The ShapeShift security team has conducted some initial analysis on the recent run of wallet-draining attacks reported by some of our users on Discord, and they appear to be caused by “credential stuffing.”
When users choose to use the same password for multiple sites, all their accounts are only as secure as the weakest link. When a hacker is able to breach a password from one site, they will try that password on many others just to see if they can get access to anything interesting. Unfortunately, crypto wallets are very interesting.
The pattern we’ve observed in this string of incidents suggests that the attacker has guessed users’ passwords and logged in to retrieve the 12-word mnemonic seed phrase (the master keys that let them move your funds). In fact, they’ve probably had these master keys for a while, and have just been sitting around waiting for the addresses to receive funds. As soon as the balance is high enough to bother stealing, the attacker can drain the account.
FOX is only one of the assets being targeted, but it’s affecting a lot of our users simply because the airdrop is giving out fresh infusions of FOX in amounts that are worth stealing. This type of attack also does not affect users who follow security best practices, such as using hardware wallets, strong passwords that haven’t been reused elsewhere, or two-factor authentication (2FA).
ShapeShift is non-custodial, meaning we can’t cut you off from your funds, but that means that you have to take proactive actions to protect yourself from these types of attacks. We do all we can to mitigate automated attacks, but the long and short of it is that all we can do is provide the tools and advice to make security easier.
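As an added illustration (not ShapeShift's own code), the following is a defender-side heuristic for spotting the pattern described above in authentication logs: one source address trying many distinct accounts with mostly failures, where the few successes mark the accounts whose owners must move their funds. The log format, timestamps and IP addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real ShapeShift data), one attempt per line.
SAMPLE_LOG = """\
2021-07-15T10:00:01Z ip=203.0.113.7 user=alice result=fail
2021-07-15T10:00:02Z ip=203.0.113.7 user=bob result=fail
2021-07-15T10:00:02Z ip=203.0.113.7 user=carol result=success
2021-07-15T10:00:03Z ip=203.0.113.7 user=dave result=fail
2021-07-15T10:00:03Z ip=203.0.113.7 user=erin result=fail
2021-07-15T10:00:04Z ip=203.0.113.7 user=frank result=success
2021-07-15T10:00:05Z ip=203.0.113.7 user=grace result=fail
2021-07-15T10:05:00Z ip=198.51.100.4 user=heidi result=fail
2021-07-15T10:05:10Z ip=198.51.100.4 user=heidi result=success
2021-07-15T10:06:00Z ip=192.0.2.9 user=ivan result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$")

def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "success"

def find_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Return {ip: sorted accounts that logged in successfully from that ip}
    for sources that tried many distinct accounts and mostly failed.
    A legitimate user retrying a single account (198.51.100.4) is not flagged."""
    attempts, successes, accounts = defaultdict(int), defaultdict(set), defaultdict(set)
    for _ts, ip, user, ok in events:
        attempts[ip] += 1
        accounts[ip].add(user)
        if ok:
            successes[ip].add(user)
    flagged = {}
    for ip, users in accounts.items():
        success_rate = len(successes[ip]) / attempts[ip]
        if len(users) >= min_accounts and success_rate <= max_success_rate:
            flagged[ip] = sorted(successes[ip])
    return flagged

def accounts_to_notify(text):
    """Accounts whose password was validated by a stuffing source: as the post
    explains, these users need to move funds to a fresh wallet, not just a new password."""
    flagged = find_credential_stuffing(parse_log(text))
    return sorted({u for users in flagged.values() for u in users})
```

The thresholds are tunable: lowering `min_accounts` catches slower attackers at the cost of more false positives from shared NAT addresses.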
Bad things will happen if you use weak passwords or re-use them across websites; this is just one more example. We strongly recommend that you use a password manager to generate and store your passwords—in fact, we require it of our employees. Internally, we use 1Password, but using any password manager is incalculably better than not using one.
We also recommend that you enable 2FA (from day one!) on every site that provides it. This provides an extra line of defense against credential-stuffing attacks, and users who had it enabled were not vulnerable to this one.
Finally, consider using a hardware wallet (for example, a KeepKey, Ledger, or Trezor). Keeping your keys on hardware keeps you safe from attacks like these, as well as many, many others.
If you’ve been compromised in this attack, the hacker has definitely stolen your mnemonic phrase and you need to move all the funds in the affected wallet to a new one immediately. It doesn’t matter if it’s FOX or ETH or BTC; all funds stored in a compromised wallet are at risk.
The attacker probably also knows the password to your wallet (i.e., ShapeShift account), so if you’ve ever used the same password for anything else, you should change it there. (Using a password manager makes this much easier.)
It’s important to note that you can’t change your ShapeShift account’s password. We’ve intentionally designed our system this way because changing your password might give the false impression that doing so prevents an attacker from accessing your funds. The reality is that if an attacker has a wallet’s mnemonic phrase—which they could have gotten before the password was changed, and which does not change when you change a wallet’s password—the only effective remedy is to actually move your funds to another wallet. Once you’ve sent your funds from the old wallet to the new one, the attacker will have nothing left to steal, and your funds will be safe.
This could be any wallet, but if you’re using ShapeShift’s native wallet or mobile app, you can do this by creating a new ShapeShift account. Our support team can help you through this process if you’d like. Be sure to use a fresh password (generated by, and stored in, a password manager), and enable 2FA immediately. As always, be sure that you write down the 12-word seed phrase and store it somewhere safe.