Hacker steals $3.3 million using Profanity’s vanity Ethereum addresses

Since the crypto industry expanded its growth, it has become the favorite place for hackers to commit exploits. The Ethereum vanity addresses generated via the Profanity tool have now become the latest loophole to dupe millions of crypto users.

As per the market insights provider firm, Etherscan, Ethereum custom addresses created via the Profanity tool have been breached by a hacker who stole almost $3.3 million from several custom ETH addresses.

Related Reading: Crypto Trading Firm Wintermute Has Suffered $160 Million Hack

ZachXBT, an expert tracking the hacker’s activity, first detected and informed about the breach that began on September 16. The anonymous sleuth also preserved a user’s NFTs worth $1.2 million who moved his assets from vanity addresses after being informed.

Vanity addresses are something like a golden number of vehicles for which riders pay high in an attempt to show off. Likely, vanity addresses involve one’s name or desired info to appear as a distinguished address created via tools like Profanity. 

1Inch Exposed Profanity’s Vulnerabilities Before Exploit

It is worth noting that decentralized exchange aggregator 1Inch, who previously suggested using the tool, informed the community before the hack that vanity addresses pose higher vulnerabilities. In the report published last week, the firm suggested users move their funds from wallet addresses made using Profanity.

1Inch said that Profanity became a prominent tool to generate millions of addresses in one second, and the wider crypto community was using it. But, then, 1Inch’s contributors detected used procedure was not flawless and open to exploitation.

Experts noted that the tool’s procedure uses a 32-bit vector for generating 256-bit code, so-called private keys. And this process was recognized as unsafe in the report. The report reads;

The 1inch contributors checked the richest vanity addresses on popular networks and came to the conclusion that most of them were not created by the Profanity tool. But Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.

Ethereum’s price is currently trading above $1,300. | Source: ETHUSD price chart from TradingView.com

Hacker Cashed Out Stolen Money After 1Inch’s Report

The hacker drained money from the targeted wallet addresses immediately after the 1Inch report exposed the vulnerabilities, per ZachXBT. The hacker then moved stolen funds to a new Ethereum address.

Tal Be’eryBe’ery, chief technology office and security head at ZenGo, commented on the breach;

“Seems like the attackers were sitting on this vulnerability, trying to find as many private keys as possible of vulnerable Profanity-generated vanity addresses before the vulnerability gets known. Once publicly exposed by 1inch, the attackers cashed out in a few minutes from multiple vanity addresses.”

Related Reading: Bearish Crypto Market Sentiment Sends Investors Back To Stablecoins

Additionally, a Profanity developer also warned users about the vulnerabilities he found in the code a few years ago. The developer highlighted the issues on GitHub and abandoned the project by revealing the current state of the tool is unsafe to use.

Featured image from Pixabay and chart from TradingView.com