TL;DR
Yesterday we heard news that Bill Murray’s personal wallet had been compromised leading to the loss of funds raised in the actor's charity NFT collection. Looking onchain, we can see that the exploiter wallet stole 112.05 wETH which was then swapped for ETH. From there, the funds were broken up and sent to Binance. We can see multiple interactions with centralized exchanges that require KYC which give hope to the eventual prosecution of the exploiter.
Event Summary
John Resig, the co-founder and President of The Chive said that Bill Murray was first introduced to the concepts of NFTs in discussions on future Bill Murray image licensing products. Once the actor and comedian became familiar with the concept of digital scarcity, he was happy to go ahead with a collection that would consist of unique stories from his life.
The project's website states that 100% of the funds raised from the collection will go to Chive’s charities which supports military families, first responders and rare medical diagnosis' with life changing grants. You can find more information on the charity work of the organization here
Bill Murray recently introduced his biographical NFT collection which is inspired by the life of the actor, writer and comedian. Firstly, he minted the collection to his wallet and then listed on 0x Exchange with the first round of funds being delivered on 15 July 2022. In total, there have been two airdrops so far raising 240.7 ETH, with charity auction making up 119.2 ETH. The next one is scheduled for 7th September.
Unfortunately, funds that were raised in the charity auction were stolen from Bill Murray’s wallet and sent to EOA 0xaDaC… What we can see is that the transfer of the stolen assets doesn’t show anything malicious which suggests that a seed phrase compromise was highly likely the cause of exploit.
The attacker then swapped the stolen wETH for ETH, before breaking up the stolen funds by sending them to 5 separate EOAs which ultimately found their way to Binance. The exploiter wallet was also funded by EOAs that received their funds from Coinbase. This is important since it should be relatively straight forward in identifying the individual or individuals involved in this case.
Onchain Evidence
Bill Murray wallet was first funded on 30 June 2022 and began receiving funds from his NFT collection on 15th July 2022 where he raised 110.7 ETH. In these transactions, Bill Murray received 1.35 ETH for every NFT sold and raised 110.7 ETH into his wallet.
The next auction was for charity which raised 119.2 ETH in which Bill Murray received 107.28 wETH which we can see in this transaction:
Less than 24 hours later we see a transfer of 112.05 wETH into the exploiter wallet, EOA 0xaDaC… There isn’t anything suspicious about the transaction which suggests that Bill Murray’s seed phrase was highly likely compromised. Once the funds enter the exploiter's wallet, they are then swapped for ETH and distributed to 5 separate wallets, four of which are then transfer the funds to Binance. In total, the hacker stole 112.05 wETH worth $177,873 on the day of the exploit. However funds directly from the auction amounted to $166,308.74.
Using CertiK SkyTrace we can see the breakdown of this flow:
The hackers wallet receives receives a transaction from EOA 0x6139… which can be seen here:
From there, we can see that 0x6139 was funded by Coinbase. This is an important detail because it means that there is a KYC record of the wallet that funded the hacker, as well as the wallets that sent the funds to Binance.
Luckily, Bill’s personal NFT collection was safe guarded by transferring them to 0x971E multisig wallet
Conclusion: Protect Your Seed Phrase
Due to no obvious onchain exploit that allowed the hacker to steal funds from Bill Murray, the only other explanation is that the actor’s seed phrase was compromised. Once a malicious actor has this, they are able to take control of your wallet and move funds out as they please. There are some ways in which you can protect yourself from this kind of compromise. Firstly, never store your seed phrase on your computer. If your device is compromised then that puts your seed phrase at risk. Secondly, consider investing in a cold wallet.
CertiK’s highly skilled and motivated analysts are always here to help trace stolen assets and report to our law enforcement network.
