How To Lose Your NFT, Panic, and Then Recover It
A story around how Hot Wallets can go awry. Mindset and technical lessons to learn.
One of the frequently memorable parts of The Hitchhiker’s Guide to the Galaxy stems from the all-encompassing titular guidebook to the Galaxy, which has a bright tagline across the front of “Don’t Panic”. Our heroes frequently consult this guide when confronted with unknown knowledge. When I discovered last month that my MetaMask wallet containing my Bow Tied Jungle NFT and my personal ETH domain was missing from the browser, the first thing I did was panic.
What I thought would be a simple seed phrase restore turned out not to be, because I had copied the wrong text down to recover my wallet. Originally my wallet wasn’t used for anything, so I didn’t consider writing down my seed phrase incorrectly (mistake #1). Once I realized my mistake I quickly and aggressively broke out into a cold sweat. I had to cancel plans with my friends and spent the rest of the night chaotically trying to revive my wallet in my browser. If I had some form of prescience, I would have known a calm and clear mind would lead to a plan of action and that I could block out my fears. Instead, my mind succumbed to the worst part of human emotions: fear and doubt. [1]
When you are not thinking clearly you fall back to emotional and reactionary thinking. The first stage was unsurprisingly a fit of denial that this was happening to me. I blamed the browser for the mysterious deletion of my wallet extension. This quickly spiraled out of control, with multiple failures and growing frustration on my part.
If I reinstall the extension it will just reappear right? Wrong.
I installed it on multiple browsers right? Wrong.
I must’ve kept a backup copy on my laptop right? Wrong.
The seeds of doubt were already strong in my head at this point. I was contemplating having to rebrand, buying a new NFT, reestablishing all the work I had done up to that point on my Crocodile account, and publicly admitting my failures to the world. I luckily ran out of time for the night and decided this was tomorrow’s problem. This allowed me to regroup and gather myself. I had to stop flailing around and get a plan of action going to solve this problem!
Problem Solving Time
The first step in solving any sort of complex problem is to understand fully what the problem is. I had no idea how the issue happened, and yet I was doing every quick fix I could think of, not realizing that I could end up doing more permanent damage to the recovery efforts (mistake #2). The magnitude of the problem will mirror the magnitude of thoughtfulness needed before your first maneuver. Any sort of forensic analysis of digital data demands a non-destructive copy to work with, as data is fragile, especially in a live system. With this in mind, I decided to take a step back and evaluate the situation.
Over 8 days had passed since the original accident happened, and I was racking my brain trying to understand how this problem even happened. To discover the source of the problem would be the first step towards understanding the depths of what had occurred. From that point I could make a plan of action that would noninvasively fix the problem.
I wasn’t sure which PC originally had my MetaMask wallet on it since I switch frequently between my desktop and laptop for different purposes. When I lose physical things I try to actively recall my physical actions in my mind of the moment I last remember being in contact with the item. I try to visually repaint the scene I was in, remember my actions, my movements, and most importantly what my eyes have seen. By replaying the scene in my mind I can pick out tiny details that matter and use that to backtrack to the lost item. I fortunately remembered the act of sitting and leaning back in my chair at my desktop while interacting with my wallet, specifically flipping my wallet account in use from my hardware wallet to the built-in one in MM. This simple act of recall reduced my troubleshooting efforts by 50% by allowing me to focus on my desktop, where I had far more tools in my arsenal to recover my data.
This was a key piece of information to remember as I learned from the day before that my Windows laptop somehow did not have a system restore point enabled on it (mistake #3). This meant a rollback to a week or so before was impossible. Since my mind tricked me into thinking my laptop could have had my wallet, I knew that was a game over for me as there simply was no backup on that system. Losing that much hope was devastating to me (even though it was unfounded!) and is another reason why we should not panic in the moment as it damages our mind.
With that information in hand, I was able to remember why my browser extension was suddenly gone. The incident occurred when my browser updated to the most recent Chrome update and a problem that I had not dealt with in years popped up again. I used to use streaming software for sports that was based on BitTorrent, which made it easy to get high quality sports streams. While I uninstalled the program years ago, the browser extension had the ability to reinstall itself frequently even after deletion. I did not take this problem seriously at the time, since it passed multiple virus checks and only took a few seconds to remove if it showed up (mistake #4). But after years of this and now using my computer for more serious things such as crypto, the security of my computer had become a priority.
After some searching I had finally found a solution to remove this malicious extension and took full advantage. This involved me diving into the location where Chrome stores its extensions, and I foolishly nuked the entire folder, plus deleted the old registry keys for those extensions (mistake #5). It didn’t occur to me that I was also deleting my MM extension in the browser, since I figured everything in that folder was potentially dangerous, which led me to the scorched earth practice. My cavalier attitude when working with sensitive data that I was not familiar with was my downfall here. If I took a more judicious approach I would have never been in this scenario.
Root Cause Found
With this new information I was now equipped with enough knowledge to fix everything. Most problems are simpler than they seem, but our ability to keep them as abstract issues stops us from fully solving them in efficient ways. The problem was simply deleting my extension from my extension folder, and now I had to use every tool at my disposal to recover that data from that specific folder.
As part of the troubleshooting I learned that one of the quirks of MM is that all your data is saved on your computer in an encrypted vault containing JSON data. So while the main way to recover a wallet is to use a seed phrase, the secondary way is to recover your digitally encrypted vault data and then use your login password to decrypt it (many bad security implications from this!). Once the vault is decrypted your seed phrase will show up in the resulting data and you can then plug that into your newly reinstalled MM extension. The implication of this is anyone who obtains a copy of your encrypted vault is a brute force password hack away from recovering your wallet. Make your MetaMask passwords complex and long!
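The vault behaviour described above, sketched as an added example (not code from the original post or from MetaMask): a secret sealed with a password-derived key can be opened from any copy of the file with the password alone, and a wrong password fails the integrity check. The JSON field names, PBKDF2-SHA256, AES-256-GCM and the iteration count are assumptions chosen for illustration.

```javascript
// Added example: a password-sealed JSON vault of the kind the article describes.
// Field names, KDF choice and iteration count are assumptions for illustration.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // assumed work factor: the cost of testing one password

function deriveKey(password, salt, iterations) {
  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

// Seal a secrets object into a JSON vault string. This is what sits on disk,
// and therefore inside every disk image or backup taken of that disk.
function sealVault(password, secrets, iterations = ITERATIONS) {
  const salt = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt, iterations), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(secrets), 'utf8'), cipher.final()]);
  return JSON.stringify({
    data: Buffer.concat([body, cipher.getAuthTag()]).toString('base64'),
    iv: iv.toString('base64'),
    salt: salt.toString('base64'),
    iterations,
  });
}

// Open a vault using nothing but the file contents and the password.
// Returns the secrets, or null when the password is wrong or the data was altered.
function openVault(password, vaultJson) {
  const v = JSON.parse(vaultJson);
  const raw = Buffer.from(v.data, 'base64');
  const key = deriveKey(password, Buffer.from(v.salt, 'base64'), v.iterations);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(v.iv, 'base64'));
  decipher.setAuthTag(raw.subarray(raw.length - 16)); // last 16 bytes are the GCM tag
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(0, raw.length - 16)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // authentication tag mismatch
  }
}

// Constructed sample data: not a real password or seed phrase.
const samplePassword = 'constructed long passphrase for the demo';
const vaultOnDisk = sealVault(samplePassword, { mnemonic: 'CONSTRUCTED-PLACEHOLDER-SEED' });
const copyFromBackup = vaultOnDisk; // a disk image or backup holds the same bytes
console.log('opens with the password:', openVault(samplePassword, copyFromBackup) !== null);
console.log('opens with a wrong one:', openVault('hunter2', copyFromBackup) !== null);
```

Because the file is the only ingredient besides the password, an unencrypted disk image that contains it needs the same care as the wallet itself.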
Having a goal to attack and deliver all my effort toward completely shifted my mood. What started as a spiraling disaster now had a target and maximum force heading down range to find a solution!
Past Planning Fixes Future Problems
Fortunately Windows has many automatic backup systems in place for problems like this. Unfortunately none of them worked for me. Basic things like File History, which I don’t think have ever worked automatically on Windows, also failed to roll back the MM files to their previous version. My recycle bin, which normally piles up for months, was cleaned the same day I deleted the extension in a fit of bad chance. While basic file recovery failed, more advanced techniques were available to me.
The initial test was using System Restore, which had restoration points that were timestamped before the issue thanks to some timely Windows updates. But when I tried to use them it didn’t restore the extension’s data. I was not sure if this was a result of my reinstalled MM taking precedence over the spot previously taken in the file system, or if System Restore doesn’t touch the appdata folder. This is one example of why I should not have tried quick fixes, since it hindered my later data recoveries.
Windows versions after 2004 also have a new tool built specifically to find deleted files: Windows File Recovery. NTFS drives keep their own memory of where files are located on disk (see Master File Table) compared to the built-in filesystem. So while I deleted the files on my computer’s file system, the hard drive itself might not have overwritten the old files yet. Hard drives tend to not immediately clear space out; instead they mark the space as available to be written to, and eventually that space will be allocated for storage again and paved over with new data. Again, I hypothesized my hasty reinstall of MM overwrote the old data silently hanging on my file system and/or hard drive to be deleted, which ruined my chances at an easy recovery. Even though this was a useful tool it was not able to turn up my data (though it did find some things years old!).
The next solution was using my automatic backup software I had installed years ago under a recommendation from many internet articles. Macrium Reflect was my tool of choice, and while I had never used a backup from it in 4 years of operation (you should test your backup software to ensure viability), it never failed to make a full backup of my C drive which contained my previous Chrome extensions history.
Now normally I keep only one full backup on my PC at a time due to the space requirements (about 14-250 gigs per image depending on a full or partial backup). My backup software had run the day after I deleted my wallet, so now my most recent backup was too new to restore from. You would think all is lost, but my past self saved me here. Six months ago I purchased an Easy Store 10TB hard drive to specifically keep more Windows backups available. I also built a habit of moving old backups to this new drive and not deleting them. Once I realized that I had plenty of backups waiting for me on my hard drive I knew victory was assured.
At this point the restoration of files was beyond easy. These files can be mounted directly to the file system for browsing as a drive, so I didn’t even need to restore my entire PC to an earlier state. I simply navigated to the location of Chrome extensions and found my data sitting there! I used the data vault recovery tool, entered my password, and found my seed phrase sitting right in front of me! I quickly wrote it down physically and then successfully recovered my wallet in the browser!
Post Mortem Fixes
One story Malcolm Gladwell told that has always stuck with me was in his book Outliers. He explains that small problems combining together are what lead to massive disasters. He tells the story of a Korean airline that had multiple small problems in their standard operations that built up and resulted in the loss of a jetliner and all its passengers multiple times. He coined a heuristic that multiple small problems can combine to a disaster, with each small problem exacerbating the issue and creating an exponential growth in complexity that will become too strong to overcome. In my process of evaluating this problem it was the multiple issues that led to my disaster.
Some important problems that were identified in my setup that I aim to fix:
Enable backups on my Laptop.
Encrypt Desktop Backups to stop future wallet theft.
Create a stronger MetaMask password to prevent brute force attacks if wallet files are stolen.
Write down Seed Phrase, verify 3 times, and store safely.
When recovering data, do not modify the existing folders in the filesystem.
Migrate off MetaMask as soon as OpenSea is able to send NFTs to hardware wallets.
Remove all malware as soon as noticed, even if it passes security checks or is “harmless”.
Don’t Panic!
After reading this I hope you perform a basic audit of the security and seed phrases of your valuables. A little bit of effort here can save you from panic in the future. The goal of the Jungle is to make it to 2035. Is your system rigorous enough to last that long? We shall see…
[1] I think someone in Dune once said something like this.
Hell of a Read. I'll definitely double check and have my family check their MM seed phrases
Damn, that was an intense read! I was scratching my head as I read along, wondering wtf you actually did to recover.
I didn't know the bit about the encrypted vault file for Metamask. I have mine linked to a HW wallet so that insulates me from a brute force crack somewhat, assuming they haven't stolen my HW wallet in addition to the hard drive.