Since December, a hacker has been targeting OG cryptocurrency users, draining their wallets and leaving experts baffled.

The crypto industry has its fair share of hackers. Image: Shutterstock

A $10 million hack targeting sophisticated encryption users has left top security experts baffled.

Taylor Monahan, former CEO and founder of Ethereum wallet management company MyCrypto, tweeted on Tuesday that more than 5,000 ETH has been stolen since December.

At today’s prices, that’s worth more than $10.4 million in cryptocurrency.

The worry? According to Monahan, it hits hardware wallets for users who prioritize security.

“I’ve been on a massive wallet draining operation over the past 48 hours,” wrote Monahan, who joined MetaMask last year after MyCrypto was acquired by the crypto wallet’s parent company ConsenSys. She tweeted that “people are more familiar with crypto than most and are ‘pretty safe’ from being hit by fund drains.”

In other words, these aren’t crypto newbies clicking on obvious phishing links that are being drained. The attack is far more sophisticated than that, and it’s the OGs who are being “rekt.” Monahan explained, “Nobody knows how to do it.”

The security team behind the popular crypto wallet MetaMask told reporters that an “unidentified vulnerability” hit crypto users, including but not limited to MetaMask users.

“The on-chain behavior strongly suggests a private key compromise. Current investigations indicate that this particular attack vector appears to point to these users’ secret recovery phrases being compromised somewhere, likely due to inadvertent insecure storage of said phrases,” they said.

Crypto users use private keys to access the funds they store in their wallets and authorize transactions, whether digital or physical.

Monahan also said the attack targeted funds in wallets created between 2014 and 2022. “My guess right now is that someone methodically drained this data by extracting keys from the treasury over a year ago,” Monahan wrote on Twitter.

She then stressed that this was just speculation and that no one had yet been able to "determine the source of their compromise."

Her best advice?

“Please don’t keep all your assets in one key or secret phase for years,” she said.

MetaMask’s security team added that to protect funds, users must not store their private keys anywhere online or on any “internet-enabled device.”

They added, “If your wallet is so old that you can’t remember if you’ve been 100% diligent in using its keys, then consider creating a new wallet.”