The attackers who drained a total of USD 760,000 from 572 Ethereum wallets had direct access to the private keys of all of them. This is the central conclusion of an on-chain analysis published by the researchers known as The Smart Ape regarding the theft of funds from Ethereum addresses that occurred between April 29th and 30th.
According to The Smart Ape, the most obvious sign is that 99% of the extracted funds were native Ether (ETH). According to their report, only one additional token appeared during the entire incident (402 SAI, equivalent to approximately USD 8,900), which rules out the other vectors commonly used in this type of theft.
The standard Drain-as-a-Service toolset works by tricking users into signing authorizations. Once that signature is on-chain, the drainer sweeps USDC, USDT, WETH, etc. using the authorization. You’ll see a long and ugly list of tokens. This one ends with ETH only. These transactions are signed by the wallet owner’s own key. This means they have the private key, not just a forged authorization to transfer funds.
The Smart Ape, on-chain analyst and researcher.
How does the type of affected wallet affect the attack analysis?
As reported by CriptoNoticias, it was initially estimated that this attack focused on wallets that had been inactive for years, some up to 14 years old.
But according to The Smart Ape’s analysis, this is only part of the picture: 54% of the 572 breached wallets had been active in the past 12 months, and another 19 had never submitted a transaction. “This is unusual, as most known attack vectors target specific populations,” the researchers noted.
The following graph, shared by the researchers, shows how long each affected wallet had been inactive at the time of the drain.
In the analyst’s view, “this (attacker) appeared to have keys for each type of wallet at the same time,” so this heterogeneity rules out the possibility that the hacker exploited a specific vulnerability in a specific tool or time period.
Further characteristics of attacks on Ethereum wallets
According to The Smart Ape’s on-chain analysis, there are two other conditions in this attack that allow us to recreate how the attacker operated.
The first is pace. Emptying 572 wallets in 13 hours was fast but not irregular, the researchers said. At its peak, on April 30th at 5:00 UTC, 244 wallets were emptied in 60 minutes. “The rhythm matches a script that iterates over a list,” he pointed out.
This also contradicts phishing funnels. When a user opens an email or direct message, the phishing campaign continues for days.
The Smart Ape, on-chain analyst and researcher.
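The three indicators the analysis leans on (asset mix of the outflows, whether the drained address itself signed each transfer, and the pace of the sweep) can be computed from an exported list of transactions. The following is an added worked example, not code from The Smart Ape or CriptoNoticias; the transaction records, addresses, timestamps and thresholds are constructed for illustration, and the record fields (victim, signer, asset, value_usd, timestamp) are this example's own assumption about what an indexer export would contain.

```python
"""Triage heuristics for a mass wallet-drain incident.

Added worked example; not code from The Smart Ape or CriptoNoticias. The
transaction records below are constructed, and the field names (victim,
signer, asset, value_usd, timestamp) are this example's own assumption
about what an indexer export would provide.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Outflow:
    victim: str          # address the funds left
    signer: str          # EOA that signed and paid gas for the transaction
    asset: str           # "ETH" for native ether, otherwise a token symbol
    value_usd: float
    timestamp: datetime


def asset_mix(flows):
    """Share of total drained value per asset. An ETH-dominated mix is one
    indicator of key possession rather than an approval-based drainer."""
    total = sum(f.value_usd for f in flows)
    by_asset = Counter()
    for f in flows:
        by_asset[f.asset] += f.value_usd
    return {asset: value / total for asset, value in by_asset.items()}


def self_signed_ratio(flows):
    """Fraction of outflows signed by the victim address itself.

    An approval-based drainer calls transferFrom from its own spender
    address; with a stolen key the victim's own address signs the transfer.
    """
    return sum(1 for f in flows if f.signer.lower() == f.victim.lower()) / len(flows)


def peak_wallets_per_window(flows, window=timedelta(hours=1)):
    """Largest number of distinct wallets drained inside any sliding window
    of the given length (the 'pace' indicator)."""
    events = sorted({(f.timestamp, f.victim) for f in flows})
    active = Counter()
    left = 0
    best = 0
    for ts, victim in events:
        active[victim] += 1
        # drop events that have fallen out of the window ending at ts
        while events[left][0] < ts - window:
            old_victim = events[left][1]
            active[old_victim] -= 1
            if active[old_victim] == 0:
                del active[old_victim]
            left += 1
        best = max(best, len(active))
    return best


def triage(flows, eth_share_min=0.9, self_signed_min=0.9):
    """Combine the indicators into a labelled summary. The thresholds are
    illustrative defaults, not values taken from the analysis."""
    mix = asset_mix(flows)
    ratio = self_signed_ratio(flows)
    key_like = mix.get("ETH", 0.0) >= eth_share_min and ratio >= self_signed_min
    return {
        "eth_share": mix.get("ETH", 0.0),
        "self_signed_ratio": ratio,
        "peak_wallets_per_hour": peak_wallets_per_window(flows),
        "pattern": "private-key compromise" if key_like else "approval-based drainer",
    }


def _t(hour, minute):
    # constructed timestamps on an arbitrary day
    return datetime(2025, 1, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: six victims, each signing its own ETH transfer (plus one
# stray token), bunched into a tight burst.
KEY_SWEEP = [
    Outflow("0xaaa1", "0xaaa1", "ETH", 1200.0, _t(5, 0)),
    Outflow("0xaaa2", "0xaaa2", "ETH", 800.0, _t(5, 10)),
    Outflow("0xaaa3", "0xaaa3", "ETH", 5000.0, _t(5, 20)),
    Outflow("0xaaa4", "0xaaa4", "SAI", 100.0, _t(5, 40)),
    Outflow("0xaaa5", "0xaaa5", "ETH", 300.0, _t(6, 30)),
    Outflow("0xaaa6", "0xaaa6", "ETH", 2000.0, _t(8, 0)),
]

# Constructed contrast: one spender address pulling several tokens via
# approvals, the typical Drain-as-a-Service footprint.
APPROVAL_DRAIN = [
    Outflow("0xbbb1", "0xdrainer", "USDC", 900.0, _t(9, 0)),
    Outflow("0xbbb1", "0xdrainer", "USDT", 400.0, _t(9, 1)),
    Outflow("0xbbb2", "0xdrainer", "WETH", 2500.0, _t(11, 30)),
]

if __name__ == "__main__":
    for name, flows in (("key sweep", KEY_SWEEP), ("approval drain", APPROVAL_DRAIN)):
        print(name, triage(flows))
```

On the constructed key-sweep sample the ETH share is about 0.99, every outflow is self-signed and four distinct wallets fall inside one 60-minute window, which matches the signature described above; the approval-drain sample scores zero on both the ETH share and the self-signed ratio. The signer check is the decisive one in practice: a forged approval still leaves the spender's address as the transaction signer, while a stolen key produces transfers that are indistinguishable from the owner's own activity except by timing and destination.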
The second is the behavior after the drain. After the hack, the funds were consolidated and sent to the ThorChain protocol in a single transaction. From there, they were bridged to Bitcoin and Monero, as reported by CriptoNoticias. The Smart Ape details that before that transfer the attackers sent two small test transactions, of 0.02 ETH and 2 ETH, to verify the exit path, and waited three hours after the drain was complete before moving the funds.
What is the cause of the theft?
According to The Smart Ape, the most likely hypothesis is the LastPass breach of August 2022, in which attackers obtained encrypted password vaults. Many users had used those vaults to store recovery phrases and private keys.
“The timeline is right: GPU brute-force decryption of the weakest vaults will reach maturity by 2026,” the analysts wrote. According to The Smart Ape, Chainalysis and other researchers had already linked previous unexplained thefts to the same breach.
According to the researchers, other possible vectors include compromised versions of wallet libraries or trading bots, into which the user pastes the private key directly. This would explain why some victims had wallets that were active within the past year: a compromise of the backend of any of these services would yield active wallets of exactly the type that make up half of the victim list.
Snipe bots, copy trading bots, MEV bots – many of them require the user to paste the private key directly into the app.
The Smart Ape, on-chain analyst and researcher.
Smart Ape’s conclusion is that the attacker likely consolidated multiple sources of compromised keys into a single list, applied a profitability filter (only wallets with balances above a threshold), and performed the drain in a single coordinated sweep.
“This explains why the distribution of inactivity is so confusing: old ICO wallets and recent MetaMask installations are next to each other. The only thing they have in common is that the keys appeared somewhere accessible to this attacker,” elaborates the analyst.
Therefore, while the attack vector remains unidentified, The Smart Ape has specific recommendations for users who have stored private keys or recovery phrases in LastPass, Bitwarden, or password managers that have been compromised in recent years: