Author | Hu Feitong

On the evening of May 3rd, Beijing time, a whale accidentally transferred 1,155 BTC to a phishing wallet address through a careless operation. At the price at that time, the value was about 71 million US dollars. Such a large sum evaporated almost instantly, which taught the industry a big lesson.
 
What happened
 
Let’s first look at how things developed (May 3, Beijing time below):
 
At 17:14:47, the wallet address 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5 (whale) transferred 0.5 ETH to the address 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91, creating that address;

At 17:17:59, the wallet address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 (hacker) transferred 0 ETH to the wallet address 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5;

At 18:31:35, 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5 (whale) transferred 1155.28802767 WBTC to the address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 by calling the WBTC contract;

On May 4th at 10:51:11, the address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 (hacker) transferred all the WBTC to a new address: 0xfB5bcA56A3824E58A2c77217fb667AE67000b7A6.
 
You may not understand what is going on here, so let me explain it from a hacker's perspective:
 
The hacker had been continuously monitoring the whale's activity on the chain; at dusk on May 3, he discovered that the whale had created a new address and took immediate action;
 
By brute-force random generation of private keys and addresses, the hacker obtained an address similar to the whale's newly created address (compare the two 0xd9A1... addresses in the first two timeline entries above: the leading characters 0xd9A1 and the trailing characters 853a91 are exactly the same, while everything in between differs). The hacker then transferred 0 ETH to the whale from the generated address, in order to create an entry in the whale's transaction history that contains the phishing address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91;
 
After the whale confirmed that its new address had received the 0.5 ETH, it began to transfer WBTC to the new address. At this point, a fatal mistake occurred. The whale found an address in the transfer history whose beginning and end matched its target address, copied and pasted it, and so entered the phishing address by mistake;
 
The hacker monitored his phishing address and was surprised to find a "huge harvest" - 1155 BTC. He probably went out to celebrate, drank beer, took a nap, and then transferred the WBTC to another new address.
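A defensive check for the lookalike-address trick described above, as an added example that is not part of the original article: it scans a wallet's history for incoming senders whose address shares its leading and trailing hex characters with an address the wallet has paid, and it accepts a pasted address only on a full match against a saved address book. The history is constructed from the addresses quoted above; the function names and the 4-character thresholds are assumptions.

```python
WHALE = "0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5"
NEW_ADDR = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
# Constructed history using the addresses and transfers quoted in the article.
HISTORY = [
    {"from": WHALE, "to": NEW_ADDR, "value": 0.5},
    {"from": "0xd9A1C3788D81257612E2581A6ea0aDa244853a91", "to": WHALE, "value": 0.0},
]

def norm(addr):
    """Lower-case and drop the 0x prefix so comparison ignores checksum casing."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def shared_ends(a, b):
    """Count hex characters two addresses share at the start and at the end."""
    a, b = norm(a), norm(b)
    n = min(len(a), len(b))
    p = 0
    while p < n and a[p] == b[p]:
        p += 1
    s = 0
    while s < n - p and a[-1 - s] == b[-1 - s]:
        s += 1
    return p, s

def find_lookalikes(history, wallet, min_prefix=4, min_suffix=4):
    """Flag senders whose address mimics one the wallet has paid before."""
    w = norm(wallet)
    paid = {norm(t["to"]) for t in history if norm(t["from"]) == w}
    hits = []
    for t in history:
        sender = norm(t["from"])
        if norm(t["to"]) != w or sender in paid:
            continue  # only incoming transfers from addresses never paid
        for real in paid:
            p, s = shared_ends(sender, real)
            if p >= min_prefix and s >= min_suffix:
                hits.append({"suspect": t["from"], "imitates": "0x" + real,
                             "matched_bits": 4 * (p + s), "zero_value": t["value"] == 0})
    return hits

def is_saved_address(candidate, address_book):
    """Accept a pasted address only on a full 40-character match with a saved entry."""
    return norm(candidate) in {norm(a) for a in address_book.values()}

if __name__ == "__main__":
    for hit in find_lookalikes(HISTORY, WHALE):
        print(hit)
```

On the article's addresses the detector reports 40 matched bits (4 leading and 6 trailing hex characters), the same five bytes the article counts.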
 
Implications
 
Have you noticed a problem? Take a look at the timeline. After the whale created the new address, the hacker prepared the phishing address and completed the transfer to the whale in about 3 minutes. This shows several points:
 
a. The hacker is well prepared and knows the whole process by heart. The script is already prepared and the whole process is automated;
 
b. The hacker has a lot of computing power. The generated address matches 5 specific bytes exactly (the leading two bytes and the last three bytes), which takes about 2^40 attempts. GPUs are definitely needed, and a lot of them;
 
c. Therefore, this is probably not an individual behavior, but an organized behavior.
 
Blockchain brings decentralization, eliminates middlemen, and allows individuals to control their own wealth and data. However, this also requires individuals to control security. The requirements for personal security awareness and security knowledge are very high.
 
This whale has a strong sense of security, which is reflected in: 1) He changes his address every once in a while; 2) He tests and confirms before transferring large amounts. However, there is always a loophole, and a single copy and paste ruined everything.
 
Some safety tips for money transfers
 
This lesson of more than 70 million US dollars should alert every digital asset holder that hackers and phishing are everywhere, and that you are the first and only person responsible for your property. Some basic security knowledge must be mastered. Here are some wallet security practices for larger assets, for your reference:
 
Private keys and mnemonics must be generated offline and stored offline.
 
—Most wallets now have offline signing capabilities;
 
—You can also use a hardware wallet, but when using a hardware wallet, you must also back up your private key.

Once you suspect that your private key or mnemonic may be exposed, replace it as soon as possible and transfer your assets.
 
The transfer address should be saved in the address book with a note. Do not copy an address on the spot at transfer time.

To transfer money, select an address from the address book and make sure to do a test transfer. Confirm with the recipient before transferring.

Large transfers can be split into multiple smaller transfers.
 
Do not directly click on a transfer link sent by the other party to transfer money or conduct online transactions.

—Phishing often forges similar links or similar addresses.

It is recommended to manage larger amounts of funds through multi-signature.
 
—This is suitable for fund management of a company or organization
 
—Personal assets can also be handled in this way. For example, you can have multiple private keys and give signing rights to strangers to prevent your personal private keys from being lost and causing your assets to be irrecoverable.
 
The website addresses of CEX and DEX must be obtained through formal channels, the deposit addresses must be confirmed repeatedly, and test transfers are also necessary steps.