Almost $1M in crypto stolen from vanity address exploit

Hacks and exploits continue to plague the decentralized finance (DeFi) sector as another vanity wallet address joins the roster of DeFi victims that collectively lost more than $1.6 billion in 2022.

According to an alert published by blockchain security firm PeckShield, a hacker stole 732 Ether (ETH), around $950,000, from an address created with the Ethereum vanity wallet address generator Profanity. After draining the wallet, the exploiter sent the crypto to the recently sanctioned crypto mixer Tornado Cash.

#PeckShieldAlert Seems like $950k worth of crypto has been stolen by 0x9731F from Ethereum “vanity address” generated with a tool called Profanity. The exploiter already transferred ~732 $ETH into Mixer pic.twitter.com/QOZfnE49H4

— PeckShieldAlert (@PeckShieldAlert) September 26, 2022

Vanity addresses are customized crypto wallet addresses that are generated to include words or specific characters chosen by the owner. However, as recent exploits have shown, the safety of vanity addresses remains questionable.

Earlier in September, decentralized exchange (DEX) 1inch Network warned community members that their addresses were not safe if they had been generated using Profanity. The DEX urged crypto holders with vanity addresses to transfer their assets immediately. According to 1inch, the vanity address generator used a random 32-bit vector to seed 256-bit private keys, which means that the resulting keys are not safe.
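The weakness 1inch describes can be seen in a few lines. The following is an added illustration, not Profanity's code and not part of the original article: it uses Python's `random.Random` as a stand-in deterministic generator, scales the seed width down to 12 bits so the count finishes instantly, and all function names are hypothetical.

```python
import random
import secrets

KEY_BITS = 256  # size of the private key the generator is supposed to produce


def weak_private_key(seed: int) -> bytes:
    """Flawed pattern: a deterministic PRNG stretches a small seed to 256 bits.

    Stand-in for illustration only. The output is fully determined by the
    seed, so the key carries no more entropy than the seed did.
    (Range checks against the curve order are omitted for brevity.)
    """
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")


def strong_private_key() -> bytes:
    """Hardened form: all 256 bits come straight from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BITS // 8)


def reachable_keys(seed_bits: int) -> int:
    """Count the distinct keys the weak generator can ever emit.

    Keep seed_bits small here; the point is that the count is bounded by
    2**seed_bits regardless of how long the key looks.
    """
    return len({weak_private_key(s) for s in range(2 ** seed_bits)})


def max_entropy_bits(seed_bits: int) -> int:
    """Upper bound on key entropy when the only randomness is the seed."""
    return min(seed_bits, KEY_BITS)


if __name__ == "__main__":
    demo_bits = 12  # constructed, scaled-down seed width
    print("same seed, same key:", weak_private_key(7) == weak_private_key(7))
    print(f"keys reachable from a {demo_bits}-bit seed:", reachable_keys(demo_bits))
    print("entropy bound with a 32-bit seed:", max_entropy_bits(32), "bits")
    print("entropy bound with CSPRNG output:", max_entropy_bits(256), "bits")
```

A 256-bit key produced this way looks full-length, but the set of keys that can ever come out is no larger than the set of seeds that can go in.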

Following the DEX's warnings, blockchain investigator ZachXBT announced that an exploit of the vulnerability in Profanity had already allowed some hackers to get away with $3.3 million worth of digital assets.


On Sept. 20, the United Kingdom-based crypto market maker suffered an exploit that led to $160 million in losses. According to researcher Ajay Dhingra, the exploit may have been due to the firm's hot wallet being compromised and used to manipulate a bug in the smart contract. Evgeny Gaevoy, the firm's founder and CEO, called on the attackers to get in touch, as the firm is open to treating the exploit as a white hat hack.
