reddit that he had been tricked by someone posing as Synthetix (SNX) technical support on Discord. “I received a link to a website that would validate my extension in MetaMask. The website looked real enough. I clicked on it and typed in my passphrase. Due to sleep deprivation, I wasn't paying attention when I made a fatal mistake,” he lamented.

After realizing he had fallen for the scam, the user found he could not move the funds: the scammer had planted an automated script in the wallet that, on every attempt to move the coins, transferred them to a different address.

Despite the thousands of criticisms the user received for keeping such a large amount of cryptocurrency in a browser wallet (considered less secure than an offline cold wallet), he was advised to seek help from good hackers, and quickly; the developer Alex Manuskin arrived to save the day.
How the attack was prevented
Manuskin detailed in a blog post on Friday (16) how he raced against time to save the funds remaining in the wallet. The first step was to prevent the attacker from sending Ethereum (ETH) to the address. MetaMask supports many different assets, but the mandatory gas fees for moving funds are paid in ether. “Reading the blockchain, it looked like the scammers and the victim were exchanging blows. The attackers sent part of the ETH back to the account, intending to start withdrawing funds. Happyguy was doing his best to try to remove the ETH, but was always one step behind,” wrote the developer.

Once he had access to the address, Manuskin installed a “burner” script that automatically burned all ether received by the wallet, denying the attacker the ether needed to pay gas.

The second step was to transfer the remaining cryptocurrencies to a secure address. For this, the good hacker used Flashbots, a service through which a developer sends a bundle of transactions to a miner to be inserted directly into a block. The transactions therefore skip the normal flow of being broadcast to the public network and waiting for a random miner to include them in the next block. The key point of using Flashbots is that it allows the gas fees to be paid by an address other than the one from which the transactions originate. This made it impossible for the attacker to act while the funds were sent to a new, secure wallet.

After eight straight hours of the good hacker's work, the user said he had been able to save $117,000 of his funds. “Alex saved a big chunk and I'll be fine; he's a gentleman and a true legend. Losing that amount of coins to a scam is painful, but Mr. Scammer, I've already reported you, and even if I can't catch you right away, one day you will be found.”
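As an added illustration (a constructed toy model, not the article's or Manuskin's code), the following Python simulates the race the article describes: a sweeper script that front-runs every transaction in the public mempool, versus a privately submitted atomic bundle whose gas is paid by a separate sponsor account. The account names, balances and the flat fee are all assumptions.

```python
GAS = 1.0  # constructed: flat fee per transaction, always paid in ETH

class Chain:
    def __init__(self, balances):
        self.acct = {n: {"eth": e, "tok": t} for n, (e, t) in balances.items()}

    def tx(self, src, dst, eth=0.0, tok=0.0, gas_payer=None):
        """One transfer; fee from gas_payer if given, else from src. False = reverted (fee consumed)."""
        payer = self.acct[gas_payer or src]
        if payer["eth"] < GAS:
            return False
        payer["eth"] -= GAS
        s, d = self.acct[src], self.acct[dst]
        if s["eth"] < eth or s["tok"] < tok:
            return False
        s["eth"] -= eth; d["eth"] += eth
        s["tok"] -= tok; d["tok"] += tok
        return True

    def sweep(self):
        """Attacker's automated script: any ETH landing in the compromised account is moved out at once."""
        v = self.acct["compromised"]
        if v["eth"] > GAS:
            self.tx("compromised", "attacker", eth=v["eth"] - GAS)

    def mine_public(self, txs):
        """Public mempool: the bot sees each pending tx and gets its sweep included ahead of it."""
        out = []
        for t in txs:
            self.sweep()
            out.append(self.tx(**t))
        return out

    def mine_bundle(self, txs):
        """Flashbots-style bundle: sent privately to the miner and executed back-to-back, no sweep in between."""
        return [self.tx(**t) for t in txs]

START = {"compromised": (0.0, 100.0), "attacker": (0.0, 0.0),
         "rescuer": (5.0, 0.0), "safe": (0.0, 0.0)}

def rescue_via_public_mempool():
    """Fund gas first, then move tokens: the sweeper drains the gas in between, so the token tx fails."""
    c = Chain(START)
    c.mine_public([{"src": "rescuer", "dst": "compromised", "eth": 2.0},
                   {"src": "compromised", "dst": "safe", "tok": 100.0}])
    return c

def rescue_via_bundle():
    """Sponsor pays gas inside the bundle; the compromised account never holds ETH to be swept."""
    c = Chain(START)
    c.mine_bundle([{"src": "compromised", "dst": "safe", "tok": 100.0, "gas_payer": "rescuer"}])
    return c
```

The burner script from the first step is not modelled; it would simply zero the compromised account's ETH on arrival so that the attacker's own gas top-ups fail the same way.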