Date:: April 19th, 2021
Amount Stolen:: $81,000,000
Time:: 10:36:56 AM +UTC
Malicious MetaMask, Private Key Compromise
From: Dan @ Pantera Capital
Subject: Pantera Capital Investment Agreement (Protected)
Ankitt Gaur, founder and CEO of Layer 2 DeFi lending protocol EasyFi (EASY), said,
“On April 19, team members reported that a large number of EASY tokens were transferred from the official EasyFi wallet to the Ethereum network and several unknowns on the Polygon network
The hacker successfully obtained the administrator key and transferred $6 million of existing liquid funds in the form of USD/DAI/USDT from the protocol pool, and transferred 298 Ten thousand EASY tokens (approximately 30% of the total supply of EASY tokens, currently valued at 40.9 million U.S
By stealing the private keys to EasyFi’s MetaMask admin account, hackers were able to extract $6M in USD, DAI, and USDT, plus 2.98M EASY tokens, all of which amounted to around $81M
The machine that was compromised to gain the keys was offline most of the time, only being switched on to perform official transfers for the project
When the attack was carried out, the machine had been offline for more than a week And because it wasn’t actively used when the attack was carried out, this delayed the platform’s response and allowed the hacker to drain the assets from the protocol. get access to admin keys and remove existing liquidity to the tune of $6 million from protocol pools in USD / DAI / USDT and transfer 2.98 Million EASY tokens.
While most metamask attacks phish private keys / mnemonic phrases by tricking into downloading a malicious version, this is not the case here
My computer was compromised and MetaMask was altered from the disk
The physical machine was not tampered with, and it seems to be the issue with some remote access as might have been previously used on Hugh Karp
From the initial investigations, it looks like hackers are extremely sophisticated and quite likely working as part of a larger group."
The token was upgraded to ‘EZ 2.0’ four days later, making the hacker’s existing EASY holdings useless .
- 0x0c08D0fE35515f191fC8f0811CAdCfC6B2615b74 - Victim / Compromised
- 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37 - Theft
- 0x437147da920714fec4822f0666d940945f9c972b - Primary Theft
- 0x31499e03303dd75851a1738e88972cd998337403 - Connects to Nexus Mutual, CoinMetro, Unibright Coinberry, and multiple others
- 0x4090e984897e7c1379c73f2213b906e5bef468a4 - Ascendex/Bitmax
- 0x437147da920714fec4822f0666d940945f9c972b - Ascendex/Bitmax Outputs
- 1PsLLdQhhfA5GEu1XHcpLnffaDxLpQZBvh - Laundry
- 1395hgVUB2P7yv145sRbt6Ykbi3qargnoD - Laundry
- 17WFZENdcgkCvVjENQWJnqwXyiCkgTdGbi - Laundry
- 1DzGYwnUKu9ukGBKm8kTvoezjfCQ2qLwYr - Laundry
- 14BGW1f5eyvhQkgTUPBjrL2UvcMaSTubL1 - Laundry
- 1ZBN1htJPHJvXSr4n77TqXtJdDhw5egP7 - Laundry
- bc1q75f989p3x42ys05k8490pt4gxksywxvr8e5t4e - Chipmixer Withdrawal
- bc1qdkfh5q8ss8yx6422epuneee6t8u0hjpq7dtg7f - Chipmixer Withdrawal
- bc1qu79cnt8wr2954ul9f96vfc8a7ge95f7cp75q9d - Chipmixer Withdrawal
- bc1qa34lt4ye39u3c2k7d5dymgydq5wkjewkwxhqek - Chipmixer Withdrawal
- bc1qpvfsku20rxe6k4supdzu9cuua5x8rdyy0za82d - Chipmixer Withdrawal
- bc1qk6quxamg4x4jwv0kxnpedqnlgp3zwykp7u0fz0 - Chipmixer Withdrawal
- bc1q5lfwgap0u8ur3r2sqpf50rzx8rmvqzenwdmp9r - Chipmixer Withdrawal
- bc1quzz3z2a7w6snt9he5cl4sklwu64d0yfqy4khrg - Chipmixer Withdrawal
- bc1qkgwmv0d9p6473g6kast7h0mrpswxzrlzf65rla - Chipmixer Withdrawal
- bc1q2u7n69pdzm0886gggmznyhty0af4l4nzqkdgrs - Chipmixer Withdrawal
- bc1qsa8uxs6j8dqnx82mg97svdvdn9sr5gl68lzjax - Chipmixer Withdrawal
- bc1qath2ss884adh48xrqjcmz3789vmvmrwlfy8zjf - Chipmixer Withdrawal
- bc1qgznjavvfczl7lzqukwtwkysj27vsw8gty62tm9 - Chipmixer Withdrawal
- bc1qd5h4uxl50p6f3y3hlkzgv2wj33pc0fxedqdakx - Chipmixer Withdrawal
- bc1qctxsadq92nuqkcv5pst4jfvzfq6ngz7kxucz6p - Chipmixer Withdrawal
- 35TjCuKRbKcofxnKG2EkC8B66ZNXKqE1aN - Post ChipMixer Consolidation
- 3M8VZjtAqi51LsMuRGGY9mhPvQk5hvubvt - Post ChipMixer Consolidation
- 0x313d06759af5696d6ee3f5965408e9C5b658Fb7E - Post ChipMixer Consolidation
- 0xe0c79066488a15b70361ad8268d713b05944a4fe - Post ChipMixer Consolidation
- 0x38720d56899d46cad253d08f7cd6cc89d2c83190
- 0xaAa51A89c7D3342E0c4e6084713Aa44248a7A232
- 0x27a9d7D17D72a5A67115dBF381b121B51D8b5Dd8 - Binance Deposit
- 0xabEF0DF725EF5d2f0354c59ea3cCB161aBc11515 - Binance Deposit
- 0xec592C8f4204B46Be7C3dcD4E6Fc6C1f3Ab773A9 - Binance Deposit
- 0x20604b432aB2952b31B9435638070Fe3539d8Fb6 - Binance Deposit
- 0x2e1155cf5374cba058a04fd03ebd0ba19afe580d - Noones Deposit
- 0x246569f8b420c8d850c475c53d0d59973b3f08fc - Paxful Deposit
- 0x593dc5e1ad81667bbfc90739dd2c09c926920e3b - Paxful Deposit
- https://cointelegraph.com/news/reeling-from-post-hack-price-slump-easyfi-reveals-community-compensation-plan
- https://easyfi.network/
- https://github.com/HalbornSecurity/PublicReports/blob/master/Solidity%20Smart%20Contract%20Audits/EasyFi_Access_Vesting_Smart_Contract_Security_Audit_Halborn_v1_1.pdf
- https://medium.com/easify-network/easyfi-security-incident-66c02a277a91
- https://medium.com/easify-network/easyfi-security-incident-pre-post-mortem-33f2942016e9
- https://rekt.news/easyfi-rekt/
- https://www.quadrigainitiative.com/casestudy/easyfi'seasyfinishing.php
- https://newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army
- https://thedefiant.io/compound-finance-fork-easyfi-loses-over-60m-in-admin-key-hack/
- https://www.businessinsider.in/investment/news/biggest-crypto-hacks-of-2021-over-4-billion-stolen/slidelist/88560280.cms#slideid=88560401
- https://www.coindesk.com/defi-protocol-easyfi-reports-hack
- https://www.web3rekt.com/hacksandscams/easyfi-367