Bill Murray Hacked Wallet
9/2/2022
TL;DR

Yesterday we heard news that Bill Murray’s personal wallet had been compromised, leading to the loss of funds raised in the actor's charity NFT collection. Looking onchain, we can see that the exploiter wallet stole 112.05 wETH, which was then swapped for ETH. From there, the funds were broken up and sent to Binance. We can see multiple interactions with centralized exchanges that require KYC, which gives hope for the eventual prosecution of the exploiter.

Event Summary

John Resig, the co-founder and President of The Chive, said that Bill Murray was first introduced to the concept of NFTs in discussions on future Bill Murray image licensing products. Once the actor and comedian became familiar with the concept of digital scarcity, he was happy to go ahead with a collection that would consist of unique stories from his life.

The project's website states that 100% of the funds raised from the collection will go to Chive’s charities, which support military families, first responders and those with rare medical diagnoses through life-changing grants. You can find more information on the charity work of the organization here.

Bill Murray recently introduced his biographical NFT collection, which is inspired by the life of the actor, writer and comedian. He first minted the collection to his wallet and then listed it on 0x Exchange, with the first round of funds being delivered on 15 July 2022. In total, there have been two airdrops so far raising 240.7 ETH, with the charity auction making up 119.2 ETH. The next one is scheduled for 7th September.

Unfortunately, funds that were raised in the charity auction were stolen from Bill Murray’s wallet and sent to EOA 0xaDaC… What we can see is that the transfer of the stolen assets doesn’t show anything malicious, which suggests that a seed phrase compromise was highly likely the cause of the exploit.

The attacker then swapped the stolen wETH for ETH, before breaking up the stolen funds by sending them to 5 separate EOAs, from which they ultimately found their way to Binance. The exploiter wallet was also funded by EOAs that received their funds from Coinbase. This is important since it should be relatively straightforward to identify the individual or individuals involved in this case.

Onchain Evidence

Bill Murray’s wallet was first funded on 30 June 2022 and began receiving funds from his NFT collection on 15th July 2022, when he raised 110.7 ETH. In these transactions, Bill Murray received 1.35 ETH for every NFT sold.

The next auction was for charity and raised 119.2 ETH, of which Bill Murray received 107.28 wETH, as we can see in this transaction:

Less than 24 hours later we see a transfer of 112.05 wETH into the exploiter wallet, EOA 0xaDaC… There isn’t anything suspicious about the transaction, which suggests that Bill Murray’s seed phrase was highly likely compromised. Once the funds enter the exploiter's wallet, they are swapped for ETH and distributed to 5 separate wallets, four of which then transfer the funds to Binance. In total, the hacker stole 112.05 wETH worth $177,873 on the day of the exploit. However, funds directly from the auction amounted to $166,308.74.

Using CertiK SkyTrace we can see the breakdown of this flow:

The hacker's wallet receives a transaction from EOA 0x6139…, which can be seen here:

From there, we can see that 0x6139 was funded by Coinbase. This is an important detail because it means that there is a KYC record of the wallet that funded the hacker, as well as the wallets that sent the funds to Binance.
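
The tracing described above, forward from the victim wallet to exchange deposits and backward from the exploiter wallet to its funding source, can be sketched as a graph walk over transfer records. This is an added example, not CertiK SkyTrace code; the wallet names, per-hop amounts and exchange label set are constructed placeholders.

```python
from collections import defaultdict, deque
from decimal import Decimal

# Constructed sample data: (sender, receiver, amount). Names and per-hop amounts are
# placeholders; only the 112.05 total, five-way split and exchange names are from the text.
HOPS = ["hop1", "hop2", "hop3", "hop4"]
TRANSFERS = [("coinbase_hot", "funder", "0.5"), ("funder", "exploiter", "0.4"),
             ("victim", "exploiter", "112.05"), ("exploiter", "hop5", "12.05")]
TRANSFERS += [("exploiter", h, "25") for h in HOPS]
TRANSFERS += [(h, "binance_deposit", "25") for h in HOPS]
# Assumed label set mapping known exchange addresses to exchange names.
EXCHANGES = {"coinbase_hot": "Coinbase", "binance_deposit": "Binance"}

def build(transfers):
    """Index transfers as outgoing and incoming adjacency lists."""
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for src, dst, amt in transfers:
        out_edges[src].append((dst, Decimal(amt)))
        in_edges[dst].append((src, Decimal(amt)))
    return out_edges, in_edges

def walk(start, edges):
    """BFS from start; exchange addresses are recorded but never expanded."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in EXCHANGES:
            continue
        for nxt, _ in edges[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def trace_forward(victim, transfers=TRANSFERS):
    """Return ({exchange: amount deposited}, [wallets with no onward transfer])."""
    out_edges, _ = build(transfers)
    reached = walk(victim, out_edges) - set(EXCHANGES)
    deposits = defaultdict(Decimal)
    for src in reached:
        for dst, amt in out_edges[src]:
            if dst in EXCHANGES:
                deposits[EXCHANGES[dst]] += amt
    return dict(deposits), sorted(n for n in reached if not out_edges[n])

def funding_sources(wallet, transfers=TRANSFERS):
    """Exchanges that appear upstream of the given wallet."""
    _, in_edges = build(transfers)
    return sorted(EXCHANGES[n] for n in walk(wallet, in_edges) if n in EXCHANGES)
```

Stopping the walk at labelled exchange addresses matters: an exchange hot wallet mixes many customers' funds, so expanding past it would pull unrelated wallets into the trace.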

Luckily, Bill’s personal NFT collection was safeguarded by transferring it to the 0x971E multisig wallet.

Conclusion: Protect Your Seed Phrase

Because there was no obvious onchain exploit that allowed the hacker to steal funds from Bill Murray, the only other explanation is that the actor’s seed phrase was compromised. Once a malicious actor has this, they are able to take control of your wallet and move funds out as they please. There are some ways in which you can protect yourself from this kind of compromise. Firstly, never store your seed phrase on your computer. If your device is compromised, then your seed phrase is at risk. Secondly, consider investing in a cold wallet.

CertiK’s highly skilled and motivated analysts are always here to help trace stolen assets and report to our law enforcement network.