MetaMask has published an article called "Fighting back against sweeper bots". The article explains, to some degree, what sweeper bots are and how to fight them.
Sweeper bots are getting a lot of hype on the interwebs and apparently many wallet users (e.g., MetaMask users) are scared scitless and petrified of them.
Here's my take:
How would the sweeper bot sign the transaction without the private key? It cannot. At some point the user handed over their private key(s) or seed words.
The only thing somewhat unique (a little at least) about "sweeper bots" is that they're subtle: they don't sweep the key (send the transaction) until the user sends a transaction. If the transaction amount meets the bot's threshold (they might not be interested in something small like $5 of ETH, for example), the bot then immediately creates a transaction using the same inputs and in the same amount but sends it with a higher fee so it will likely get confirmed first.
If the user is somewhat of a normie, he/she might not know that something bad ever happened, or at the very least probably not right away. It could happen to them over and over. Even when they do start to suspect something, they might not understand what happened and might even think it was some error they themselves made (aside from giving away their private key(s)).
Other than that, your wallet can get swept at any time by anyone who has your private key(s) or seed words. "Sweep" is just a word for sending a transaction out, although I usually only use that terminology for sending ALL of the funds from one address/key (e.g., from a paper wallet) to a different address/key.
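A check for the pattern described above, as an added example that is not part of the original post: it compares a wallet's own log of signed transactions with what was confirmed on-chain and flags any nonce where the confirmed transaction pays a recipient the wallet never signed for. It assumes Ethereum's rule that only one transaction per sender nonce can confirm; the `Tx` record, the function name and the sample data are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str
    nonce: int
    to: str
    value_wei: int
    gas_price_gwei: float

def find_displaced_sends(signed, confirmed):
    """Flag nonces where the confirmed tx pays a recipient the wallet never signed for."""
    signed_by_slot = defaultdict(list)
    for tx in signed:
        signed_by_slot[(tx.sender.lower(), tx.nonce)].append(tx)
    findings = []
    for won in confirmed:
        mine = signed_by_slot.get((won.sender.lower(), won.nonce))
        if not mine:
            continue  # nonce not in the local log; outside this check
        if any(won.to.lower() == m.to.lower() for m in mine):
            continue  # own send, speed-up or cancel: recipient matches
        findings.append({
            "nonce": won.nonce,
            "intended_to": [m.to for m in mine],
            "confirmed_to": won.to,
            "value_wei": won.value_wei,
            "outbid": won.gas_price_gwei > max(m.gas_price_gwei for m in mine),
        })
    return findings

# Constructed sample data (not real addresses or transactions).
ME, FRIEND, UNKNOWN = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20
SIGNED = [
    Tx(ME, 6, FRIEND, 10**17, 20.0),
    Tx(ME, 6, FRIEND, 10**17, 30.0),      # my own speed-up of nonce 6
    Tx(ME, 7, FRIEND, 2 * 10**18, 25.0),
]
CONFIRMED = [
    Tx(ME, 6, FRIEND, 10**17, 30.0),
    Tx(ME, 7, UNKNOWN, 2 * 10**18, 90.0),  # same amount, higher fee, other recipient
]

if __name__ == "__main__":
    for finding in find_displaced_sends(SIGNED, CONFIRMED):
        print(finding)
```

Any finding means another party can sign for the address, so the fix is moving remaining funds to a freshly generated key rather than resending the payment.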
How would a sweeper bot (or whoever wrote / edited it) get your private key(s) or seed words? For example, here's an email I got pretending to be from MetaMask asking me for KYC. They're no doubt looking to get their hands on my seed words / 12 word backup recovery phrase. I imagine there are thousands (or more) of users who fall for this and end up handing over the goods:
I traced the link in that email using Wheregoes.com and evidently it goes to some site called authcontact.info:
MetaMask will NEVER ask you to verify your wallet or for KYC. It wouldn't make sense (i.e., MetaMask wallet is non-custodial / self-custody). They've also published an article saying they won't: "Will MetaMask ever ask me to verify my account?"