
Wang Jun has also paid "school fees": $50 million stolen for failure to check addresses

2025/12/22 12:55

A failure to check the transfer address resulted in nearly $50 million of USDT being sent straight to the hacker's poisoned address.

Original title: "$50 million stolen for failure to check addresses"
Photo by Eric Foresight News

In the early hours, Beijing time, an on-chain analyst named Specter discovered a case in which nearly 50 million USDT was transferred to a hacker's address because the sender failed to scrutinize the transfer address.

According to the papers, the address (0xcB80784ef74C98A89b6Ab8D96ebE890859600819) withdrew 50 USDT from Binance as a test at around 13:00 Beijing time.

About 10 hours later, 49,999,950 USDT was withdrawn from Binance in a single transaction; together with the 50 USDT withdrawn earlier, the total came to exactly 50 million.

About 20 minutes later, the address that had received the 50 million USDT transferred 50 USDT to 0xbaf4...95F8b5 as a test.

Within 15 minutes of the completion of the test transfer, the hacker's address, 0xbaf...08f8b5, sent 0.005 USDT to the address holding the remaining 49,999,950 USDT. The address used by the hacker closely resembled, at its beginning and end, the address that had received the 50 USDT: an obvious "address poisoning" attack.

Ten minutes later, when the initial 0xcB80 address was ready to transfer the remaining 4 million USDT, it may have carelessly copied the address from the previous transaction, that is, the address the hacker had used for the "poisoning", and so sent almost 50 million USDT directly into the hacker's hands.

With 50 million dollars in hand, the hacker began laundering the money within 30 minutes. According to SlowMist monitoring, the hacker first swapped the USDT for DAI through MetaMask, then used all of the DAI to buy about 16,690 ETH, kept 10 ETH, and transferred all of the remaining ETH to Tornado Cash.

Yesterday, at about 16:00 Beijing time, the victim addressed the hacker on-chain, stating that formal criminal proceedings had been brought and that, with the assistance of law enforcement, cybersecurity agencies and several blockchain protocols, a great deal of reliable information about the hacker's activities had been gathered. The owner indicated that the hacker could keep $1 million and return the remaining 98 per cent of the funds, in which case the matter would not be pursued; if the hacker did not cooperate, criminal and civil liability would be pursued by legal means and the hacker would be publicly identified. To date, however, the hacker has made no move.

According to data collated by the Arkham platform, this address has records of large transfers with Binance, Kraken, Coinhako and Cobo. Binance, Kraken and Cobo need no introduction, while Coinhako may be a relatively unfamiliar name. Coinhako is a local cryptocurrency trading platform in Singapore, established in 2014; it obtained a Major Payment Institution licence from the Monetary Authority of Singapore in 2022, making it a regulated trading platform in Singapore.

Given the address's use of multiple trading platforms and of Cobo custody services, as well as the ability to contact the relevant parties quickly and track the hacker within 24 hours of the incident, the author speculates that the address is likely to belong to an institution rather than to an individual.

It's a big mistake

The only explanation for the success of the "address poisoning" attack is carelessness. It can be avoided by checking the address before the transfer, but it is clear that the owner in this incident skipped this crucial step.

Address poisoning attacks began in 2022, and the story originates with the "vanity address" generator, a tool that can customize the beginning of an EVM address. For example, the author could generate an address starting with 0xeric to make the address more recognizable.

Hackers later discovered that a design flaw in the tool allowed private keys to be brute-forced, which led to several major thefts. However, the ability to customize the beginning and end of an address also gave some ill-intentioned people a devious idea: generate an address whose beginning and end resemble an address the user regularly transfers to, then send transfers from it to the other addresses the user regularly uses. Some users may, through carelessness, mistake the hacker's address for their own and voluntarily send their on-chain assets into the hacker's pocket.
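The pre-transfer check and the lookalike mechanism described above can both be expressed in a few lines. The following is an added example, not part of the original article: it scans a wallet's transfer history for dust received from a sender that imitates an address the wallet has already paid, and refuses any destination that is not a full 40-digit match with an allowlist. The addresses, the 4-digit prefix/suffix window and the 1 USDT dust threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    sender: str
    recipient: str
    amount: float  # USDT

def normalize(addr: str) -> str:
    """Lower-case a 0x-prefixed 20-byte address; reject anything malformed."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or not set(a[2:]) <= set("0123456789abcdef"):
        raise ValueError(f"not an EVM address: {addr!r}")
    return a

def looks_like(a: str, b: str, head: int = 4, tail: int = 4) -> bool:
    """Different addresses that agree on the first `head` and last `tail` hex digits."""
    a, b = normalize(a), normalize(b)
    return a != b and a[2:2 + head] == b[2:2 + head] and a[-tail:] == b[-tail:]

def find_poison_candidates(wallet, history, dust=1.0):
    """Return (sender, imitated) for dust received from a lookalike of a paid address."""
    wallet, paid, flagged = normalize(wallet), [], []
    for t in history:  # history must be in chronological order
        sender, recipient = normalize(t.sender), normalize(t.recipient)
        if sender == wallet:
            paid.append(recipient)
        elif recipient == wallet and t.amount <= dust:
            imitated = next((p for p in paid if looks_like(sender, p)), None)
            if imitated:
                flagged.append((sender, imitated))
    return flagged

def check_destination(dest, allowlist, poisoned=()):
    """Compare all 40 hex digits against the allowlist before signing."""
    dest, trusted = normalize(dest), {normalize(a) for a in allowlist}
    if dest in trusted:
        return "ok"
    if dest in poisoned or any(looks_like(dest, a) for a in trusted):
        return "block"
    return "review"

# Constructed sample data (not the addresses from the incident).
WALLET = "0x" + "5" * 40
TRUSTED = "0xabcd" + "1" * 30 + "ef0123"
LOOKALIKE = "0xabcd" + "9" * 30 + "ef0123"   # same first/last digits, different middle
HISTORY = [Transfer(WALLET, TRUSTED, 50.0), Transfer(LOOKALIKE, WALLET, 0.005)]
POISONED = {s for s, _ in find_poison_candidates(WALLET, HISTORY)}
print(check_destination(LOOKALIKE, [TRUSTED], POISONED))
```

A destination copied from recent history is only accepted when it equals an allowlisted address in full; a prefix-and-suffix match on its own is treated as a reason to block.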

Earlier on-chain records indicate that the initial 0xcB80 address was already one of the hacker's key poisoning targets before this attack, and that the poisoning attacks against it began nearly a year ago. In essence, this kind of attack is the hacker's bet that one day you will fall for it, whether to save trouble or through a lapse of attention; it is exactly this method, easy as it is to see through, that keeps turning the "Big Tigers" into victims one after another.

In response to the incident, Wang Jun of F2Pool expressed sympathy for the victim and said that last year, to test whether the private key of one of his addresses had leaked, he had sent 500 bitcoins to it, and that 490 bitcoins were stolen by hackers. While Wang's experience is not related to an address poisoning attack, he probably meant to convey that everyone has foolish moments, and that the victim should not be blamed for carelessness; the blame should be directed at the hackers.

The $50 million is not a small amount, but it is not the largest amount stolen in such attacks. In May 2024, an address transferred funds worth over $7 million to a hacker's address as a result of such an attack, but the victim eventually recovered almost all of the funds through on-chain negotiation, with the assistance of the security company Match Systems and the Crystalx trading platform. In this incident, however, the hacker quickly converted the stolen funds to ETH and transferred them to Tornado Cash, and it is not clear whether they can eventually be recovered.

Casa co-founder and chief security officer Jameson Lopp warned in April that address poisoning attacks were spreading rapidly, reaching 48,000 incidents on the Bitcoin network alone since 2023.

These methods of attack, including fake Zoom meeting links on Telegram, are not very clever, but it is precisely such "simple" methods that make people lower their guard. For those of us in the dark forest, a little extra caution can never be wrong.
