A sophisticated and deeply concerning wallet-draining operation has quietly siphoned more than 5,000 ETH — worth approximately $10.5 million at current prices — from cryptocurrency veterans since December 2022. The attack, first publicly detailed by MetaMask security researcher Taylor Monahan on April 18, 2023, deliberately targets experienced crypto users who consider themselves reasonably secure, making it one of the most puzzling exploits in recent memory.
The Exploit Mechanics
What makes this attack particularly alarming is its stealth and selectivity. According to Monahan, who operates under the handle Tay on social media, the hacker does not rely on conventional phishing websites or obvious scam techniques. Instead, the operation appears to leverage a yet-unidentified data cache — potentially harvested over a year ago — that contains sensitive wallet information from long-time crypto users.
The attacker targets wallets whose keys were created between 2014 and 2022, suggesting the compromised data spans nearly the entire history of mainstream Ethereum usage. Once access is obtained, the thief methodically drains ETH and other tokens across 11 different blockchains. In a particularly brazen secondary step, the hacker returns hours after the initial theft to collect leftover assets and dust that were missed during the first pass.
Large-scale thefts follow a clear laundering pattern: assets are first converted into ETH within the victim’s own wallet, then swapped into Bitcoin through a centralized exchange. Approximately one week later, the Bitcoin proceeds are washed through a cryptocurrency mixer, making the funds extremely difficult to trace on-chain.
Affected Systems
While the exploit was initially associated with MetaMask wallets, the wallet provider has firmly denied that a vulnerability in its software is responsible. MetaMask stated that the 5,000 ETH was stolen from various addresses across 11 blockchains, arguing that characterizing this as a MetaMask-specific issue is inaccurate. The company emphasized that the root cause remains unknown and that the attack affects users across multiple wallet types and chains.
At the time of reporting, Bitcoin trades around $30,400 and Ether hovers near $2,105, so the 5,000 ETH taken by this ongoing campaign represents a significant sum. The broad multi-chain nature of the attack suggests the vulnerability — or the data breach enabling it — is not confined to any single platform or wallet provider.
The Mitigation Strategy
Monahan has urged all MetaMask users, and crypto holders in general, to immediately split their assets across multiple keys and wallets. Relying on a single private key for all holdings dramatically increases the potential damage from any single point of failure. Creating fresh wallet addresses for new transactions and transferring funds out of older wallets — especially those created before 2023 — is strongly recommended.
Users should also review their operational security practices: check for compromised devices, audit browser extensions, and ensure seed phrases are stored offline in secure locations. Hardware wallets remain the gold standard for storing significant crypto holdings, as they keep private keys disconnected from internet-facing devices.
Lessons Learned
This incident underscores a critical reality in the cryptocurrency space: even experienced, security-conscious users are not immune to sophisticated attacks. The fact that the attacker specifically targets OG users — people who have been in the space for years and likely practice good security hygiene — suggests a level of sophistication that goes well beyond typical phishing campaigns.
The exploit also highlights the importance of data hygiene over time. If the attacker is indeed working from a cached data trove, it means that a breach that occurred months or even years ago can continue to produce victims today. Regular key rotation and fund migration should be viewed as essential maintenance, not optional precautions.
User Action Required
If you have been using a wallet created before 2023, especially one associated with a seed phrase stored digitally or a device that may have been compromised, take immediate action. Move your funds to a newly generated wallet, preferably secured by a hardware wallet. Enable all available security features, including multi-factor authentication on any linked exchange accounts. Monitor your wallet addresses for unauthorized transactions, and report any suspicious activity to relevant security researchers and platforms. The threat is ongoing, and the attacker shows no signs of stopping.
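The monitoring step above is easy to describe and easy to do badly: watching only an Ethereum mainnet address misses drains on the other ten chains, and a single alert per address misses the attacker's second pass for leftover dust. The script below is an added example written for this article, not code from the article, from MetaMask or from the researcher it cites. It assumes you already have a feed of transfers for your addresses (for instance exported from a block explorer or indexed from your own node) and normalizes them into one record type; every address, transaction hash and chain label in it is constructed for illustration. It flags any outbound transfer from a watched address to a destination you did not allowlist, on any chain, and separately flags a watched address and chain drained twice within 24 hours, which is the pattern of the return visit the article describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transfer:
    """One normalized transfer from whatever feed you index (explorer export,
    node logs, etc.). Field values in the sample data below are constructed."""
    chain: str           # chain label as used by your feed (assumed names)
    tx_hash: str         # constructed placeholder, not a real transaction
    timestamp: datetime
    sender: str
    recipient: str
    asset: str
    amount: float


# Constructed addresses; none of these are real wallets from the article.
ADDR_A = "0xAAAA000000000000000000000000000000000001"   # old wallet, watched
ADDR_B = "0xAAAA000000000000000000000000000000000002"   # old wallet, watched
FRESH_HW_WALLET = "0xBBBB000000000000000000000000000000000009"   # owner's new wallet
UNKNOWN_DST = "0xCCCC000000000000000000000000000000000003"       # not allowlisted
THIRD_PARTY = "0xDDDD000000000000000000000000000000000004"       # some counterparty

WATCHED = {ADDR_A, ADDR_B}
# Destinations the owner deliberately moves funds to (the migration the article
# recommends). Anything else receiving funds from a watched address is suspect.
ALLOWLIST = {FRESH_HW_WALLET}


def find_unauthorized_outflows(transfers: List[Transfer]) -> List[Transfer]:
    """Outbound transfers from a watched address to a non-allowlisted recipient,
    on any chain, ordered by time. Inbound transfers are ignored."""
    return sorted(
        (t for t in transfers
         if t.sender in WATCHED and t.recipient not in ALLOWLIST),
        key=lambda t: t.timestamp,
    )


def find_return_sweeps(outflows: List[Transfer],
                       window: timedelta = timedelta(hours=24)
                       ) -> List[Tuple[Tuple[str, str], str, str]]:
    """Pairs of consecutive unauthorized outflows from the same (sender, chain)
    within `window`: a first drain followed by a later pass for leftovers."""
    by_key: Dict[Tuple[str, str], List[Transfer]] = {}
    for t in outflows:                      # outflows are already time-ordered
        by_key.setdefault((t.sender, t.chain), []).append(t)
    sweeps = []
    for key, events in by_key.items():
        for earlier, later in zip(events, events[1:]):
            if later.timestamp - earlier.timestamp <= window:
                sweeps.append((key, earlier.tx_hash, later.tx_hash))
    return sweeps


def chains_with_outflows(outflows: List[Transfer]) -> List[str]:
    """Which chains saw unauthorized outflows; useful to confirm that
    monitoring covers more than mainnet."""
    return sorted({t.chain for t in outflows})


# Constructed sample feed: one address drained on two chains, with a dust
# pass on ethereum 7.5 hours after the first drain; the other address only
# performs the owner's own migration and receives an inbound payment.
SAMPLE = [
    Transfer("ethereum", "0xtx1", datetime(2023, 4, 1, 2, 0), ADDR_A, UNKNOWN_DST, "ETH", 40.0),
    Transfer("avalanche", "0xtx3", datetime(2023, 4, 1, 2, 5), ADDR_A, UNKNOWN_DST, "AVAX", 500.0),
    Transfer("ethereum", "0xtx2", datetime(2023, 4, 1, 9, 30), ADDR_A, UNKNOWN_DST, "ETH", 0.03),
    Transfer("ethereum", "0xtx4", datetime(2023, 4, 2, 12, 0), ADDR_B, FRESH_HW_WALLET, "ETH", 10.0),
    Transfer("ethereum", "0xtx5", datetime(2023, 4, 2, 13, 0), THIRD_PARTY, ADDR_B, "ETH", 1.0),
]


if __name__ == "__main__":
    outflows = find_unauthorized_outflows(SAMPLE)
    for t in outflows:
        print(f"ALERT {t.chain:<10} {t.timestamp:%Y-%m-%d %H:%M} "
              f"{t.sender[:10]}.. -> {t.recipient[:10]}.. {t.amount} {t.asset}")
    for (sender, chain), first, second in find_return_sweeps(outflows):
        print(f"RETURN SWEEP on {chain}: {sender[:10]}.. drained in {first} then {second}")
    print("chains affected:", chains_with_outflows(outflows))
```

On the sample feed this reports three alerts (the two mainnet drains and the Avalanche drain), one return sweep on ethereum, and confirms the activity spans both chains, while the owner's own migration to the allowlisted hardware wallet and the inbound payment produce nothing. In practice the feed should be refreshed on a schedule for every chain on which the watched addresses ever held assets, since the absence of a mainnet alert says nothing about the other chains.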
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding your specific situation.
targeting wallets from 2014 specifically… that suggests they got hold of some old backup database. scary stuff
the fact that it hit veterans specifically is what bothers me. these weren’t noobs clicking fake links
veterans being targeted means the attacker had specific wallet lists. this wasn't random phishing, it was a curated hit
5,000 ETH across 11 chains and nobody noticed for months. The cross-chain angle is what makes this so hard to track.
11 chains is the scary part. even if you monitor your ETH mainnet wallet, your funds on avalanche or fantom could be draining and you'd never check
wallets created between 2014 and 2022 suggests a compromised backup or key derivation vulnerability. metamask tay has been tight-lipped about the actual vector which is concerning
key derivation vulnerability makes the most sense. if they cracked a deterministic wallet seed from an old database, 11 chains would be trivial to sweep