As Web3 adoption accelerates, ecosystems blossom, and more cryptoassets are exchanged, scams and hacks are growing in number accordingly. Whilst following the critical security rules for using MetaMask will keep your wallet safe, it is beneficial to understand the types of scams you may encounter. Knowing what to keep an eye out for will considerably improve your security on Web3.
To be clear, this article will focus on prevention rather than how to respond to being hacked or scammed. This is because the irreversibility of blockchain transactions means you will have almost zero chance of retrieving stolen funds. Instead, it is worthwhile to focus your efforts on building robust security habits and prevent getting to this point in the first place.
If you are concerned that you have been hacked, please see our guide.
To cut to the chase, here is the tl;dr, i.e. the crucial security implications of these scams:
- Never, ever share your secret recovery phrase.
- Remember that MetaMask will never contact you regarding customer support issues outside official channels.
- Consider getting a hardware wallet.
What is spoofing?
Spoofing involves hiding or disguising identity to enable malicious activity, literally spoofing the identity of the malicious party to make it believable and appear trustworthy.
Fraudsters often use this method in tandem with the closely related practice of phishing, through which they attempt to obtain personal information from you directly. Hand in hand, these two methods can easily deceive, and the sophistication of these hacks has grown in step with the popularity of crypto and digital assets, with ever more potential victims entering the Web3 space.
What could a spoofing attack look like?
A spoofing hack will target your secret recovery phrase (also known as a seed phrase), as this can be used to restore your wallet and will provide a hacker with access to your private keys and the wallet's contents. MetaMask is a non-custodial wallet, meaning you are responsible for keeping your secret recovery phrase secure.
In practice, a classic spoofing attack on your MetaMask wallet could go something like this:
- You ask MetaMask a support question in reply to a tweet. (n.b. this is inadvisable - always use our official channels, found here.)
- A malicious account (potentially a bot, or at least using a bot to scope you out) identifies you as a target due to your requirement for MetaMask support, and will reply to your tweet or send a DM. The account will be configured to resemble an official MetaMask support channel and could include our fox logo, a vaguely convincing Twitter handle and content and replies which read professionally. Another approach could be for the attacker to pose as a MetaMask support engineer, even including a headshot and name.
- Using their spoofed identity, the bad actor will rely on you believing that they are an official MetaMask support channel/engineer and talk you into handing over your secret recovery phrase/private key to resolve your problem. For example, if your issue was a slow or pending transaction, they may offer to look into the issue but request your secret recovery phrase to do so.
- With their hands on your secret recovery phrase, the bad actor can access your private keys and drain your wallet of funds to their chosen address.
This scenario is just an example, and similar events could play out across any social media platform, messaging service, forum, or otherwise on which you share information publicly.
How can I protect myself from spoofing attacks?
Whilst using MetaMask to engage with Web3 services such as DeFi can be rewarding and exciting, you need to maintain constant vigilance. Golden rules for preventing and identifying spoofing include:
- Remember MetaMask will never contact you outside of our support channels, accessed through our help center. Anyone asking you for contact information, your secret recovery phrase or details of your support issue outside of these channels is a potential scammer and should be ignored and/or reported.
- Be vigilant. If it looks like it might be a scam, it probably is. Always be observant and keep a lookout for suspicious, telltale signs. These could include:
- Requesting personal information, including anything from your name, the value of your wallet's holdings, or even your private key, which you should never, ever give to anyone.
- Unofficial-looking Twitter handles using underscores, doubled-up letters, and numbers to mimic official accounts (i.e. @MetaMask).
- Requests to reach out for support, get in touch, or send a DM.
- Unprofessional language.
Most importantly, KEEP YOUR SECRET RECOVERY PHRASE SECURE, and do not hand it out regardless of how convincing the person/entity may be.
What is sweeping?
Sweeping (also known as scavenging) involves malicious parties assigning a script to your wallet which monitors transactions broadcast to the network, as well as the mempool or txpool (transaction pool) where pending transactions are temporarily stored. Once these sweeper scripts identify an incoming or outgoing transaction from the targeted wallet, they intervene to sign a new transaction before the original is complete. The funds can then be intercepted and transferred instead to a wallet written into the script by its owner.
Your wallet can only be affected by a sweeper script if you share your secret recovery phrase with a bad actor.
They are particularly troublesome for two reasons:
- The code can react far quicker than a human ever can. Racing to move your funds through your wallet faster than the script will always result in you coming out second best.
- It is subtle. It is not immediately apparent to the user that they've been hacked, as the script works out of sight. If you perform a significant transaction and you or the recipient do not receive the funds, you may at first assume the transaction is stuck or pending, or that MetaMask has misfunctioned.
How might this play out in practice?
The first and crucial step for a scammer is to obtain your secret recovery phrase. To do so, they may deploy a phishing attack, which could use the spoofing method outlined above. They may pose as a friendly helpdesk engineer offering to help you resolve your issue or attempt to disguise themselves as an official MetaMask support account. Another potential avenue is to set up a seemingly trustworthy Dapp--or mimic an established one--and require the user to input their private key or secret recovery phrase to use it.
If they are successful, they will be able to access your wallet, obtain your private key, and write it into the sweeper script. Possession of your private key allows the script to sign transactions without your knowledge, allowing it total and unrestrained control over wallet activity. The script will then proceed to monitor transactions coming to and from your account and sweep out any tokens you transfer in before you could possibly react.
Sweeper scripts are a nuisance to dispose of once they have infiltrated your wallet, and require you to employ very complex methods or even recruit whitehat hackers. For example, there are highly specific approaches you can take if you are attempting to get NFTs out of a compromised wallet.
How can I stay safe?
Keeping your secret recovery phrase secure is the best and most dependable way to avoid falling victim to sweeper scripts. Without it, malicious actors cannot access your private key and sign transactions that steal your funds.
Another option--the relevance of which scales with how much you value your crypto holdings--is to consider buying a hardware wallet. Popular options include Ledger and Trezor. Hardware wallets are termed "cold" wallets as they store your private keys completely offline, a considerable obstacle to hackers.
As with most things Web3, you should also stay sceptical. That is to say, whenever you interact with Dapps, do not assume they are reputable and trustworthy. Always do your research and make sure you are comfortable with the risks.
What is clipboard hacking?
The good news is that clipboard hacking does not mean you now need to be suspicious of people bearing clipboards. The bad news is that it is a genuine and insidious method for stealing your crypto.
As they are hexadecimal (base16) and are many characters long, crypto wallet addresses do not lend themselves to being memorised or typed in manually, just as you would type in an email or username.
Enter copy and paste, the unsung hero of crypto transactions. Many wallets and exchanges, including MetaMask, include built-in 'copy' or 'copy to clipboard' shortcuts that allow you to copy your wallet address with a single click. These features smooth the process of pasting into a third-party site to which you may be transferring tokens, for example.
Clipboard hacking exploits the copy and paste function to rob you. Rather than relying on users' inexperience or exploiting their trust, malicious actors will create and disseminate malware.
Once this malware has infected your computer, most likely hidden within a seemingly innocuous download, it will automatically intercept your clipboard, scan for crypto addresses, and, if it identifies one, replace it with their own. So by the time you hit paste, your address has been replaced, and you will be about to send your transaction to the hacker(s).
Naturally, as blockchain transactions are irreversible, there is no way to retrieve your funds once they are sent.
How can I protect myself?
A logical first port of call is to ensure you have robust anti-malware software installed, and keep it updated. Your software should identify most potential clipboard hacking malware programs, notify you, and quarantine them before they can affect your crypto activity.
However, since there is a possibility that your anti-malware software may not detect the program, the only way to be safe is to double- and triple-check addresses before you confirm any transaction. Some hardware wallets may prompt you to do this anyway, but as transactions are irreversible, it is a worthwhile habit to adopt.
In the physical world, we were taught at a young age to adopt habits that mitigate the potential for becoming a victim of crime: we learn which areas of town to stay away from; to shield our PIN when making card transactions; to check our doors are locked and turn on the house alarm when we leave. These acts are so familiar to us that they become second nature and we think nothing of them.
Similarly, we need to adopt Web3 security best practices and internalise them. Across all these scam types, two things are consistent. If you only remember one small section of this article, let it be these two aspects:
- Never, ever give your secret recovery phrase to anyone. The secret recovery phrase is used to access your private key locally, meaning anyone who possesses it has full and unrestrained access to the contents of your wallet.
- Remember that MetaMask will never reach out to you other than through our official support channels and will never ask for your secret recovery phrase, even in customer support interactions.