- Nexus Mutual founder Hugh Karp has seen over $8 million in NXM tokens stolen from his hardware wallet
- The hacker was able to install a compromised version of MetaMask onto Karp’s computer
- The hacker completed KYC on the platform but it seems that he may have used fake documents
The personal wallet of Nexus Mutual founder Hugh Karp was hacked yesterday, with over $8 million worth of tokens stolen through his hardware wallet. Karp, who founded DeFi platform Nexus Mutual in 2017, fell victim to a hacker who managed to install a compromised version of the popular MetaMask wallet onto his computer and generate a transaction sending 370,000 NXM tokens to their own wallet. Karp has since congratulated the hacker and offered them a $300,000 reward in return for the tokens, which he says will be hard to liquidate.
At 9:40am this morning @HughKarp’s personal address was attacked and drained by a member of the mutual. Only Hugh’s address was affected in this targeted attack and there is no subsequent risk to Nexus Mutual or any members. https://t.co/72nrIDpKW6
— Nexus Mutual 🐢 (@NexusMutual) December 14, 2020
Nexus Mutual Reveals Remote MetaMask Breach
Nexus Mutual tweeted about the hack early yesterday, revealing that Karp’s personal wallet had been compromised but reassuring all users of the platform that their funds were in no way at risk. They then revealed the method used to target Karp’s wallet, which involved the hacker gaining access to his computer and replacing the MetaMask extension with a rogue one.
The hacker then created a transaction transferring all of Karp’s NXM tokens but tricked him into signing a different transaction, allowing the fraudulent transfer to go through. Given that the hacker was a member of Nexus Mutual, they would have had to go through KYC regulations, which Nexus Mutual confirmed they had done, although they then “switched membership to a new address” a few days after this.
KYC Standards Under the Microscope Again
The company added that, despite the individual completing KYC, their “investigation is ongoing to identify the attacker”, suggesting that all might not be as it seems. Given how easy it was for one blockchain security expert to fool Huobi and KuCoin into allowing him to upgrade his trading tiers last week, this would not be a huge surprise.
The Nexus Mutual hacker has already cashed out some of the stolen NXM tokens. Karp has since offered $300,000 and a cessation of the investigation in return for the tokens. If past experience is anything to go by, however, the chances of this happening are slim to none.
To the attacker. Very nice trick, definitely next level stuff.
You’ll have trouble cashing out that much NXM.
If you return the NXM in full, we will drop all investigations and I will grant you a $300k bounty.
— Hugh Karp 🐢 (@HughKarp) December 14, 2020