On the evening of May 3rd, Beijing time, a whale accidentally transferred 1,155 BTC to a phishing wallet address through an operational error. At the price at the time, this was worth about 71 million US dollars. Such a huge amount of wealth was wiped out almost in an instant, which sounded a loud alarm for the entire industry.
Let's take a look at the details of what happened (May 3, all times are Beijing time):
At 17:14:47, the wallet address 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5 (whale) transferred 0.5 ETH to the address 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91, which created that address;
At 17:17:59, the wallet address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 (hacker) transferred 0 ETH to the wallet address 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5;
At 18:31:35, 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5 (Whale) transferred 1155.28802767 WBTC to the address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 by calling the WBTC contract.
At 10:51:11 on May 4, the address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 (hacker) transferred all WBTC to a new address: 0xfB5bcA56A3824E58A2c77217fb667AE67000b7A6.
The transfer process here may be a bit confusing, so let’s interpret it from the hacker’s perspective:
The hacker was continuously monitoring the whale's every move on the chain. On the evening of May 3, the hacker discovered that the whale had created a new address, so he took immediate action. He randomly generated private keys by brute force until one produced an address highly similar to the whale's newly created address (compare the two addresses in the first two entries above: they are identical at the beginning and the end and differ only in the middle). Then the hacker transferred 0 ETH to the whale from the generated address, with the aim of placing a transaction containing the phishing address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 in the whale's wallet history.
After the whale confirmed that the 0.5 ETH had arrived, it began to transfer WBTC to the new address. However, a fatal mistake occurred at this point. The whale found an address in the transfer history that looked like its target address, copied and pasted it, and ended up entering the phishing address by mistake.
The hacker detected that his phishing address had a "huge harvest" - 1,155 BTC. He must have been ecstatic, celebrated, took a nap, and then transferred WBTC to another new address.
This brings us some important insights: Have you noticed that it only took about 3 minutes from the time the whale generated a new address to the time the hacker prepared the phishing address and completed the transfer? This shows the following points:
a. The hacker had a premeditated plan and was fully aware of the entire process. The script was already prepared and the entire process was automated;
b. The hacker has strong computing power. Generating an address in which 5 bytes are exactly the same requires a huge amount of computation, which certainly means GPUs, and a large number of them;
c. Therefore, this is most likely not an individual act, but an organized action.
Blockchain brings decentralization, eliminates the middleman, and enables people to independently control their own wealth and data. But at the same time, it also places extremely high demands on personal security awareness and security knowledge.
This whale had a strong sense of security and good habits, such as changing addresses regularly and making a test transfer before large transfers. But a single copy-and-paste mistake ruined everything.
This painful lesson of more than 70 million US dollars should remind every digital asset holder that hackers and phishing traps are everywhere, and that we ourselves are the first and only party responsible for our property. The following common-sense safety practices for large transfers are offered for your reference:
· Private keys and mnemonics must be generated offline and stored properly. Most wallets now have offline signing functions. You can also use hardware wallets, but you must back up your private keys when using them.
· Once you suspect that your private key or mnemonic may be exposed, change the address and transfer assets as soon as possible.
· The transfer address should be saved in the address book with a note. Do not copy the address ad hoc at transfer time.
· When transferring money, select the address from the address book and make sure to perform a test transfer. Confirm with the recipient before making the official transfer.
· Large transfers can be made in multiple installments.
· Do not directly click on a transfer link sent by the other party to transfer money or conduct online transactions. Phishers often forge similar links or addresses.
· For larger amounts of funds, it is recommended to use a multi-signature approach. This is suitable for managing the funds of a company or organization, and personal assets can also be handled this way. For example, you can personally control multiple private keys and grant signing rights to friends who do not know each other, to guard against losing your personal private keys and being unable to recover assets.
· The website addresses of CEX and DEX must be obtained through official channels, deposit addresses must be confirmed repeatedly, and test transfers are also an essential step.
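
The address-book advice above can be enforced mechanically. The following Python sketch is an added example, not part of the original article: it compares a destination against saved addresses and flags one that matches only at its beginning and end, and it flags zero-value inbound transfers from such look-alike senders. The addresses are those quoted in the article; the function names, the history layout and the 4-character threshold are assumptions.

```python
# Added example. Addresses are the ones quoted in the article; labels,
# history layout and the 4-character threshold are assumptions.
WHALE = "0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5"
INTENDED = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
PHISHING = "0xd9A1C3788D81257612E2581A6ea0aDa244853a91"

def normalize(addr):
    """Lower-case a 20-byte hex address and strip the 0x prefix."""
    body = addr.lower()
    if body.startswith("0x"):
        body = body[2:]
    if len(body) != 40 or any(c not in "0123456789abcdef" for c in body):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return body

def shared_affixes(a, b):
    """Count matching hex characters at the start and at the end."""
    a, b = normalize(a), normalize(b)
    prefix = 0
    while prefix < 40 and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < 40 - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def check_destination(dest, address_book, min_affix=4):
    """Return ('known' | 'lookalike' | 'unknown', matching label or None)."""
    target = normalize(dest)
    for label, saved in address_book.items():
        if normalize(saved) == target:
            return "known", label          # full 40-character match only
    for label, saved in address_book.items():
        prefix, suffix = shared_affixes(dest, saved)
        if prefix >= min_affix and suffix >= min_affix:
            return "lookalike", label      # same ends, different middle
    return "unknown", None

def poisoned_senders(history, address_book):
    """Senders of zero-value transfers that imitate a saved address."""
    return [tx["from"] for tx in history
            if tx["value"] == 0
            and check_destination(tx["from"], address_book)[0] == "lookalike"]

ADDRESS_BOOK = {"new wallet": INTENDED}          # constructed address book
HISTORY = [                                      # constructed from the timeline
    {"from": WHALE, "to": INTENDED, "value": 0.5},
    {"from": PHISHING, "to": WHALE, "value": 0},
]

if __name__ == "__main__":
    print(shared_affixes(INTENDED, PHISHING))
    print(check_destination(PHISHING, ADDRESS_BOOK))
    print(poisoned_senders(HISTORY, ADDRESS_BOOK))
```

The two addresses share 4 leading and 6 trailing hex characters, which is the 5 matching bytes mentioned above, so a comparison of only the visible ends passes while the full-address comparison fails.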