Hacker stole almost a million dollars in Ethereum using Tornado Cash cryptocurrency mixer
Blockchain security company PeckShield has issued a warning about a hacker who stole 732 ETH on September 25, which is equivalent to about $950,000. The funds were stolen from an address created using the Profanity Ethereum wallet generator. The hacker withdrew the stolen cryptocurrency using the Tornado Cash cryptocurrency mixer.
#PeckShieldAlert Seems like $950k worth of crypto has been stolen by 0x9731F from Ethereum "vanity address" generated with a tool called Profanity. The exploiter has already transferred ~732 $ETH into Mixer — PeckShieldAlert (@PeckShieldAlert) September 26, 2022
The Profanity vulnerability was discovered on GitHub back in January, but it has only now become widely known thanks to the 1inch Network team. As explained by the developers, the tool allowed generating easily readable Ethereum addresses (or vanity addresses) containing words, names, or phrases. 1inch Network experts warned that the private keys to such addresses could be recovered by brute force, that is, a systematic search of all possible combinations of characters. This incident was the third theft of funds from vanity addresses in a month.
Back in early September, the 1inch Network decentralized exchange (DEX) warned members of the cryptocurrency community that their addresses were unsafe, especially if they were created using Profanity. Following the DEX's warnings, blockchain researcher ZachXBT announced that the exploitation of vulnerabilities in the Profanity cryptocurrency wallet generator had already allowed hackers to obtain digital assets worth more than $3.3 million.
It should be noted that Ukrainian hackers also use this type of exploit, although Western programmers call it outdated and even archaic. For example, recently in Lviv, the prosecutor's office submitted an indictment to the court against a resident of Kherson region who used brute force to gain access to a number of Internet user profiles and sold them on the darknet for cryptocurrency.