
Wormhole Hack

Wallet tied to Uranium Finance hacker reawakens after 647 days, shifting $3.3M

The hacker has other associated wallets that have also shifted funds to privacy networks such as Aztec.

One of the wallets associated with the $50 million exploit of Uranium Finance in April 2021 appears to have awoken after 647 days of dormancy, with funds headed towards crypto mixer Tornado Cash.

The sudden move was highlighted on Mar. 7 by cyber security firms PeckShield and CertiK on their respective alert accounts on Twitter.

According to data from Etherscan, the hacker moved 2,250 Ether (ETH), or $3.35 million, over a seven-hour period in transactions ranging from 1 ETH to 100 ETH, with all the funds heading to Tornado Cash.

This is, however, just one of the wallets associated with the hacker. Another Ethereum wallet linked to the hacker was last active 159 days ago, when 5 ETH was sent to Aztec, a privacy-focused Ethereum zk-rollup.

This marks yet another occasion in 2023 in which a hacker’s wallet has come out of dormancy after a lengthy hiatus. In January, the Wormhole hacker moved around $155 million worth of ETH almost a year after exploiting the Wormhole bridge for $321 million in early 2022.

The same month, a notorious hacker dubbed the “blockchain bandit” also moved around $90 million after a six-year slumber. 

In February, the Wormhole hacker moved another $46 million worth of stolen funds, while popular blockchain sleuth ZachXBT highlighted via Twitter on Feb. 23 that “dormant funds left over” from the April 2018 $230 million Gate.io exchange hack by “North Korea began to move after over 4.5 years.”

Binance Smart Chain-based automated market maker Uranium Finance was exploited on Apr. 28, 2021. The hack itself was reportedly the result of a coding vulnerability that allowed the hacker to siphon $50 million during Uranium’s v2.1 protocol launch and token migration event.

The platform seemingly shut down shortly after the hack. Its last Twitter post, published on Apr. 30, 2021, urged users to remove funds from its various liquidity pools.

Unanswered questions

It is also worth noting that on Apr. 28, 2021, someone claiming to be a member of the project’s development team suggested in the Uranium Discord channel that the hack may have been an inside job.

They outlined that only a small number of team members knew of the security flaw prior to the v2.1 protocol launch, and questioned the suspicious timing of the hack being just two hours before launch.

Since then, reports have gone cold on the project and its victims. However, Binance forum posts from October 2022 suggest that users have been left out in the cold.


On Oct. 26, user “RecoveryMad” made a post asking for a follow-up on the hack, and noted that the person representing the Uranium team in the community Telegram had “vanished.”

In response, user “nofiatnolie” claimed that “No investigation was performed. It was swept up under the rug. There are still victim groups with no answers and crowd-sourced investigations [are] pointing at the developers of Uranium and others as the suspects.”


Jump Crypto & Oasis.app counter exploits Wormhole hacker for $225M

The counter exploit came after the High Court of England and Wales ordered Oasis.app to work with Jump Crypto to retrieve the stolen funds.

Web3 infrastructure firm Jump Crypto and decentralized finance (DeFi) platform Oasis.app have conducted a “counter exploit” on the Wormhole protocol hacker, with the duo managing to claw back $225 million worth of digital assets and transfer them to a safe wallet.

The Wormhole attack occurred in February 2022 and saw roughly $321 million worth of Wrapped ETH (wETH) siphoned via a vulnerability in the protocol’s token bridge.

The hacker has since shifted around the stolen funds through various Ethereum-based decentralized applications (dApps), and via Oasis, they recently opened up a Wrapped Staked ETH (wstETH) vault on Jan. 23, and a Rocket Pool ETH (rETH) vault on Feb. 11.

In a Feb. 24 blog post, the Oasis.app team confirmed that a counter exploit had taken place, outlining that it had “received an order from the High Court of England and Wales” to retrieve certain assets that related to the “address associated with the Wormhole Exploit.”

The team stated that the retrieval was initiated via “the Oasis Multisig and a court-authorized third party,” which was identified as being Jump Crypto in a preceding report from Blockworks Research.

Transaction history of both vaults indicates that 120,695 wstETH and 3,213 rETH were moved by Oasis on Feb. 21 and placed in wallets under Jump Crypto’s control. The hacker also had around $78 million worth of debt in MakerDAO’s DAI stablecoin that was retrieved.

“We can also confirm the assets were immediately passed onto a wallet controlled by the authorized third party, as required by the court order. We retain no control or access to these assets,” the blog post reads.

@spreekaway tweet on the counter exploit: Twitter

Referencing the negative implications of Oasis being able to retrieve crypto assets from its user vaults, the team emphasized that it was “only possible due to a previously unknown vulnerability in the design of the admin multisig access.”


The post stated that such a vulnerability was highlighted by white hat hackers earlier this month.

“We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorized party.”


Jump Crypto Replaces $320 Million in Ethereum Taken From Wormhole Exploit

On February 2, 2022, the Wormhole Network’s ethereum ↔ solana bridge was exploited for 120,000 WETH (wrapped ethereum) worth $320 million and the following day, the team explained that “all funds have been restored and Wormhole is back up.” The team has also said a “detailed incident report” will be published soon. Wormhole Network Returns, […]


Wormhole Network’s Cross-Chain Bridge Exploited for Over $250 Million in Ethereum

Reports indicate that the Wormhole Network’s ethereum ↔ solana bi-directional bridge has been exploited by an attacker for 93,750 ether or more than $250 million using today’s ethereum exchange rates. The developers behind the Wormhole Network have told the public the network is “down for maintenance,” as the team “looks into a potential exploit.” Wormhole […]
