A $10 Million Wallet-Draining Attack: What We Know So Far

Published Apr 19, 2023
By Qredo Team

Yesterday a huge wallet-draining operation was reported by @tayvano_ on Twitter, apparently affecting many OG members of the cryptocurrency sphere across at least eleven blockchains and counting. As Taylor says in her write-up, at this moment, "no one knows how".  

@tayvano spoke out about the devastating attacks and her investigations into them, including some strange findings as to the patterns of attack timings, and the successful targeting of many established and successful OG accounts. 

This event has sent shockwaves throughout the industry, raising concerns over the security of digital assets, for institutional and retail investors alike. 

This news story is a moving target, with numerous security teams from major blockchain organisations investigating. What we know so far is that the attacks are not limited to any specific wallet type, provider or even blockchain.  

It appears that the attack has exploited wallets on numerous blockchains and successfully accessed digital assets with keys protected on long-used cold wallets in certain instances. 

Already there has been some misreporting of the facts, and FUD has inevitably with MetaMask having to insist that there is no evidence that this was caused by any flaw in its product.  

Here's what we know so far, and how distributed MPC (dMPC) technology could be part of the solution to prevent future attacks. 

The details of the wallet-draining operation

Complete details of the attack are still emerging, but it appears that the attacker(s) exploited single points of failure in the storage of private keys, accessing and draining the affected wallets of their assets. It may turn out that the attacker(s) collected private data by several means over an extended period in preparing for this activity.  

The incident serves as a wake-up call for the cryptocurrency and finance communities, emphasizing the importance of developing far more robust security solutions. 

How does this affect Qredo users?

The good news is, as far as we are aware, this hack has not impacted any Qredo user.  

When you create a wallet with Qredo, these are not exposed to the client or any Web3 wallet extensions and are created without having to hold a private key locally for each wallet.  

With multi-party access also available in Qredo wallets, each team member with their own permissioned access, and the option to customize requirements for multiple signatories, we reduce the risk of any single user getting locked out or maliciously exploited. 

Whilst our users do have seed phrases, these do not allow for the instant exploitation and moving of funds as a seed phrase for a hardware wallet typically would. These are not the equivalent to or part of any specific private keys but are rather secrets associated with a specific user's email account. 

This results in three lines of defence (to which you can add multi-party access security):

Firstly, the attacker would need to specifically know that this was a Qredo seed phrase that they had accessed, before being able to utilise it in any way.  

Secondly, they would then also have to know, and access, the associated email address.  

Finally, they would also have to exploit the two-factor authentication device set up by the user in order to attempt signing a transaction. 

The importance of removing single points of failure

The best way that we can secure the blockchain ecosystem is by eliminating single points of failure, whether they be user error, theft, or another issue affecting these points.  

The most glaring security issue affecting the self-custody of digital assets is, of course, the user's secure storage of private keys. By abstracting this risk, the risk of similar attacks can be significantly reduced, providing a far safer environment for digital asset holders.  

Of course, Qredo's solution also protects users from the other danger of holding digital assets on the blockchain: allowing a third party to hold them for you. At Qredo, no one ever has access to your funds except you and your chosen team, decided by your own customizable policies.  

Qredo's platform is designed from the ground up, to drastically mitigate counterparty risk whilst protecting you from user error or malicious attacks at the same time. 

How dMPC technology enhances custody and security

Distributed MPC technology not only distributes the storage of private keys but also employs advanced cryptographic techniques to secure the management of digital assets. 

This multi-party access adds layers of security, as transactions can only be authorized when a predetermined number of parties agree. 

In addition to increased security, dMPC technology provides a transparent and auditable process. Each participant in the dMPC network has access to a comprehensive log of actions, ensuring that all parties are held accountable for their actions.  

This transparency is vital in building trust among institutional investors and fostering the adoption of digital assets within the finance industry. 

The future of digital asset security and the role of dMPC

This recent appalling wallet-draining operation has highlighted the vulnerabilities present in the digital asset ecosystem.  

As an ecosystem, we can and must eliminate single points of failure and safeguard the holdings of investors across the globe. In doing so, Qredo is taking a leading role in making the future of digital assets more secure, paving the way for increased adoption and growth. 

The wallet-draining operation reported by @tayvano yesterday is a stark reminder of the importance of security in the digital asset space.  

Check out our recent roadmap updateto get up to speed on all the latest in our future-proofing technology.  

We're always building, and our mission is to create the most secure solutions for all holders of digital assets across the blockchain sphere. 

Thanks for being part of Qredo. In doing so, you’re helping secure the future of digital assets.  

Open a Qredo Wallet