According to a disclosure by Nexus Mutual, the funds were drained on Monday (December 14) morning UTC after Karp’s personal device was compromised: the hacker managed to install a compromised version of MetaMask that tricked Karp into signing a transaction that redirected all his NXM tokens to an attacker-controlled address.
At 9:40am this morning @HughKarp's personal address was attacked and drained by a member of the mutual. Only Hugh’s address was affected in this targeted attack and there is no subsequent risk to Nexus Mutual or any members. https://t.co/72nrIDpKW6 — Nexus Mutual 🐢 (@NexusMutual) December 14, 2020
The report said that according to Nexus Mutual, Karp was using a hardware wallet. The attacker circumvented the protection by replacing a legitimate transaction with his own. Some hardware wallets should provide protection against these types of attacks by requiring confirmation on the device itself, where the display should be protected against this form of tampering.
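The check that on-device confirmation is meant to give the signer, written out as an added example (not code from Nexus Mutual, MetaMask or any wallet vendor): decode the call data of the transaction presented for signing and compare its recipient and amount with what was intended. It assumes the call is an ERC-20 `transfer(address,uint256)`, which the report does not state, and every address and amount in it is constructed.

```python
# Added example: check the transaction you are asked to sign against what you meant to send.
# Assumes an ERC-20 transfer(address,uint256) call; all addresses and amounts are constructed.
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

def encode_transfer(recipient, amount):
    """Build transfer calldata (used here only to construct the sample transactions)."""
    return "0x" + TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_erc20_transfer(calldata_hex):
    """Return (recipient, amount) from transfer calldata, or raise ValueError."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected length for transfer(address,uint256)")
    if data[:8] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer(address,uint256) call")
    addr_word, amount_word = data[8:72], data[72:]
    if addr_word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return "0x" + addr_word[24:], int(amount_word, 16)

def mismatches(intent, tx):
    """List every way the transaction to be signed differs from the user's intent."""
    problems = []
    if tx["to"].lower() != intent["token"].lower():
        problems.append("token contract differs")
    try:
        recipient, amount = decode_erc20_transfer(tx["data"])
    except ValueError as exc:
        return problems + ["calldata: %s" % exc]
    if recipient != intent["recipient"].lower():
        problems.append("recipient is " + recipient)
    if amount != intent["amount"]:
        problems.append("amount is %d" % amount)
    return problems

TOKEN = "0x" + "11" * 20      # constructed placeholder for the token contract
FRIEND = "0x" + "22" * 20     # constructed: the address the user meant to pay
OTHER = "0x" + "99" * 20      # constructed: address substituted by a tampered wallet
INTENT = {"token": TOKEN, "recipient": FRIEND, "amount": 5 * 10**18}
HONEST_TX = {"to": TOKEN, "data": encode_transfer(FRIEND, 5 * 10**18)}
SWAPPED_TX = {"to": TOKEN, "data": encode_transfer(OTHER, 1000 * 10**18)}

if __name__ == "__main__":
    print(mismatches(INTENT, HONEST_TX))   # nothing to report
    print(mismatches(INTENT, SWAPPED_TX))  # recipient and amount both differ
```

A comparison like this only helps when it runs somewhere the compromised host cannot alter, which is the role the report assigns to the hardware wallet's own display.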
The founder of the @NexusMutual DeFi protocol got hacked for $8 million in NXM tokens, or approximately 6% of the circulating supply. https://t.co/CtbYGkcHfx — Cointelegraph (@Cointelegraph) December 14, 2020
Also, the attacker was a member of the mutual, having passed know-your-client verification 12 days ago.
The attacker has not been fully identified, though, and investigations are still pending; the attacker needed to be a verified member of the mutual in order to receive NXM tokens.
A Nexus Mutual community manager said that they are “working on the assumption that [the hacker] could have committed identity fraud.”
The NXM token has dropped 17% since the attack occurred, although the protocol itself was not affected.
The NXM stolen in the hack amounts to approximately 6% of all tokens in circulation, which could pose significant downward pressure on price.
As per the report, Karp later complimented the attacker for performing a “very nice trick.”
To the attacker. Very nice trick, definitely next level stuff. You'll have trouble cashing out that much NXM. If you return the NXM in full, we will drop all investigations and I will grant you a $300k bounty. — Hugh Karp 🐢 (@HughKarp) December 14, 2020
He thus offered a $300,000 bounty and to drop all charges in exchange for the return of the tokens, arguing that the hacker would have trouble converting the NXM into more liquid forms of money.