Skip links

Crypto wallet providers urged to rethink security as criminals drain them of millions

Infosec researchers are noting rising cryptocurrency attacks and have encouraged wallet security providers to up their collective game.

Check Point specifically cites the growth of attacks that abuse Ethereum’s CREATE2 opcode, dubbing it a “critical issue in the blockchain community” that’s seeing millions of dollars worth of assets being drained from victims’ wallets.

Introduced in 2019, CREATE2 is seen as a significant advancement for Ethereum, allowing for more efficient deployments of smart contracts – the technology that validates transactions on the blockchain.

CREATE2 is also the function that’s being exploited by attackers to drain tokens from victims’ wallets. 

One of its key capabilities is being able to deploy smart contracts to pre-determined addresses, making the entire process more predictable for the blockchain when dealing with multiple contract interactions across the ecosystem of decentralized applications.

By pre-determined, it means that an attacker can create temporary, single-use addresses to receive a victim’s assets. New addresses can be used for each attack, and this is crucial because wallet security providers rely on previously held data to flag potentially malicious transactions. If the address has no dodgy history, it’s likely the transaction will evade these detections.

The fact that attackers can set up a contract before deploying it (before it even exists), using a wallet address that doesn’t have a history of malicious activity, means that if they can get the victim to approve a contract they can drain their funds.

Of course, this requires some social engineering hijinkery to pull off, but we’ve all heard about the real-life scam stories that sound too wild to be true, but are. This attack works, and has facilitated huge single-transaction scams in recent times.

The researchers highlighted one fraud in January that saw attackers make off with $3.6 million worth of SuperVerse tokens in one fell swoop as an example of how serious these incidents can be for victims.

Remember: with blockchains, there is no legal recourse and no customer helpline to recover funds. Once they’re sent and signed, that’s it – tokens are gone for good.

How they work and why they work

The attack flow is as follows. First, an attacker needs to get a victim to approve a contract that hasn’t yet been deployed – the bit that requires social engineering. They then use CREATE2’s ability to generate new contract addresses to receive the funds and deploy the malicious contract, complete with the victim’s authorization, in turn draining the victim’s wallet.

The key part here is the generation of a new wallet address, one that has no history of being reported for criminal intentions. CREATE2 generates this using a calculation that includes four parameters: the attacker’s wallet address, a constant prefix, a salt, and an initialization code.

This address will be created only when the victim approves the contract, meaning it’s never been used before for any illicit dealings, and won’t be used again, thereby bypassing the security protections that usually monitor such transactions.

“The exploitation of the CREATE2 function underscores the continuous battle between innovation and security in the blockchain sphere,” said Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin.

“As Ethereum continues to evolve, so too must the security mechanisms designed to protect users from such sophisticated attacks. Awareness and education are the first steps in safeguarding digital assets against emerging threats. Blockchain developers and users alike must remain vigilant, continuously updating their knowledge and security practices to navigate this ever-changing landscape securely.

“This vulnerability highlights the need for enhanced security measures in wallet security products to adapt to the evolving tactics of cybercriminals, ensuring the safekeeping of digital assets in the face of innovative exploits.”

The big business of crypto attacks

Towards the back end of 2023, we saw a string of high-profile wallet-draining attacks netting cybercriminals hefty sums, and the attacks weren’t localized to just the Ethereum blockchain either.

Justin Sun, founder of the Tron Foundation and owner of Poloniex, a crypto exchange that was drained of circa $120 million in November, offered a reward for the attackers at the time to return the funds they stole.

The Monero Project was also mysteriously drained of nearly half a million dollars just days before, and 5,000 Atomic Wallet users were drained earlier in the year – just a few of the high-profile incidents that took place in 2023.

While not all of these have been directly attributed to CREATE2 exploits, researchers told The Register that it seems like North Korea’s state-sponsored Lazarus gang may have been behind a sizable proportion of them.

The web3 anti-scam solution provider ScamSniffer analyzed a series of CREATE2 incidents between May and November 2023, concluding that almost $60 million had been stolen from around 99,000 victims. ®