Hundreds of long-idle wallets on the Ethereum blockchain have been emptied in recent days. Wallets that had not been active for the last 4-8 years were compromised by an unknown method, causing a total loss of approximately 800 thousand dollars. Experts performing on-chain analysis stated that the attackers tried to hide their traces by moving the stolen assets through ThorChain.
Long-inactive wallets became targets for the first time
Most of the hijacked wallets had not been used for years, and the last activity in some addresses was 14 years ago. Experienced cryptocurrency users were among those affected by the attack. According to experts, these wallets have not interacted with any smart contracts or protocols recently. @WazzCrypto, who posted about the attack, stated that they had received hundreds of similar victim reports on social media.
Hundreds of wallets that had not transacted for years were emptied by the same address, creating extraordinary activity on the chain.
This raised questions about how the wallets' private keys were obtained. To prevent damage, users are advised to move their funds to a new, secure wallet.
Detected losses and transfer methods
In total, more than 500 wallets were targeted, according to on-chain data. The attacker converted some of the ETH withdrawn from the wallets into privacy-oriented XMR. The wallets also held crypto assets other than ETH, and it is thought that some transactions were made manually. According to the researchers, not all affected accounts were completely emptied, and some balances remained.
After the initial asset transfers, the attackers tried to hide their tracks by mixing cryptocurrencies across various platforms. The same move has been observed in similar incidents where DeFi protocols were hacked. Approximately 324,741 ETH from the Ethereum blockchain were moved to the Bitcoin network as wrapped assets using ThorChain. It was also determined that 32 thousand dollars of ETH and digital assets equivalent to 9.56 BTC in total were held in another wallet.
Possible causes of the attack and vulnerabilities
Experts could not reach a definitive conclusion as to the cause of the attack. Possibilities include the use of private key lists leaked to the internet years ago, or corrupted Electrum wallets. It is thought that some of the old addresses may appear in lists of previously compromised keys.
Similar wallet drain attacks have occurred in the past following the LastPass data leak and security vulnerabilities in similar platforms. Additionally, a recent hack on Bitwarden and supply chain attacks via npm (Node Package Manager) showed that hot wallets could be targets.
According to some estimates, trading bot applications that direct users to enter their private keys into the system may also open the door to such attacks. The fact that no recent on-chain movement was observed for most of the wallet owners who were attacked made researchers even more cautious about the source of the attack.
These events have reopened discussions about security in the decentralized finance (DeFi) world and on the main blockchains. The risks of users keeping large amounts of money in wallets that go unused for long periods have come to the fore once again.


