Hackers have stolen over $60 million worth of crypto from nearly 100,000 victims in the past six months by exploiting a piece of Ethereum code to bypass security alerts, according to research from on-chain investigator ScamSniffer and security firm SlowMist.
The wallet drainers are misusing a function called Create2. This is normally leveraged by decentralized apps like Uniswap to predict the address of a smart contract before deployment. By abusing Create2, the hackers can instantly generate disposable wallet addresses to receive stolen funds after a user interacts with a malicious signature.
Typically, crypto wallet software displays alerts when a signature requests access permissions. However, the hackers’ clever use of Create2 enables them to disguise malicious code within the signature, allowing wallet access without triggering warnings.
Crypto hacks witness recent surge
One group of hackers alone has drained $3 million in crypto from 11 victims since August using this Ethereum technique. Overall, ScamSniffer and SlowMist estimate that around $60 million has been stolen from 99,000 victims in the past six months.
The rise of Create2-based wallet exploits highlights the growing sophistication of crypto-related cybercrime. Just last week, exchange Poloniex revealed a hot wallet breach, resulting in $125 million lost. October also saw victims of the LastPass breach lose $4.4 million in crypto in one day.
As hackers devise more methods to siphon funds from unsuspecting victims, extra vigilance is crucial. The innovative abuse of Create2 underscores that even trusted blockchain code can potentially be weaponized for theft at scale.