Hackers are remotely stealing cryptocurrencies using bots on Github.
Cryptocurrencies have long been touted as a secure alternative to conventional money in the sense that their transactions can be untraceable or anonymous to a certain extent. However, they also have a dark side of being digital by nature which makes them more prone to hacking.
This is why we’ve seen numerous cases emerge over the past year where not only various cryptocurrency exchanges have been hacked losing millions of dollars but also individual wallet accounts.
A case of the latter has emerged a few days ago when a Reddit user who goes with the name of Ty Cooper lost $1200 of Ethereum coins in a mere 100 seconds.
The tale told by the Redditor himself goes along the line of how he left his MetaMask wallet’s mnemonic – 12-word wallet recovery phrase – exposed mistakenly in a public Github repository when sending money to a hackathon named Hack Money – ironically.
The hackers meanwhile were scanning Github using a bot and stumbled across the mnemonic phrase. Using that phrase, they gained access to his wallet and stole the coins.
Narrating the panic that ensued, he wrote,
I get email notifications from etherscan when funds are moved. I wish I would’ve known what was going on, because I would’ve moved funds faster. Literally right after I pushed it public on github, I started to see my funds being drained faster than XRP transaction.
Yet, $600 still remains locked in the wallet in a “Compound DeFi protocol” but it too has become irretrievable, at least for the time being. The reason is that whenever you want to transfer any token that runs on the Ethereum (ETH) protocol, you need something known as gas akin to the fuel we need to run cars.
However, this gas is paid to the ETH network and so with a limited amount of computational power to complete transactions, users of the network bid against each other in terms of the gas they can pay. The higher ones win and get their transactions completed. In this case, the hackers are exploiting this by outbidding the Redditor every time.
To conclude, it is important to consider the notion though that this is not a crypto-specific issue only. If one reveals plain text credentials of other accounts in a public repository, chances are that a bot may catch up on those as well. Hence, users also need to be more careful generally in terms of their security practices.
As for the recommendations, specific to this case, it would be best to keep all copies of your mnemonics and even private keys strictly offline, even non-digitally if possible.
Secondly, try to store a maximum amount of your funds either in a hardware wallet like Trezor/Ledger or a cold wallet with absolutely no access to the internet. Such precautions may seem inconvenient but are always worth it when it helps you save your hard-earned cash.