I have been storing some crypto in a Metamask wallet since early 2021. Last week, I opened my wallet and saw it empty. At first I thought it was an error, but after reviewing the transactions, I realized my wallet had been drained. About 5.6 WBTC (equivalent to 5.6 BTC) was sent out to some unknown address without my knowledge on June 15, 2022.
Here's the history of my Metamask wallet: I installed the wallet on a desktop in early 2021 and transferred some funds into it. Shortly after, I installed the Metamask wallet on my laptop using the same seed. So, I have the same wallet on two PCs mirroring each other. A few months ago (around April) I installed the wallet on my iPhone with the same seed, so basically all three devices had the same wallet. Up to that point I had about 126K USD Coin in the wallet. On June 14 I swapped all the USDC for WBTC, which amounted to about 5.6 WBTC. All transactions were done through the iPhone. A few days later I opened the wallet on my iPhone and was shocked to see that the wallet was empty. Some transactions were made on June 15, sending all the WBTC and ETH out without my knowledge.
Needless to say, it was a trauma for me. I was scrambling to find out how it happened. Did I download a rogue version of Metamask, or was one of my devices compromised? For the PC, I downloaded it from metamask.io. For the iPhone, I used the Apple store. Here are a few things that may give clues to how the attack came through:
1) The funds have been in my wallet for months, so if the attackers wanted to take them they could have done so earlier. It must be something I have done lately. On June 13 I downloaded some software and installed it on my desktop. The software was not related to crypto. At the same time, my Norton Security subscription had just expired and I didn't renew it right away. So there was a lapse of security on my desktop around the time of the attack. The desktop is used on a daily basis and it is on most of the time during my work hours.
2) All the latest transactions were done through the iPhone, so I wonder if the attack could be on my iPhone? One thing I notice is that while all the latest activities are shown on my iPhone Metamask wallet, they are not shown on my desktop or laptop wallet. All the transactions I made on June 14 (to swap USDC to WBTC), and the unauthorized transaction sending the WBTC out, are shown on the iPhone, but not on the desktop or laptop. It looks like someone has erased the transactions to hide them from me, though I can view them on Etherscan.
3) I did not turn on the laptop in the week leading up to June 15, the date of the unauthorized transaction. I actually barely used my laptop to access Metamask.
Here's my wallet activity on Etherscan:
https://etherscan.io/address/0xbf0a095f3479847c8bf677e33046a5e7b5dcce94
I learned that I can store my BTC in a Trezor hardware wallet and trade through Metamask, instead of storing the coin in Metamask itself. I wish I had known that sooner. I take my consolation in the fact that this is not all the BTC I have. I still have some BTC stored in a Trezor wallet. If anyone is storing their coins in Metamask, I urge you to use Trezor instead. Use Metamask to trade only, not to store the key.