The whole process: How to Lose 1155 BTC in 80 Minutes
Colin Wu . 2024-05-16 . Data

Author: 胡飞瞳


On the evening of May 3rd, Beijing time, due to an inadvertent operation, a whale mistakenly transferred 1155 BTC to a phishing wallet address, valued at approximately $71 million at the time of the incident. Such a large sum of money virtually evaporated in an instant, serving as a significant lesson to the industry.

Chronology of Events

Let’s first examine the sequence of events (May 3rd, all times in Beijing time):

● 17:14:47 — Wallet address 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5 (whale) transferred 0.5 ETH to address 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91 and created the address.

● 17:17:59 — Wallet address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 (hacker) transferred 0 ETH to wallet address 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5.

● 18:31:35 — Wallet address 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5 (whale) transferred 1155.28802767 WBTC to address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 by calling the WBTC contract.

● May 4th, 10:51:11 — Address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 (hacker) transferred all WBTC to a new address: 0xfB5bcA56A3824E58A2c77217fb667AE67000b7A6.


Here’s a breakdown from the hacker’s perspective:

1. The hacker continuously monitored the whale’s activity on the blockchain and noticed the creation of a new address by the whale on the evening of May 3rd. The hacker immediately took action.

2. By bruteforce-randomly generating private keys and addresses, the hacker obtained an address similar to the one generated by the whale (please carefully examine the addresses highlighted in red in steps 1 and 2 above, they are identical except for minor differences). The hacker then transferred 0 ETH to the whale’s wallet address to create a transaction history containing the phishing address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91.

3. Upon confirming the receipt of 0.5 ETH in their address, the whale began transferring WBTC to a new address. At this point, a fatal mistake occurred. In the transfer history, the whale found an address with the same numbers before and after as their target address and mistakenly copied and pasted the phishing address.

4. The hacker monitored their phishing address and was pleasantly surprised to find a “huge harvest” — 1155 BTC. They likely celebrated immediately, had some beers, slept, and then transferred the WBTC to another new address.


Have you noticed a crucial aspect? Look at the timeline. After the whale created a new address, the hacker prepared the phishing address in about 3 minutes and completed the transfer to the whale. This indicates several points:

● The hacker was well-prepared, with the entire process automated. The script was likely prepared in advance.

● The hacker had access to significant computational power. The addresses generated here share specific bytes (the first two bytes and the last three bytes), which equates to roughly 2⁴⁰ calculations. GPUs would undoubtedly be required, and in large numbers.

● Therefore, this is likely not an individual’s action but rather organized behavior.

The blockchain brings decentralization and eliminates intermediaries, allowing individuals to control their wealth and data. However, it also requires a heightened sense of security. High levels of personal security awareness and knowledge are essential.

This whale demonstrated strong security awareness by periodically changing addresses and conducting tests and confirmations before large transfers. However, one copy-paste mistake undid everything.

Some Security Tips for Transfers

This $71 million lesson serves as a wake-up call for every holder of digital assets. Hackers and phishing attempts are ubiquitous, and you are the first and only responsible party for your property. Here are some security tips for wallet security, especially for wallets holding large amounts:

● Generate private keys and mnemonic phrases offline and store them offline.

○ Most wallets now have offline signature capabilities.

○ Hardware wallets can also be used, but backup the private keys when using them.

● If there is suspicion that the private key or mnemonic phrase may be compromised, replace it as soon as possible and transfer the assets.

● Store transfer addresses in an address book and add notes. Do not copy addresses temporarily.

● Choose addresses from the address book for transfers and always perform test transfers. Confirm success with the recipient before proceeding.

● For large transfers, consider splitting them into multiple transactions.

● Do not click directly on transfer links or online transactions sent by others.

○ Phishing often involves forging similar links or addresses.

● For larger fund management, consider using multi-signature methods.

○ This is suitable for company or organization fund management.

○ Individual assets can also be managed in this way. For example, individuals can hold multiple private keys and give signing authority to friends who do not know each other to prevent loss of assets due to personal key loss.

● CEX and DEX website addresses should be obtained through official channels, and deposit addresses should be confirmed repeatedly. Test transfers are also necessary steps.

Follow us