- Hackers have stolen $60 million from crypto wallets using a practice commonly used by genuine blockchain projects
- The practice enables them to block users’ wallets from requesting an approval when funds are being drained
- The new method adds to a list of new methods hackers are using to infiltrate crypto storage and trading platforms
Blockchain researcher ScamSniffer has unearthed a new method that has allowed hackers to anonymously siphon $60 million from crypto wallets in the last six months. According to the researcher, malicious actors are misusing a genuine code provision to block wallets from notifying their users when they’re sending funds to a new address. The discovery comes a month after cybersecurity experts unearthed Lazarus’ new hacking method, an indication that malicious actors are looking for new ways to fleece their victims.
Genuine Code Snippet with Malicious Applications
In an X (formerly Twitter) thread, ScamSniffer disclosed that hackers are “misusing Create2 to bypass security alerts in some wallets,” adding that the technique is part of malicious actors’ ways of initiating address poisoning.
1/ Wallet Drainers are misusing Create2 to bypass security alerts in some wallets by generating new addresses for each malicious signature.
After a discussion with @SlowMist_Team, a group has employed the same technique in Address Poisoning to steal $3M since Aug. pic.twitter.com/yCdJs6Zke7
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) November 12, 2023
According to the on-chain sleuth, Create2 is a genuine code snippet used by genuine blockchain and crypto projects like Uniswap but hackers are using it with ill intentions.
The code snippet is used in the blockchain world to “predict the address of a contract before it’s deployed on the Ethereum network.” However, hackers are using the provision to “bypass wallet security checks.”
3/ With create2, the Drainer can easily generate temporary new addresses for each malicious signature.
After the victim signs the signature, the Drainer creates a contract at that address and transfers the user’s assets.
The motivation is to bypass wallet security checks. pic.twitter.com/0tSD5rnZti
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) November 12, 2023
Hacking Group Using Employment Scam
The researcher disclosed that malicious actors use the feature to create temporary addresses for a malicious signature which allows them to silently siphon funds once a user signs the signature.
The revelations come a week after investigators learnt that North Korean hacking group Lazarus has embraced new tactics such as the employment scam used to infiltrate crypto platforms like Ronin Network that lost $540 million.
Despite blockchain sleuths discovering different hacking routes, malicious actors are likely to add more weapons to their arsenal.
