$3.3 Million Stolen from Vanity Ethereum Addresses
A hacker stole $3.3 million from several Ethereum vanity addresses generated using the Profanity tool.
According to an earlier report from 1inch, a vulnerability in the way these addresses were generated allows attackers to extract their private keys.
However, the security issue highlighted by 1inch could not be fixed in time to prevent the exploit. According to the anonymous developer “johguse”, development of Profanity stopped a few years ago.
Johguse recognized the vulnerability in the tool and warned users against its use. In a later investigation, online management company ZachXBT claimed that a hacker exploited the same vulnerability to steal an estimated $3.3 million in crypto assets from Profanity-based addresses.
The stolen funds were transferred from the victims’ addresses to a new Ethereum address controlled by the hacker. The $3.3 million exploit drew comments from experts who suspected that the malicious hackers may have known about the security issue in advance.
“Seems like the attackers were sitting on this vulnerability, trying to find as many private keys as possible of vulnerable Profanity-generated vanity addresses before the vulnerability gets known. Once publicly exposed by 1inch, the attackers cashed out in a few minutes from multiple vanity addresses,” Tal Be’ery, security lead and chief technology officer at ZenGo, said.
Notably, 1inch also claims that the vulnerability had previously been exploited by hackers, with potential losses worth millions of dollars. 1inch claims that it is possible to recalculate some private keys of vanity addresses using a GPU.
“We have proof of concept of recovering a private key from a public key. So you can send us a public key (not address) generated via Profanity and we’ll send you back a private one,” the team told The Block in a statement.