A fool and his money are soon parted. When it comes to dealing with cryptocurrency, it’s important to know exactly what you’re doing. However, not only new crypto users fall victim to lurking predators, even a crypto OG will slip up once in awhile.
Here’s a story about a reddit user – tycooperaow – losing over $1,200 in a matter of seconds.
It all started with a mnemonic passphrase that was accidentally left on a github repository. The reddit user forgot to take out the secret passphrase out of his code, which effectively gives control to all the coins in the wallet it unlocks. Unfortunately for tycooperaow, the hackers were able to scan the mnemonic using their bot which searched every recent public github for a potential crypto mnemonic.
Once the bot confirms a match, it will automatically siphon off all funds to the hackers’ addresses.
Looking at the compromised address‘s transaction history, we can see the rogue transaction sending out 0.038ETH. That is roughly $1,000 at the time of writing.
The caveat here, is that the bot only scans for ether, it doesn’t scan for all tokens attached to the address. The user in question still has roughly $600 in DeFi tokens locked up in the address. However, the user can’t create a transaction to send those tokens to an alternate address because any gas sent gets siphoned off by the bot.
If you have any idea how the reddit user can get those tokens out, please help him out by posting in his stackexchange question.
The best lesson we can learn from the this unfortunate event is to never leave your mnemonic in your code, especially one you might publicly submit to github. A better solution would have been to use environment variables and define them outside the code.