50 million dollars was stolen, simply because the address was not carefully checked.

5 hours ago

Written by: Eric, Foresight News

In the early hours of yesterday, an on-chain analyst named Specter discovered a case where nearly 50 million USDT was transferred to a hacker's address due to a failure to carefully check the transfer address.

According to my verification, the address (0xcB80784ef74C98A89b6Ab8D96ebE890859600819) withdrew 50 USDT from Binance around 1 PM Beijing time on the 19th as a test before a large withdrawal.

About 10 hours later, this address withdrew 49,999,950 USDT from Binance in one go, bringing the total to exactly 50 million when combined with the previously withdrawn 50 USDT.

About 20 minutes later, the address that received the 50 million USDT transferred 50 USDT to 0xbaf4…95F8b5 for testing.

Less than 15 minutes after the test transfer was completed, the hacker address 0xbaff…08f8b5 transferred 0.005 USDT to the address that held the remaining 49,999,950 USDT. The address used by the hacker was very similar to the address that received the 50 USDT, indicating a clear case of "address poisoning" attack.

Ten minutes later, when the address starting with 0xcB80 was preparing to transfer the remaining 40 million USDT, it likely copied the destination from the most recent transaction in its history, which was the hacker's "poisoning" transfer, and so sent nearly 50 million USDT directly into the hacker's hands.

Seeing the 50 million dollars in hand, the hacker began laundering the money 30 minutes later. According to SlowMist's monitoring, the hacker first exchanged USDT for DAI through MetaMask, then used all the DAI to buy about 16,690 Ethereum, leaving 10 ETH and transferring the remaining Ethereum into Tornado Cash.

Around 4 PM Beijing time yesterday, the victim publicly addressed the hacker on-chain, stating that they had officially filed a criminal lawsuit and had collected a large amount of reliable intelligence regarding the hacker's activities with the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols. The owner stated that the hacker could keep 1 million dollars and return the remaining 98% of the funds; if the hacker complied, they would not pursue further action. If not, they would seek to hold the hacker criminally and civilly liable through legal means and would publicly disclose the hacker's identity. However, as of now, the hacker has not responded.

According to data compiled by the Arkham platform, this address has large transfer records with Binance, Kraken, Coinhako, and Cobo. Binance, Kraken, and Cobo need no introduction, while Coinhako may be a relatively unfamiliar name. Coinhako is a local cryptocurrency exchange in Singapore established in 2014, which obtained a major payment institution license from the Monetary Authority of Singapore in 2022, making it a regulated exchange in Singapore.

Given that this address has used multiple exchanges and Cobo's custody services, and that it quickly contacted various parties to track the hacker within 24 hours of the incident, I suspect that this address likely belongs to an institution rather than an individual.

"Accidentally" Causing a Major Mistake

The only explanation for the success of the "address poisoning" attack is "carelessness." Such attacks can be avoided simply by double-checking the address before transferring, but clearly, the protagonist of this incident skipped this crucial step.

Address poisoning attacks began to appear in 2022, and the story originated from "vanity address" generators, which are tools that allow users to customize the beginning of EVM addresses. For example, I could generate an address starting with 0xeric to make it more recognizable.

This tool was later discovered by hackers, who found that, due to design flaws, its generated keys could be brute-forced to recover the private keys, leading to several significant theft incidents. However, the ability to generate customized beginnings and endings also gave some ill-intentioned individuals a "clever idea": generate addresses that resemble the counterparties a user transfers to most often, then send tiny transfers from those look-alikes to the user's addresses, so that the look-alike shows up in the user's transaction history. A careless user who copies the address from that history will send their on-chain assets to the hacker.
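The "double-check the address" advice above and the look-alike mechanism just described, as an added example that is not code from the article: a scan that flags dust transfers from addresses mimicking a known counterparty, plus a pre-signing gate that only accepts an exact address-book match. All addresses, labels and amounts are constructed placeholders, not the ones from the incident.

```python
# Added example (not code from the article): defensive checks against
# "address poisoning" look-alikes. All addresses below are constructed
# placeholders, not the real ones from the incident.

HEX = set("0123456789abcdef")

def norm(addr: str) -> str:
    """Lower-case an EVM address and reject anything that is not 20 bytes of hex."""
    a = addr.lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"malformed address: {addr}")
    return a

def looks_alike(candidate: str, trusted: str, head: int = 4, tail: int = 4) -> bool:
    """True if candidate shares the first `head` and last `tail` hex digits with
    trusted but differs somewhere in between, i.e. the pair is indistinguishable
    in a wallet UI that abbreviates addresses as 0xabcd...1234."""
    c, t = norm(candidate), norm(trusted)
    return c != t and c[2:2 + head] == t[2:2 + head] and c[-tail:] == t[-tail:]

def flag_poisoning(history, address_book, dust_threshold=1.0):
    """Scan incoming transfers and return (sender, mimicked_label, is_dust) for
    every sender that mimics an address-book entry. A tiny amount from a
    look-alike is the classic poisoning signature."""
    hits = []
    for tx in history:
        for label, good in address_book.items():
            if looks_alike(tx["from"], good):
                hits.append((norm(tx["from"]), label, tx["amount"] < dust_threshold))
    return hits

def check_destination(dest, address_book):
    """Gate to run before signing: accept only an exact address-book match and
    reject look-alikes, so an address copied from transaction history cannot
    silently replace the intended one."""
    d = norm(dest)
    for label, good in address_book.items():
        if d == norm(good):
            return ("ok", label)
        if looks_alike(d, good):
            return ("reject", f"look-alike of {label}")
    return ("unknown", "not in address book")

# Constructed sample data: the real counterparty and a poisoned imitation that
# shares its first four and last four hex digits.
GOOD = "0xbaf4" + "0" * 30 + "95f8b5"
FAKE = "0xbaf4" + "1" * 30 + "95f8b5"
BOOK = {"treasury": GOOD}
HISTORY = [
    {"from": GOOD, "amount": 50.0},    # the legitimate test transfer
    {"from": FAKE, "amount": 0.005},   # dust from the look-alike
]

if __name__ == "__main__":
    print(flag_poisoning(HISTORY, BOOK))    # [(FAKE, 'treasury', True)]
    print(check_destination(FAKE, BOOK))    # ('reject', 'look-alike of treasury')
```

Run on a real history, `flag_poisoning` is the periodic scan and `check_destination` is the step to wire in front of the signing call.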

Past on-chain information shows that the address starting with 0xcB80 had been one of the hacker's important poisoning targets well before this attack, with poisoning attempts against it beginning nearly a year ago. This attack method essentially bets that one day you will be careless, or find checking too troublesome, and fall for it, and it is precisely this easily recognizable attack method that has turned many "careless" individuals into victims.

In response to this incident, F2Pool co-founder Wang Chun expressed sympathy for the victim on Twitter, stating that last year, to test whether his address had experienced a private key leak, he transferred 500 bitcoins, only to have 490 bitcoins stolen by hackers. Although Wang Chun's experience is unrelated to address poisoning attacks, he likely wanted to express that everyone has moments of "foolishness," and we should not blame the victim's carelessness but rather direct our anger at the hackers.

50 million dollars is not a small amount, but it is not the largest amount stolen in such attacks. In May 2024, an address transferred over 70 million dollars worth of WBTC to a hacker's address due to such an attack, but the victim ultimately recovered almost all the funds with the assistance of security company Match Systems and the Cryptex exchange through on-chain negotiations. However, in this incident, the hacker has quickly exchanged the stolen funds for ETH and transferred them to Tornado Cash, and it remains uncertain whether the funds can be recovered.

Jameson Lopp, co-founder and chief security officer of Casa, warned in April that address poisoning attacks are spreading rapidly, with as many as 48,000 such incidents occurring on the Bitcoin network alone since 2023.

These attack methods, including fake Zoom meeting links on Telegram, are not particularly sophisticated, but it is precisely this "simple" attack method that can lead people to let their guard down. For those of us in the dark forest, it is always wise to be vigilant.
