- Whale’s multisig wallet compromised minutes after creation; losses estimated at $27.3M by PeckShield and at more than $40M by Hacken forensics.
- Breach exposes poor key management: the “multisig” was configured 1-of-1, so a single compromised key was enough to drain it and transfer ownership.
- Attacker controls a leveraged Aave position and is laundering funds in batches through Tornado Cash; roughly $25M remains under the attacker’s control.
A significant crypto breach has surfaced, involving a whale’s multisig wallet that was reportedly compromised only minutes after it was created. According to blockchain security firm PeckShield, the wallet was drained of about $27.3 million following a private key compromise. Over time, the attacker laundered a substantial portion of the stolen funds, around $12.6 million, through Tornado Cash, while holding onto about $2 million in liquid assets. The attacker is also believed to have taken control of a sizeable leveraged long position on Aave.
However, new findings from Yehor Rudytsia, head of forensics at Hacken Extractor, point to a larger loss, likely exceeding $40 million. The forensic analysis suggests the theft began earlier than initially believed, with signs of compromise dating back to November 4. According to Rudytsia, although the wallet was created by the victim’s account, ownership was transferred to the attacker within just six minutes, suggesting the attacker had access to the victim’s key from the outset.
Rudytsia also highlighted a concerning fact about the wallet’s structure. The multisig was configured as a “1-of-1” system: a single owner and a signing threshold of one. In a traditional multisig arrangement, several independent keys must sign before a transaction executes, so one compromised key is not enough to move funds. A 1-of-1 configuration has the same trust model as an ordinary single-key account: whoever holds that one key can approve any transaction, including swapping the owner set, which is exactly how the attacker was able to take over the wallet and lock the victim out.
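To make the difference concrete, here is an added illustration (not code from the page, from any real wallet contract, or from the investigators) modelling an owners/threshold wallet. Signers are identified by name rather than by verified signatures, which is an assumption made to keep the model short; the `Multisig`, `compromise_scenario` names and the sample owner labels are hypothetical. It shows that with one compromised key a 1-of-1 wallet can be drained and its owner replaced, while a 2-of-3 wallet rejects both operations.

```python
"""
Toy owners/threshold ("m-of-n") wallet model. Added illustration only; the
class, method names and sample owner labels are assumptions, not the API of
Safe or any other multisig implementation.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Multisig:
    owners: Set[str]   # addresses allowed to sign
    threshold: int     # distinct owner signatures required per transaction

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= len(self.owners):
            raise ValueError("threshold must be between 1 and the number of owners")

    def approve(self, tx_id: str, signers: List[str]) -> bool:
        """True when at least `threshold` distinct owners signed tx_id.

        Duplicate signers and non-owners are discarded, so a single key
        cannot be "stacked" to meet a higher threshold.
        """
        valid = {s for s in signers if s in self.owners}
        return len(valid) >= self.threshold

    def swap_owner(self, old: str, new: str, signers: List[str]) -> bool:
        """Owner changes go through the same threshold check as any other tx.

        In a 1-of-1 wallet the lone key therefore authorises its own
        replacement; in a 2-of-3 wallet a second, uncompromised key must agree.
        """
        if old not in self.owners or new in self.owners:
            return False
        if not self.approve(f"swapOwner:{old}->{new}", signers):
            return False
        self.owners.remove(old)
        self.owners.add(new)
        return True


def compromise_scenario(owners: List[str], threshold: int, compromised: str) -> dict:
    """Attacker holds only the key of `compromised`. What can they do?"""
    wallet = Multisig(set(owners), threshold)
    drained = wallet.approve("transfer:all-funds", [compromised])
    took_over = wallet.swap_owner(compromised, "attacker", [compromised])
    return {
        "drained": drained,
        "owner_swapped": took_over,
        "owners": sorted(wallet.owners),
    }


if __name__ == "__main__":
    # Constructed sample configurations, not the victim's actual wallet.
    print("1-of-1:", compromise_scenario(["victim"], 1, "victim"))
    print("2-of-3:", compromise_scenario(["victim", "hw1", "hw2"], 2, "victim"))
```

With threshold 1 and a single owner, the model reports both the drain and the owner swap as approved, leaving `attacker` as the sole owner; with threshold 2 across three keys, the same single compromised key achieves neither. The defence described later in the article (separate, isolated signing devices) only helps when the threshold is set so that one of them alone is insufficient.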
Attacker’s Strategic Approach and Continued Laundering Efforts
Once in control, the attacker showed considerable patience, laundering funds in batches over several weeks. The first notable movement occurred on November 4, a deposit of 1,000 ETH, followed by a series of smaller, staggered transactions through December. This methodical approach complicates tracing and attribution, since no single large transfer stands out. As of now, roughly $25 million worth of assets remain under the attacker’s control in the multisig wallet.
The incident has raised serious concerns about the security practices surrounding wallet creation and key management. Several potential attack vectors remain under investigation, including malware, phishing, and poor operational security such as storing keys in plaintext or signing transactions on a compromised device.
Experts are urging users to keep signing keys on isolated (cold) devices and to verify transaction details independently of the wallet’s user interface, for example by checking the destination address and any owner or threshold changes before signing, since a compromised interface can present a different transaction from the one actually being signed. A multisig only adds protection when its threshold is greater than one and the keys live on separate devices.