I have been using exchanges for a year now, but after all this craziness happening with the withdrawals, I decided to slowly start DCA-ing on Metamask, because I wanted to keep my crypto off exchanges.
I do not have my secret recovery phrase nowhere digitally, its in my house on paper and I live alone. No one could read it. I did not give away my phone to anyone not for a short amount of time when the scam happened. I was at home, no one could unlock with my Face ID.
My Metamask is connected to Plutus exchange on Brave Browser, it asks for my simple password, anytime I connect it. So that password may have been hacked, which is equivalent to my FaceID on my iPhone.
Today I logged in to see my eth, and poof its gone. It had been sent to an another address. I dont understand how this could happen? How can someone send my money to their address only with my browser login password. If someone logs in from an another device it should ask my 12 world phrase, no? I have sent the daily dca to my CDC address to see how easy it to send it. I added my CDC address just in case like in a month ago, so I dont know for new addresses is 24h required?
Thankfully “its only” a 100 euros, but thats like 2 weeks of food or my whole month’s bills where I live. I am obviously mad, how can something like this happen. Even CDC had more security with 2FA, 24h whitewashing address than the secret recovery key Metamask Wallet.
This is the scammer address btw: https://etherscan.io/address/0xe34f6a76abc77b07158fa07d3069167dc62cdb6a
I dont know what I did wrong, I am very cautious, I am simply infuriating that I could have been like 1000 or 10 000 euros too. And a scammer could get my money with only with my Metamask login password not even my recovery phrase. Maybe not my keys not my crypto but I am definitely going back to Crypto.com.