A $50 Million Sky-High "Tuition Fee": Why Do Address Poisoning Attacks Keep Succeeding?

2025-12-22 03:16
A single lapse in verifying the recipient address sent nearly $50 million USDT straight into the attacker's "poisoned" address.
Original Article Title: "$50 Million Stolen Due to Failure to Double-Check Address"
Original Article Author: Eric, Foresight News


Yesterday morning Beijing time, blockchain analyst Specter identified a case in which nearly 50 million USDT was sent to an attacker's address because the recipient address had not been carefully verified.


According to the investigation, at around 13:00 Beijing time on the 19th, the address 0xcB80784ef74C98A89b6Ab8D96ebE890859600819 withdrew 50 USDT from Binance as a test ahead of a large withdrawal.



About 10 hours later, the address withdrew 49,999,950 USDT from Binance in a single transaction, which together with the earlier 50 USDT made exactly 50 million.



About 20 minutes after that, the address holding the 50 million USDT first sent 50 USDT to the address 0xbaf4…95F8b5 as a test transfer.



Less than 15 minutes after the test transfer, the attacker's address 0xbaff…08f8b5 sent 0.005 USDT to the address holding the remaining 49,999,950 USDT. The attacker's address closely resembled the one that had just received the 50 USDT test transfer, the hallmark of an "address poisoning" attack: the dust transfer plants the look-alike address in the victim's transaction history, where it sits next to the genuine one.



10 minutes later, when the 0xcB80 address went to move the remaining 49,999,950 USDT, it apparently copied the recipient from the most recent entry in its history, the attacker's dust transfer rather than its own test transfer, and sent nearly 50 million USDT straight to the "poisoning" address.



Roughly 30 minutes after receiving the $50 million, the attacker began laundering it. According to SlowMist's monitoring, the attacker first swapped the USDT for DAI via MetaMask, then used all of the DAI to buy about 16,690 ETH, kept 10 ETH, and sent the remainder to Tornado Cash.


Around 16:00 Beijing time yesterday, the victim addressed the attacker on-chain, stating that criminal proceedings had been formally initiated and that, with the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, a large amount of reliable intelligence about the attacker's activities had been collected. The complainant stated that the attacker could keep 1 million US dollars and return the remaining 98% of the funds, and that if the attacker complied no further action would be taken; if the attacker failed to cooperate, legal measures would be pursued to hold the attacker criminally and civilly liable, and the attacker's identity would be publicly disclosed. As of now, the attacker's address has remained inactive.


According to data compiled by Arkham, this address has a history of large transfers with addresses belonging to Binance, Kraken, Coinhako, and Cobo. Binance, Kraken, and Cobo are well known; Coinhako may be a less familiar name. Coinhako is a Singapore-based cryptocurrency exchange founded in 2014; in 2022 it obtained a major payment institution license from the Monetary Authority of Singapore, making it a regulated exchange in Singapore.



Given that the address has interacted with several exchanges and with Cobo's custody service, and that its owner was able to engage the relevant parties to trace the attacker within 24 hours of the incident, the author suspects it belongs to an institution rather than an individual.


When "Carelessness" Leads to Serious Consequences


There is only one plausible explanation for a successful "address poisoning" attack: carelessness. The attack is defeated by verifying the full recipient address before every transfer, not just the first and last few characters that wallets and block explorers display, and that vital step was evidently skipped by the protagonist of this incident.


Address poisoning attacks emerged in 2022 alongside "vanity address" generators, tools that let a user customize the prefix of an EVM address. For example, the author could generate an address starting with 0xeric to make it more recognizable (with the caveat that addresses are hexadecimal, so only the characters 0-9 and a-f are actually available for such a pattern).


Attackers later found that a design flaw in one such tool (weak randomness in its key generation) allowed the private keys of the addresses it produced to be recovered by brute force, which led to several large thefts. But the ability to generate addresses with a chosen prefix and suffix also gave some ill-intentioned people a simpler idea: create an address whose first and last characters match those of an address the target regularly sends to, then send small transfers from it to the target's other regular addresses. A target who later copies a recipient out of their transaction history, glancing only at the visible ends of the address, may send their on-chain assets to the attacker's address believing it to be their own.



Earlier on-chain data shows that the 0xcB80 address had been one of this attacker's key poisoning targets for almost a year before the theft. The method is fundamentally a bet that the target will eventually slip through laziness or inattention, and ironically it is precisely this crude method that turns the "careless" into unwitting victims.
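As an added example (not code from the original article or from any party it describes), the following Python models the mechanics just described and the check the author recommends: a look-alike test on the visible prefix and suffix, a scan of a transfer history for dust received from an address that resembles a known counterparty, and a full-address comparison against a saved address book that would have refused the poisoned recipient. Every address and transfer in it is constructed sample data, not the real ones from the incident, and the address-book and helper names are this example's own assumptions.

```python
"""Address poisoning: look-alike detection and a full-address recipient check.

Added example with constructed sample data; not the article's data or any wallet's code.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: float  # USDT


def normalize(addr: str) -> str:
    """Validate the shape of an EVM address and return it lower-cased for equality checks."""
    a = addr.strip()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    int(a[2:], 16)  # raises ValueError if any character is not hex
    return a.lower()


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when two *different* addresses share the first `prefix` and last `suffix`
    hex characters, which is all a truncated display such as 0xbaf4…f8b5 reveals."""
    a, b = normalize(a), normalize(b)
    return a != b and a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]


def find_poisoning(history: Iterable[Transfer], wallet: str,
                   dust_threshold: float = 1.0) -> list[Transfer]:
    """Flag incoming transfers that are dust AND come from an address resembling
    a counterparty this wallet has previously sent to."""
    wallet = normalize(wallet)
    hist = list(history)
    trusted = {normalize(t.recipient) for t in hist if normalize(t.sender) == wallet}
    flagged = []
    for t in hist:
        if normalize(t.recipient) != wallet or t.amount > dust_threshold:
            continue
        if any(looks_alike(t.sender, known) for known in trusted):
            flagged.append(t)
    return flagged


def check_recipient(candidate: str, address_book: dict[str, str]) -> str:
    """Allow a transfer only if the full candidate address exactly matches a saved
    entry; a prefix/suffix match that is not an exact match is reported as poisoning."""
    c = normalize(candidate)
    for label, saved in address_book.items():
        if normalize(saved) == c:
            return label
    for label, saved in address_book.items():
        if looks_alike(c, saved):
            raise ValueError(
                f"{candidate} resembles saved entry '{label}' ({saved}) "
                f"but is not it: likely poisoned")
    raise ValueError(f"{candidate} is not in the address book")


# Constructed sample addresses (assumptions for this example, not the incident's addresses).
WALLET = "0xcb80" + "3" * 30 + "600819"     # the victim-style wallet
LEGIT = "0xbaf4" + "1" * 30 + "95f8b5"      # genuine counterparty
POISON = "0xbaf4" + "2" * 30 + "08f8b5"     # attacker: same 4-char prefix and suffix
EXCHANGE = "0x" + "e" * 40                  # stand-in for an exchange hot wallet

# Constructed history mirroring the sequence in the article: big inbound, small test
# outbound to the genuine counterparty, then dust from the look-alike address.
SAMPLE_HISTORY = [
    Transfer(EXCHANGE, WALLET, 49_999_950.0),
    Transfer(WALLET, LEGIT, 50.0),
    Transfer(POISON, WALLET, 0.005),
]

ADDRESS_BOOK = {"counterparty": LEGIT}


if __name__ == "__main__":
    for t in find_poisoning(SAMPLE_HISTORY, WALLET):
        print(f"suspicious dust from {t.sender}: {t.amount} USDT")
    print("genuine recipient resolves to:", check_recipient(LEGIT, ADDRESS_BOOK))
    try:
        check_recipient(POISON, ADDRESS_BOOK)
    except ValueError as err:
        print("refused:", err)
```

Equality is checked on the lower-cased hex string, which is sufficient to tell two addresses apart; validating the EIP-55 mixed-case checksum as well would need a keccak-256 implementation, which Python's standard library does not provide. The history scan is a monitoring aid, while the address-book check is the control that actually prevents the loss: it never accepts an address on the strength of its visible ends alone.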



In response to this incident, F2Pool co-founder Wang Chun tweeted his sympathy for the victim. He recalled that last year, to test whether his address's private key had leaked, he transferred 500 bitcoins to it, only to have 490 of them stolen by hackers. Although Wang Chun's experience was unrelated to address poisoning, his point was presumably that everyone has moments of folly: the focus should be on the hackers, not on blaming the victims for their carelessness.


A $50 million loss is large, but not the largest from such an attack. In May 2024, a victim of a similar attack sent over $70 million worth of Wrapped Bitcoin (WBTC) to an attacker's address; with the help of security firm Match Systems and the Cryptex exchange, the victim recovered almost all of the funds through on-chain negotiation. In the present case, the attacker swiftly swapped the stolen funds for ETH and moved them into Tornado Cash, so the prospects for recovery are uncertain.


Casa co-founder and Chief Security Officer Jameson Lopp warned in April that address poisoning attacks are spreading rapidly, with over 48,000 such events recorded on the Bitcoin network alone since 2023.


These attack methods, like the fake Zoom meeting links circulated on Telegram, are not sophisticated, but it is precisely their simplicity that catches people off guard. For those of us in the dark forest, an extra layer of caution is never a bad idea.

