Nexus Mutual Attack: 8 Million Lost

At 09:40 am UTC on Dec 14, 2020, CertiK Skynet detected a large transaction from Hugh Karp, the founder of Nexus Mutual, transferring 370,000 NXM tokens to an unknown account. The tokens were worth approximately 8.33 million US dollars at the time.

The CertiK security investigation team immediately began an analysis and assessed that the transaction was a targeted attack on Mr. Hugh Karp's account.

The attacker's account address is 0x09923e35f19687a524bbca7d42b92b6748534f25, and some of the tokens obtained in the attack have already been traded in transaction 0xfe2910c24e7bab5c96015fb1090aa52b4c0f80c5b5c685e4da1b85c5f648558a.

Attack transaction hash: 0x4ddcc21c6de13b3cf472c8d4cdafd80593e0fc286c67ea144a76dbeddb7f3629

Figure 1: the attack transaction hash


According to the official disclosure, after gaining remote control of Hugh Karp's personal computer, the attacker modified the MetaMask extension installed on it and tricked him into signing the transaction in Figure 1, which transferred the tokens to the attacker's account.

Based on the information disclosed so far, the CertiK team's conjecture is that when Hugh used MetaMask as usual, the modified extension substituted a transfer of the huge token amount for the transaction he intended, before the transaction was passed to his hardware wallet for signing.

A browser extension is an application much like the front end of an ordinary web application: both are written in HTML and JavaScript, and the extension's files are stored on the user's computer. As to how the attacker modified the MetaMask extension, the CertiK team offers the following conjectures:

  1. Having remote control of Hugh Karp's personal computer, the attacker opened the browser through the remote desktop session and installed a modified MetaMask extension directly.
  2. The attacker located the MetaMask extension's installation path on Hugh Karp's personal computer, modified its code, and loaded the modified extension into the browser.
  3. The attacker modified the extension's files using the operating system's built-in command-line tools.

The official disclosure mentions that Hugh Karp used a hardware wallet. The model was not revealed, but it must have been a Trezor or a Ledger, the only two hardware wallets MetaMask supported at the time. With a hardware wallet, a transaction initiated in MetaMask must be confirmed on the device and signed with the private key held there.

When a Trezor or Ledger confirms a transaction, it shows the destination address on the device screen for the user to check. The attacker should not have been able to alter what the device displayed, so the speculation is that when Hugh Karp gave the final confirmation on the hardware wallet, he did not notice that the address was the attacker's. One caveat: this was a token transfer, so the transaction's `to` field is the NXM token contract and the attacker's address is carried in the calldata; what the device shows as the recipient depends on whether its firmware decodes the token transfer rather than displaying only the contract address.

Figure 2: Screen display when Ledger confirms the transaction


That the account of the founder of a blockchain insurance platform was attacked itself illustrates the importance of insurance. No matter who you are or what role you play, attackers on a blockchain network will not pass you by out of luck; security incidents can happen to anyone.

The CertiK security verification team suggests the following security measures based on this attack:

  • Any security system and operating environment requires not only program security verification but also professional penetration testing to verify the security of the product as a whole.
  • To guard against the loss of digital assets for non-technical reasons, project teams should purchase insurance for their products or solutions promptly, so that the project and its investors have multi-level protection and losses from an attack can be compensated in time.

References:

News source:

The official tweet:

Hugh Karp's personal computer operating system: Windows (not stated in the official disclosure)

Hugh Karp's personal response to the tweet:
