jtgi
@jtgi
Just had my first wallet drained, lost 20k after making old GitHub code public. Made some mistakes:
- The project had an old commit with a private key for a wallet I was using on Rinkeby.
- I unknowingly reused this account in @metamask 1mo ago to trade clankers on Base.
Funds were drained within 10m of making it public.
12 replies
8 recasts
68 reactions
jtgi
@jtgi
Couple things of note:
- I checked the repo before making it public; the private key was in an old commit.
- That commit was from 3y ago (on Rinkeby, no less). When I created a new account in @metamask, it looked brand new because a) I switched computers and MetaMask doesn't preserve accounts, b) it had no activity on Base/mainnet, just deprecated Rinkeby.
Something to be careful of for devs, please reshare!
1 reply
4 recasts
26 reactions
jtgi
@jtgi
Impressive speed – transfers started as quickly as 10m after making the repository public. That means they're ingesting public repositories from GitHub, scanning all old commits for keys, then testing balances across all networks.
3 replies
1 recast
14 reactions
Colin
@colin
At Google I worked with GitHub to scan all public repositories for leaked GCP API keys. We immediately revoked access whenever one was detected in this live feed. We were acutely aware that abusers were doing exactly what you're describing -- near-realtime ingestion of all public repositories, grokking all commits, and testing keys for validity
1 reply
0 recast
3 reactions
jtgi
@jtgi
Makes a lot of sense. The payoff can be huge and the hit rate must be high.
0 reply
0 recast
0 reaction