White hat hacker saves $117,000 in crypto from MetaMask phishing attack

On July 12, a distraught crypto holder posted to Reddit that not only had they kept an especially large amount of money in their MetaMask wallet — some $240,000 — but that they had been phished and given access to a scammer, who was draining their funds. The Redditor invited other users of the popular forum to join them in watching their account get emptied.

The post received arguably justified criticisms of keeping so much money in an in-browser wallet (typically more risky than a hardware wallet kept offline) along with users shaking their heads over the idea of giving out access to these funds to an unusually helpful, supposed technical support assistant. 

But among these responses were some users suggesting a solution, a way that might just stop the bleeding.

It turned out this method would end up saving about half the funds, or some $117,000, and take them out of the reach of the scammer. Here’s how it happened.

Reaching out for help

The crypto holder, known as “007happyguy” on Reddit, was directed to a Whitehat hotline form with their details.

On the other end of the form are a few white hat hackers that say they “are happy to help out distressed individuals.” It’s an ad hoc service, where developers may choose to respond to requests if they’re available.

In this case, Alex Manuskin answered the request, he told The Block. He’s a former blockchain researcher at ZenGo who now does freelance blockchain development work. It was evening his time when he read the message and realised it was urgent because the wallet was still in the process of being drained — plus the amounts were significant.

The first thing Manuskin did was verify that the Redditor owned the wallet in question and wasn’t trying to get access to someone else’s funds. 

At this point he has to get access to the wallet by asking for the private keys. It’s ironic because it’s the one thing any security expert will tell you not to do — but in this case, it’s more of a last resort.

Then he made sure that the scammer couldn’t send any more money out of the wallet. To make Ethereum transactions — even for tokens — you need to have some ETH to spend on transaction fees. So, he made sure that any ETH sent into the wallet was automatically sent out of it.

Using flashbots to rescue the funds

With the threat of further funds being taken diminished, the next goal was to save the remaining funds.

To do this, Manuskin used Flashbots, a service that enables communication between developers and miners. In short, a developer can use Flashbots to send a “parcel” of transactions to a miner to be directly included in a block, rather than broadcasting the transactions to the network and hoping they get picked up.

There are two reasons why this is effective. The main reason in this case is that, without any ETH in the wallet, any transactions made with zero transaction fees wouldn’t get picked up by any miners. What happens with Flashbots is that a complex transaction is made that moves the funds to an alternative wallet and pays the miner using other funds in one go. 

The second reason is that it’s more stealthy. If any transactions are broadcast to the public network, that gives the scammer a chance to frontrun them. (Although in this case there would still need to be some ETH to pay for transaction fees).

Manuskin explained it took around 5-6 hours to write the custom scripts and execute the transactions. He said the timings vary depending on the complexity of the transactions — say if they’re locked in complex protocols — and whether he’s experienced a similar case before.

According to the Reddit post, Manuskin managed to save around $117,000 of the $120,000 in tokens that were left in the wallet after the scammer began draining it. 

Typically, white hat hackers charge about 5-10% of the recovered funds as payment for saving them, depending on the complexity of the work required.

Manuskin said that this specific case was interesting because it was a live battle between him and the scammer. Often the funds can only be recovered because they will get unlocked at a certain date in the future but in this case, they were still at risk of being taken. 

He said it was a bit more stressful as the scammer was still trying to send ETH to the wallet to try to get the tokens out, adding, “It wasn’t a chilled afternoon.”