MetaMask stated its security team is working with others in the Web3 wallet space to uncover the source of this exploit.