• Exploiting Profanity’s vanity Ethereum addresses, a hacker steals $3.3 million

  • As the cryptocurrency sector has continued to grow, it has become the preferred target for hackers looking to exploit vulnerabilities. Ethereum vanity addresses created with the Profanity tool have now become the latest target, putting millions of cryptocurrency users at risk.

    According to Etherscan, a blockchain data provider, a hacker gained access to multiple custom (vanity) Ethereum addresses created using the Profanity tool and stole roughly $3.3 million from them.

    The breach, which started on September 16, was first discovered and reported by ZachXBT, an investigator who tracks the hacker’s activity. The anonymous investigator also helped one user save NFTs worth $1.2 million: after being notified, the user moved the assets out of the vanity address.

    Much like custom license plates on cars and bikes, vanity addresses command hefty prices from people who want to show off. They are typically built to contain the owner’s name or another chosen string so that the address looks distinctive, using software such as Profanity.

    1Inch disclosed Profanity’s vulnerabilities before the exploit.

    Notably, the decentralized exchange aggregator 1Inch, which had previously recommended the tool, warned the community ahead of the breach that vanity addresses carry greater risk. In the report released last week, the company advised users to move their assets out of wallet addresses created with Profanity.

    According to 1Inch, Profanity became a popular tool because it could produce millions of addresses per second, and it was widely used across the crypto community. Later, however, 1Inch’s contributors realized the method was flawed and open to abuse.

    According to experts, the tool derives its 256-bit private keys from a 32-bit seed vector, which means only about 2^32 (roughly 4.3 billion) distinct keys can ever be produced, a space small enough to search exhaustively. The report flagged this method as dangerous. The report reads:

    The 1inch contributors checked the richest vanity addresses on popular networks and came to the conclusion that most of them were not created by the Profanity tool. But Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.
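The security point in the passage above is that a deterministic derivation cannot add entropy: a 256-bit key built from a 32-bit seed has only 32 bits of unpredictability, however long the output looks. The following Python is an added illustration written for this article, not Profanity's code or 1Inch's; the `weak_private_key` derivation (SHA-256 of the seed), the `MIN_SEED_BITS` policy threshold, and the helper names are all constructed for the example. It places a toy version of the weak pattern beside the hardened form (256 bits drawn from the OS CSPRNG) and provides an audit check a key-generation review would use.

```python
import hashlib
import secrets

# Order n of the secp256k1 group: a valid Ethereum private key is an integer in [1, n-1].
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

MIN_SEED_BITS = 128  # assumed policy threshold for this example, not from the article


def weak_private_key(seed32: int) -> int:
    """Toy model of the weak pattern described in the article: a 256-bit key
    whose only randomness is a 32-bit seed. The output looks like 256 bits of
    entropy, but there are only 2**32 possible keys and the same seed always
    yields the same key. (Constructed illustration, not Profanity's derivation.)"""
    if not 0 <= seed32 < 2**32:
        raise ValueError("seed must fit in 32 bits")
    digest = hashlib.sha256(seed32.to_bytes(4, "big")).digest()
    key = int.from_bytes(digest, "big")
    # Map into the valid key range [1, n-1]; 0 is never a valid key.
    return key % (SECP256K1_ORDER - 1) + 1


def strong_private_key() -> int:
    """Hardened form: draw all 256 bits from the OS CSPRNG and reject values
    outside [1, n-1] so the key is uniform over the valid range."""
    while True:
        key = secrets.randbits(256)
        if 1 <= key < SECP256K1_ORDER:
            return key


def effective_entropy_bits(seed_bits: int, output_bits: int = 256) -> int:
    """A deterministic derivation cannot add entropy: the output carries at
    most min(seed_bits, output_bits) bits of unpredictability."""
    return min(seed_bits, output_bits)


def distinct_keys(seed_bits: int) -> int:
    """Number of distinct keys a seed of the given width can ever produce."""
    return 2 ** effective_entropy_bits(seed_bits)


def meets_minimum_entropy(seed_bits: int, minimum: int = MIN_SEED_BITS) -> bool:
    """Audit check: does the seed width meet the assumed policy threshold?"""
    return effective_entropy_bits(seed_bits) >= minimum


if __name__ == "__main__":
    for bits in (32, 256):
        print(f"{bits}-bit seed -> {effective_entropy_bits(bits)} bits of entropy, "
              f"{distinct_keys(bits):.3e} possible keys, "
              f"meets {MIN_SEED_BITS}-bit minimum: {meets_minimum_entropy(bits)}")
    # Determinism: whoever knows the seed knows the key.
    print("same seed, same key:", weak_private_key(0xDEADBEEF) == weak_private_key(0xDEADBEEF))
    print("CSPRNG key in range:", 1 <= strong_private_key() < SECP256K1_ORDER)
```

The audit helper is the part worth reusing: when reviewing any key or wallet generator, trace the bits that actually come from a random source back to their width, because that width, not the length of the final key, is what bounds the work an attacker needs.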

    After 1Inch’s report, the hacker cashed out the stolen funds.

    According to ZachXBT, the hacker promptly drained the targeted wallet addresses once the 1Inch report revealed the flaws, and then moved the money out of the compromised Ethereum addresses.

    Tal Be’ery, head of security and chief technology officer at ZenGo, commented on the incident:

    “Seems like the attackers were sitting on this vulnerability, trying to find as many private keys as possible of vulnerable Profanity-generated vanity addresses before the vulnerability gets known. Once publicly exposed by 1inch, the attackers cashed out in a few minutes from multiple vanity addresses.”

    A Profanity developer had also alerted users to the bugs he discovered in the code a few years earlier. The developer said the program was unsafe to use in its current state and disclosed the flaws on GitHub before abandoning the project.
