Victims Urged to Come Forward: Uncovering a Sophisticated Multi-vector Crypto-Asset Theft Scheme

APRIL 25th, 2023 - OFFICIAL PUBLIC RELEASE

Preface / Overview

  • A Twitter thread posted by @tayvano_ on April 18th, 2023, detailed a novel and sophisticated hacking operation that has been draining crypto-assets from wallets across multiple networks. The attackers’ identity, the full set of affected addresses, and the attack vector(s) are still unknown.

  • Since then, and for months before, members of the global crypto-asset community have worked tirelessly to contact identified victims and determine the root cause.

  • Many of the volunteers have opted to remain anonymous, but have experience in the blockchain development, forensics, and security fields from working at Bidali, Blockmage, ChainSafe, CipherBlade, ConsenSys, Convex Labs, Everlasting, Gray Wolf Analytics, Paradigm, Status and more.

  • In light of the sensitive and widespread nature of this incident, Blockmage has offered to serve as the legal umbrella for this decentralized network of global volunteers. They will utilize their resources to be the primary point for information collection and dissemination.


A brief recap of the ongoing investigation

The details of the ongoing investigation are outlined in the original Twitter thread by @tayvano_ but here is a brief recap:

  • Identification of over 100 compromised addresses, with more being discovered.

  • Uncertainty about how the wallets were compromised or who the threat actors are.

  • Unknown whether a single group is responsible or if multiple groups are using different attack vectors.

  • Two victims have had forensic scans performed on their devices, revealing no clues. Others have run malware scans with results that do not point towards a common threat.

  • Most victims are very experienced in crypto and cybersecurity best practices with above-average security hygiene.

  • The compromise appears to be of seed (recovery) phrases and/or private keys rather than of any single application: assets were stolen across multiple networks, including non-EVM chains, which a single dApp, contract or browser-extension exploit would not explain.

  • No major exchanges, custodians or smart contracts appear to have been affected. All stolen assets identified so far were self-custodied.

  • Compromised addresses range in age and activity. Wallet age ranges from as far back as 2014 to as recent as late 2022. Some wallets were very recently very active, some have been dormant for years with little transaction history.

  • On-chain theft activity matching the patterns began as early as August 2022, but we are still investigating & tracing these transactions, so it could go back further.

  • For smaller amounts of stolen crypto-assets, attackers have been routing funds through other victims’ compromised addresses in an attempt to obfuscate the flow of funds.

  • Stolen assets are swapped on-chain, commonly using FixedFloat, SimpleSwap, SideShift, ChangeNOW, and LetsExchange. We’ve already been in contact with some of these service providers.

  • The final destination appears to always be Bitcoin, which is then passed through Wasabi Wallet and other CoinJoin mixers to try to obfuscate the flow of funds.


Other information, not contained in the original Twitter thread

  • On March 1st, 2023 LastPass officially acknowledged the severity of two security incidents that occurred between August and November 2022 and resulted in a significant theft of source code and customer data. This is a leading hypothesis, but the overlap with victims could be coincidental given how widely LastPass was used.

  • There have been numerous security updates to fix zero-day exploits in all major browsers, and mobile and desktop operating systems since August 2022, and there has been a notable increase in frequency of security updates since then. This information is contributing toward a potential hypothesis.

  • On March 6th, 2023 Kudelski Security published an article describing a technique, exploiting nonces that follow a recurrence relation, with which they recovered multiple private signing keys from ECDSA signatures on the Bitcoin network, the Ethereum network and TLS. We don’t have enough evidence to support this theory and consider it very low probability. They themselves state: “We couldn’t find any real-world case of recurrence nonces in the Ethereum dataset.”

  • On April 23rd, 2023 the Trust Wallet team published a post-mortem about a browser extension WASM vulnerability that affected victims over a similar time period. We don’t have any evidence to suggest these incidents are related at this time. They independently confirmed the same.


We need your help!

We need more information from victims in order to narrow down the root cause!

If one or more of the following scenarios applies to you, please fill out the secure victim intake form found at: https://intake.blockmage.org

  1. You have been a victim of the recent LastPass security incident; and

  2. You have had crypto-assets stolen from your own wallet unexpectedly within the last year, seemingly through no fault of your own; and/or

  3. Your address is one of the identified ones in this tweet or this tweet (search Twitter for your addresses; the addresses from those tweets are also listed at the end of this release).

You can complete the form pseudo-anonymously, and all fields in the form are optional. The form is quite comprehensive, so please read the full disclaimer in its entirety. We are treating all submitted information with the utmost confidentiality.

As updates become available they will be posted to:

No other channel will be used for official broad communication.

For victims, if necessary, we will contact you directly. Messages will be signed with the following PGP key fingerprint: 53783AD54B35D8188E76889A6701DFE88BE8B569

Found here in full:

You can verify this on Twitter through this tweet.

If you have any intel or information you feel may be helpful in investigating this particular attack, you may also email us securely at this email address:

contact@blockmage.co

Beware of scams or misinformation! We will never ask for your seed phrase, private key, or ask you to send assets to us or a particular address to prove you own a wallet!


How you can reduce your risk of exposure

Do not panic! If your assets are held with a reputable crypto-asset exchange, with a qualified and supervised crypto-asset custodian, or in self-custody using a prominent mobile or hardware wallet, you are less likely to be at risk. We still strongly recommend that you follow the steps below.

As of this time we do not know the root cause of the crypto-asset losses, so we cannot say for certain that you have zero risk unless your assets are in cold storage on an offline-only wallet. If you are feeling uncomfortable, you can very carefully move your crypto-assets by following the steps below.

  • Generate a new seed (recovery) phrase, private signing key and public key (address), on a device you do not suspect of being compromised (a new seed generated or typed on a compromised machine is exposed just like the old one), using one of the following options:

    • a reputable hardware wallet such as a Ledger or Trezor;

    • a reputable mobile wallet that uses a strong random number generator; or, for more advanced users:

      • a clean, minimal, air-gapped computer; or

      • a multi-signature setup such as a Gnosis Safe, or a smart-contract wallet with social recovery such as Argent

  • Very carefully transfer your assets from the old wallet to the address of your new wallet

    • Double-check the destination address in its entirety (not just the first and last few characters) before every send. Ethereum addresses carry an optional EIP-55 mixed-case checksum and Bitcoin addresses carry a built-in checksum; if your wallet reports a checksum error, the address is mistyped or has been tampered with, so stop rather than override the warning.

    • Perform a test transaction for each asset where possible, by sending a small initial amount and confirming it arrived in your new wallet before sending the rest.

  • Keep your new seed phrase and private key in a secure location. If you store them on a digital device, encrypt them with a strong password (20+ characters). Better still, and recommended, store them offline entirely.

  • If you use a password manager to secure your seed phrase or private key, change your master password. Note that a new master password does not protect secrets in a copy of your vault that has already been exfiltrated; treat anything that was stored there as exposed.

  • If you were a LastPass user at any time prior to April 1st, 2023, and have not already done so, change ALL your passwords and move your crypto-assets to a new wallet with a new seed phrase and private key IMMEDIATELY. Be vigilant for identity theft attempts, and notify important service providers, financial institutions and credit rating agencies of the situation.

  • Run a virus and malware scan on all your devices. Malwarebytes is a good tool for this task, but whatever you choose, please be certain you verify its legitimacy.

  • Ensure you download and install any official security updates and patches for all your devices and web browsers ASAP. (Note: You should ALWAYS do this!!)

  • Be vigilant with any suspicious messages or emails. Do not click on any unexpected links, documents or attachments!

All of this is merely good security hygiene, so these steps should not be cause for alarm, nor should they be read as an indicator of a particular attack vector at this time. If anything, should you find the above recommendations surprising, it may be worth reviewing your own security practices. It is unfortunately common for users, even those more advanced than most, to overlook them.


About Blockmage

Blockmage is a stealth startup that has been building novel tools for blockchain forensics and analytics. Our team has extensive experience in this area and already has the appropriate contacts and jurisdictional basis to assist with asset recovery and criminal prosecution, should that be the appropriate course of action.

If you are not already aware of us, rest assured that we intend to be much more visible, especially regarding the matters above.

Twitter: @BlockMageSec
Telegram Channel: @blockmagelabs
Telegram Direct: @blockmagesec
Discord: discord.gg/blockmage (inactive, but will be active soon!)
Website (live): blockmage.dev

Other domains we own & may occasionally use are as follows:

blockmage.co (namely, used for email)
blockmage.org (soon-to-be primary website)
blockmagelabs.org
blockmagelabs.com
blockmage.tech


Current list of addresses, as per Twitter posts

0x1272c3bf86a6c8aff06b71bf859f7a97662c6401
0x12c86444f546e5dd1f8cacc5a55930bae9ff524b
0x1b811fab3618e727d5d38d7e6338262ca372a3ca
0x301623155a7a44cf5d49d349d6fc7a6c8a74b9ad
0x35cf58241b364480b3aff0d85dfb3c5802473907
0x37fabdb1d081f0a69ffd2a9525d71cf220041dd4
0x386c0f995006f564db2428c3ef49798f2d04ea99
0x3ea4c596d38d787c6dfe7bb4ae48715fed987878
0x4a090f2ce63e3a80dba4e3fb6d2e9b443137b6a8
0x4c1e02f1d51673d709ff027be4e541411e6383d0
0x5895a6aa60333460320598a78ab1fc19b9911901
0x5cf86178c83981e59dea066e60c09ae9b93e79cd
0x7bd3fa9d10041aadcd916df3b0ba3b0af7870b37
0x7c314598c5021b65132adb239a9ec1b2ba892b1f
0x7c554f4642b9b750fc2357f466dfa1e75b7d6933
0x91e578c5a8031f30010b1611652852c2996b444b
0x942e4a1e66f3f3eab86865f8d7ab328f423728bd
0x94692b042a0e36671952ff0b71e43d6e0d06845a
0x9c3c347582fb2bc835f3e1ee368f077c06a4df61
0x9c6edf8455390aa81e03c9f18dc420bd3d1a24a7
0xa31188576e1037dc8484cfcaf8e1af9fefea9b07
0xaf5bb35c17df89c44ccfa7f7dfdab44182922453
0xb1d8b4aead0b6f1dcbc9533d4513b1c5df58c92a
0xbb25939d30298a2987c2c57f1565a75cd9eb95d4
0xc2d813c7d7c48580416e09990a51eaca689217be
0xc98253ce74b32d220402358c199975fd2652a16f
0xd4ecb05559d1cba877d0e9da8da3069836e6e1f4
0xda657184d7fc836df07bc145a0cdd94cd69fa2f2
0xde14b36aa562e5d870dd546d7923178f4b15bfae
0xe1790fefc214370a345d1b32b704612738406d74
0xe6a83b31ea7ed2fdca06a306f0585ce506a29778
0xeb17edb78d48ff2f3b1ef5a329983a43d917bddc
0xf76d555208fb7de91456a205e71f50b372156964
0xfa4bd205e4be0cefa0c02f1dd79a14f4e6f0fc83
0xfc3e2e11fc30d94a079277a5bb4402b95c8f62aa
0x011c9714aca6919cccdf113f1f64b93f27509933
0x03344de035f5923f87c54743e3915262064eee17
0x03d8e300a9071bd7568802c381bf419e56414867
0x063caab0cadda9f3a4f13c5ec8a31fec66a7f92f
0x08ecfabe862efad149be7427417f47cc229c7c16
0x08fa6cb120bb6bca990bda6788bc5ccc355172b8
0x09b7a869daeb0337d95e1482f6f4cf3a309eeba2
0x0a21186eb8b1cb2ef0e706009eb2daa542c498bc
0x0e0864e0fead51eed69973902956b1b8d50f46a1
0x0f26f792fb89daf87a10a40f57ed1a0093b74ad7
0x1523f9af095ca5e3add623dd25f98d91db5bdd67
0x16d8c4b8ecf5a6a3b3aa74ca9ebbeb33004337e6
0x19c81f8c59ce0071ea3b5f9994ac19ce42f29728
0x1be1824b3b2e1c5dbe6ec1157d43ea6560f1b23c
0x1e5d74b4aea61c5dcd766db9bc9d96894f4a749a
0x1fe50f5a72b2b8b4de83b403e8acb279eb1ee21a
0x21c36831f2a87251ee33eee23da21cb4feb61c10
0x240cd6c2798c178a3c4ef6a3b2d8b6aaca722d6b
0x248e49fcdd7f2ac8379e6f8f9fd05ad7eac8f26f
0x2ac2aaa1ba83d15c34e5dceeb0cc7e3696c65ec7
0x3065214e80f9de30bd77b60b077c25902809fb1e
0x31aed7b980c48dd4235b916f581d557df38d473e
0x3421aa3415624c5ee71c53169e7f95b2b49b254e
0x37d0aac814f24ad0c4f58c92132d67ea9fcfc7a1
0x3afd59c54343bec0b0505e7ad3c7b96d967e14b2
0x3c62471c55d23d5b59c78d2c423ea2b42aee5615
0x413e2e10ca98ad7a6c2fd7e0a130016a2a49ea0b
0x474a0c39e1b4eaa5b2c40f6c266bdd21276aa0cb
0x50a82441bb63f2f75bd45b9815bec6d3a3c93cce
0x531230054f3e22c4c1b24fdb44a820ee276b70fc
0x5ca323d77930c84524e9b06b20c5027ec4e54480
0x5cb87df0834cd82297c63ef075421401995914ae
0x5d4431c527a25909cb205f13ca2fefeec5364f06
0x63f017cf88c47c35b7010afe920d7f5b5222c13f
0x679871fa9996ecb25df35c94aea339eb9c7541f7
0x6c39150444ac2e01b87d94f3d936a9b56c9b8d04
0x71c383ef712d958f8795268a21049c65de513080
0x74e8ded4af10f6d0b10671f8ba1df02ae537fc13
0x88fc1908828e02e60e12fdef7e3c60d7de1c1e2f
0x8b66fde33db20bfe9ebd738959808d4cc6bb4db1
0x8c43ea654c6c7e01680e9b6d4aed938b5a679dc0
0x8e424fb46cd88b02b10354ab06217743c72bfd9b
0x9307caa51a02177c26d666e628a156a5bd8931bb
0x9791ff2d33e7f942d3384080236c68dd30afadbe
0xabd0d3217d1fd033644e0b447a34e7bb824ebb62
0xaf656b481d1fb0b87a0668ce9c7c62b1dd074997
0xb9ec5cffeda230818734e6bfce9723e42b3d69d8
0xbb02172ccd838444d6b57fbf80758e72f6d305d8
0xc3fd4009dc03278caa584927b81a0f5639a31b47
0xc4dc84067ca4c010e2b5a7797eb66b6f12487d5c
0xc6e21172aaeb98ec66d7f815909fa6167e439683
0xcd7be06ecd20f67145316a4d6ee82f152e920c2b
0xcd8af2aef25bb18c0344b2c7a2e02f31a4f1e2c6
0xda5e2314cfd382fc557fa933070f3ba70f5fd02e
0xe0a06a7b53a6124304f900f0f17bcf891700e6be
0xe26b348c6bb1507a481c4d1e8d801085de4602f1
0xe5839c1cb95bd55d7cbebec526a3d20fb408ffde
0xf0d8d607f548ce4ca24eca5c15b3675c3c9fb243
0xf11f22981d0bccd256c1a4e9a6450722254328d7
0xf38d09210ec63843d9d87798902955b89a8a135b
0xfdd063eea3b66c9fd5dc50db50b829de87b28d35
0xfe0fdd58f5c5830f380c790acdf361bfb90583cb
0xfe3d85991ba7530cfaac9329502efc8ed7d2bd19
bc1q675pyn8eaa77lw93l4mtsdlykj96l9hukecz7v
3K4WBDcjdzKKusnR7iucPyDttbyX4zpiya