On 15 September, a publicly doxed Mark Cuban wallet was drained in a private key compromise leading to the loss of multiple ERC-20 tokens and ETH. The stolen tokens were swapped for ETH and transferred to externally owned address 0x981 where the funds have been split into smaller denominations of ETH to launder the funds.
On 15 September, a wallet owned by Mark Cuban that is publicly doxed as ‘Mark Cuban 2’ on Etherscan was compromised leading to the loss of approximately $870,000 worth of crypto assets. The funds in Mark Cuban’s compromised Etherscan wallet were transferred to externally owned address 0x5b9. The hacker stole a variety of ERC-20 tokens which were then swapped for ETH. In total, the hacker controls approximately 525.92 ETH worth $859,861.07 at the time of writing.
The malicious transactions were initiated via normal transfers, indicating that the cause of the loss was a private key compromise. Mark Cuban disclosed to DL News that the wallet in question was compromised and confirmed the attack. Whilst it is not known exactly how the malicious actor compromised the wallet, Mark Cuban indicated that it could be due to a malicious MetaMask wallet. Mr. Cuban is quoted by DL News as saying “I’m pretty sure I downloaded a version of MetaMask with some sh_t in it”, and that he had searched for Circle on Google, not MetaMask.
This incident brings the total lost to private key compromises this year to approximately $292 million. While compromised private keys disproportionately affect large centralized exchanges, this incident is a reminder that famous media personalities are often targeted by criminal groups in order to steal funds.
The hacker began transferring out valuable ERC-20 tokens to the wallet controlled by the malicious entity at 22:55 UTC on September 15. From there, the hacker transferred out approximately 5.29 ETH at 22:59 UTC.
However, the hacker realized that they had not stolen all the ERC-20 tokens available to them and transferred 0.1 ETH back to Mark Cuban’s wallet at 00:05 UTC. These funds were then used to pay gas to transfer the rest of the ERC-20 tokens. This enabled the attacker to grab 8.2 WETH, 697,478 RARE, 16,671 BIT, 5.92 gOHM and 10,000 AUDIO.
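The two on-chain behaviours described above (many distinct tokens leaving a wallet for one counterparty within minutes, then a small ETH payment from that counterparty back to the victim followed by further outflows) are the kind of pattern a wallet-monitoring service can alert on. The following is an added example of such detection logic written for this post; it is not CertiK's tooling. The addresses (0xVICTIM, 0xATTACKER, 0xALICE, 0xEXCHANGE), timestamps and the first batch of token symbols (TOKEN_A to TOKEN_C) are constructed placeholders, while the second batch mirrors the tokens named in the text.

```python
"""Heuristic detection of a drain followed by an attacker-funded gas top-up.
Added example; all transfer records and addresses below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transfer log: (UTC timestamp, from, to, asset, amount).
# Placeholder addresses stand in for the real ones; the times loosely follow
# the sequence described in the post.
SAMPLE_TRANSFERS = [
    ("2023-09-15T22:55:00", "0xVICTIM", "0xATTACKER", "TOKEN_A", 1_000),
    ("2023-09-15T22:56:00", "0xVICTIM", "0xATTACKER", "TOKEN_B", 50_000),
    ("2023-09-15T22:57:00", "0xVICTIM", "0xATTACKER", "TOKEN_C", 250),
    ("2023-09-15T22:59:00", "0xVICTIM", "0xATTACKER", "ETH", 5.29),
    # Attacker sends a little ETH back so the victim address can pay gas.
    ("2023-09-16T00:05:00", "0xATTACKER", "0xVICTIM", "ETH", 0.1),
    ("2023-09-16T00:07:00", "0xVICTIM", "0xATTACKER", "WETH", 8.2),
    ("2023-09-16T00:08:00", "0xVICTIM", "0xATTACKER", "RARE", 697_478),
    ("2023-09-16T00:09:00", "0xVICTIM", "0xATTACKER", "BIT", 16_671),
    ("2023-09-16T00:10:00", "0xVICTIM", "0xATTACKER", "gOHM", 5.92),
    ("2023-09-16T00:11:00", "0xVICTIM", "0xATTACKER", "AUDIO", 10_000),
    # Unrelated benign transfer that must not raise an alert.
    ("2023-09-16T01:00:00", "0xALICE", "0xEXCHANGE", "ETH", 1.0),
]


def parse_transfers(records):
    """Convert raw tuples into time-sorted dicts with real datetimes."""
    out = []
    for ts, src, dst, asset, amount in records:
        out.append({"ts": datetime.fromisoformat(ts), "from": src, "to": dst,
                    "asset": asset, "amount": float(amount)})
    return sorted(out, key=lambda t: t["ts"])


def detect_drains(transfers, window=timedelta(minutes=15), min_assets=3):
    """Flag a sender that moves at least `min_assets` distinct assets to the
    same receiver inside `window`. Ordinary users rarely empty every token in
    a wallet to a single address within minutes."""
    by_pair = defaultdict(list)
    for t in transfers:  # transfers are already time-sorted
        by_pair[(t["from"], t["to"])].append(t)
    alerts = []
    for (src, dst), items in by_pair.items():
        for i, first in enumerate(items):
            in_window = [x for x in items[i:] if x["ts"] - first["ts"] <= window]
            assets = {x["asset"] for x in in_window}
            if len(assets) >= min_assets:
                alerts.append({"type": "drain", "victim": src, "attacker": dst,
                               "assets": sorted(assets), "start": first["ts"]})
                break  # one alert per pair is enough
    return alerts


def detect_gas_topups(transfers, max_eth=0.5, window=timedelta(minutes=30)):
    """Flag a small ETH payment A -> V where V had already sent assets to A and
    sends more assets to A shortly afterwards: A is funding V's gas so the
    remaining tokens can be moved out."""
    alerts = []
    for t in transfers:
        if t["asset"] != "ETH" or t["amount"] > max_eth:
            continue
        attacker, victim = t["from"], t["to"]
        earlier = [x for x in transfers if x["from"] == victim and x["to"] == attacker
                   and x["ts"] < t["ts"]]
        later = [x for x in transfers if x["from"] == victim and x["to"] == attacker
                 and t["ts"] < x["ts"] <= t["ts"] + window]
        if earlier and later:
            alerts.append({"type": "gas_topup", "victim": victim, "attacker": attacker,
                           "topup_eth": t["amount"],
                           "assets_after": sorted({x["asset"] for x in later})})
    return alerts


def analyze(records):
    """Run both heuristics over a raw transfer log and return all alerts."""
    transfers = parse_transfers(records)
    return detect_drains(transfers) + detect_gas_topups(transfers)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRANSFERS):
        print(alert)
```

The thresholds (15-minute window, three distinct assets, 0.5 ETH top-up cap) are assumptions chosen for the sample data; a real deployment would tune them against the wallet's normal activity and feed the alert into a pause-and-verify workflow rather than acting on it automatically.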
After being alerted to the compromise, Mark Cuban took actions to secure assets on Polygon by transferring ERC-20 tokens on Polygon to Coinbase.
We can see the flow of stolen funds below.
From EOA 0x981, the funds were split into smaller chunks and then transferred to ChangeNOW and Binance.
Mark Cuban disclosed to DL News that the cause of the exploit was likely due to downloading a malicious MetaMask application. He stated that “I’m pretty sure I downloaded a version of MetaMask with some sh_t in it”. It is well known that scammers will attempt to trick victims into visiting fake domains and then downloading malicious wallet applications from them. For example, CertiK was able to find 1,966 domains with the keyword METAMASK in the URL.
Fake wallet applications also make their way onto trusted stores such as iOS App Store. For example, in June this year, a search of “Trezor” on the Apple App Store would have returned a malicious Trezor Application that would request a user's seed phrase.
We have seen how devastating private key compromises can be, especially against centralized entities. But the incident involving Mark Cuban shows that scammers will also look to compromise individuals' wallets, especially those holding a large amount of funds. Users should always make sure that they are navigating to the legitimate URL or application for a wallet provider. Trusted third parties such as CoinMarketCap and CoinGecko are great sources of legitimate links to projects’ social media and websites. You can also visit skynet.certik.com and see a project’s socials. If you are looking to download a wallet application from a trusted app store, it is always good practice to check the number of reviews that an application has. A low number and a low average score can be a good indication that an application is malicious. Always be sure to double check URLs and applications before downloading and depositing funds into them.
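The advice above (and the 1,966 METAMASK-keyword domains mentioned earlier) comes down to one check a user or a corporate proxy can automate: does the download URL's registrable domain sit on a maintained allowlist, and if not, is it dressed up to look like the brand? The following is an added example of that check, written for this post rather than taken from CertiK or MetaMask. It assumes metamask.io as the one allowlisted domain, a single brand keyword, and a small hand-made table of digit and symbol substitutions; the test URLs are constructed and none of them is a site from the incident.

```python
"""Classify a wallet-download URL as allowlisted, suspicious or unknown.
Added example; the allowlist, keywords and confusable table are assumptions
for the reader to maintain from a trusted source."""
import unicodedata
from urllib.parse import urlsplit

# metamask.io is MetaMask's real domain; extend this list from a trusted source.
ALLOWLIST = {"metamask.io"}
BRAND_KEYWORDS = ("metamask",)
# Assumed digit/symbol substitutions commonly seen in typosquats.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "@": "a", "$": "s"})


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Production code should consult the
    Public Suffix List so that hosts under e.g. '.co.uk' are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold(host):
    """Collapse a hostname to the ASCII letters a human eye would read: strip
    accents, map look-alike digits, drop hyphens and turn 'rn' into 'm'."""
    decomposed = unicodedata.normalize("NFKD", host)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(CONFUSABLES).replace("-", "").replace("rn", "m")


def classify_wallet_url(url, allowlist=ALLOWLIST, keywords=BRAND_KEYWORDS):
    """Return {'host', 'verdict', 'reasons'}; verdict is one of
    'invalid', 'allowlisted', 'suspicious' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not host:
        return {"host": None, "verdict": "invalid", "reasons": ["no hostname"]}
    # The allowlist is matched on the exact registrable domain, never on the
    # folded form, so an accented look-alike cannot normalise onto the list.
    if registrable_domain(host) in allowlist:
        return {"host": host, "verdict": "allowlisted", "reasons": []}
    reasons = []
    if not host.isascii():
        reasons.append("non-ASCII characters in host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    folded = fold(host)
    for kw in keywords:
        if kw in folded:
            reasons.append(f"brand keyword '{kw}' on a non-allowlisted domain")
    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed URLs for demonstration only.
    for u in ("https://metamask.io/download/", "https://metamask.io.example.com/",
              "https://rnetamask-wallet.com", "https://m3tamask.org/app",
              "https://example.com"):
        r = classify_wallet_url(u)
        print(f"{u:40} -> {r['verdict']} {r['reasons']}")
```

The important design point is the order of checks: the allowlist is consulted before any normalisation, so folding (which maps "m3tamask" and "rnetamask" onto "metamask") is only ever used to raise suspicion, never to grant trust. An "unknown" verdict is not a pass; it simply means the domain should be looked up on one of the trusted sources named above before anything is downloaded.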