As the Arbitrum (ARB) airdrop became the largest and most anticipated retroactive token distribution in the history of crypto, a number of hackers decided to get the most out of it. Here's how some of them managed to benefit from the most impressive "cash rain" in Web3.
$500,000 from vanity addresses: Hacker used well-known vulnerability
On March 23, 2023, Alexander Tkachenko, founder and CEO of the Hashscan NFT growth platform, shared his analysis of the potential hack of wallets eligible for the Arbitrum (ARB) airdrop. All of them were created with Profanity, an easy-to-use tool for generating so-called "vanity addresses."
jq (@jackqack), March 23, 2023: "Someone made $500k+ by claiming Arbitrum airdrop with hacked vanity addresses"
Mr. Tkachenko pointed to a number of "vanity addresses," unusual Ethereum (ETH) addresses with personalized names like 0xaaaaaaaaad57... and so on, that the hacker might be using to receive the airdrop. Allegedly, he or she exploited the vulnerability in the Profanity mechanism that made stealing private keys easy for some vanity addresses.
Even before the airdrop, crypto intelligence firm Arkham spotted a wallet that was preparing to collect airdrop rewards from over 2,400 presumably hacked wallets. Its owner was sending small amounts of ETH to those wallets to pay for the gas needed to claim ARB.
Arkham (@ArkhamIntel), March 20, 2023:
"gm
A reported hacker on Arbitrum has been sending money over the past 12 hours to around 2400 presumably compromised wallets.
These wallets then approve the ARB token in anticipation of receiving the airdrop.
address - 0x59d4087f3ff91da6a492b596cbde7140c34afb19"
By press time, the address of the alleged attacker had already withdrawn almost 22,000 ARB to third-party wallets. As the ARB price has stabilized in the last few hours, this is equal to about $30,000. However, during peak network activity, the hacker was able to sell this loot for $220,000.
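One way a monitoring team could surface the pattern Arkham described, a single address sending small gas top-ups to many wallets that then approve the token, shown here as an added example that is not from the article or from Arkham. The record layout, thresholds and every address are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

ARB = "0xARB_TOKEN"  # placeholder, not the real token contract address

# Constructed sample data (not real chain records); all addresses are placeholders.
TRANSFERS = [  # (block, sender, recipient, eth_value), sorted by block
    (100, "0xFUNDER", "0xW1", 0.002),
    (101, "0xFUNDER", "0xW2", 0.002),
    (102, "0xFUNDER", "0xW3", 0.002),
    (103, "0xFUNDER", "0xW4", 0.002),
    (104, "0xEXCHANGE", "0xU1", 1.5),   # large withdrawals, not gas dust
    (105, "0xEXCHANGE", "0xU2", 2.0),
    (106, "0xEXCHANGE", "0xU3", 0.9),
    (107, "0xFRIEND", "0xU1", 0.005),   # small, but only one recipient
]
APPROVALS = [  # (block, owner, token, spender)
    (110, "0xW1", ARB, "0xSPENDER"),
    (111, "0xW2", ARB, "0xSPENDER"),
    (112, "0xW3", ARB, "0xSPENDER"),
    (113, "0xU1", ARB, "0xDEX"),
    (90, "0xW4", ARB, "0xDEX"),  # approval made before the top-up: not counted
]


def flag_gas_funders(transfers, approvals, token, max_eth=0.01,
                     min_recipients=3, min_ratio=0.7):
    """Map each suspicious funder to (wallets that approved after funding, top spender)."""
    first_funded = defaultdict(dict)  # funder -> {wallet: block of first small top-up}
    for block, sender, recipient, value in transfers:
        if 0 < value <= max_eth:
            first_funded[sender].setdefault(recipient, block)
    flagged = {}
    for funder, wallets in first_funded.items():
        spenders, hits = Counter(), set()
        for block, owner, tok, spender in approvals:
            # Count only approvals of the watched token made after the top-up.
            if tok == token and owner in wallets and block > wallets[owner]:
                hits.add(owner)
                spenders[spender] += 1
        if len(wallets) >= min_recipients and len(hits) / len(wallets) >= min_ratio:
            top = spenders.most_common(1)[0][0] if spenders else None
            flagged[funder] = (sorted(hits), top)
    return flagged


if __name__ == "__main__":
    print(flag_gas_funders(TRANSFERS, APPROVALS, ARB))
```

A shared spender across the funded wallets is the strongest signal in the output, since unrelated users rarely approve the same address right after receiving dust from the same funder.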
253 million ARB tokens distributed among Sybil attackers
Meanwhile, the most detailed report about suspicious activity around the ARB airdrop was released by Chinese journalist Colin Wu and the X-Explore team. They tracked the behavior of "abuser" wallets created for Sybil attacks, i.e., to gain an inappropriate allocation of ARB tokens.
While all modern airdrops have multi-level Sybil protection filters, some of them appeared to be too easy to circumvent. For instance, Arbitrum (ARB) tokens were assigned to Sybil attackers who used bridges, centralized exchanges or smart contracts. Also, Sybil hunters active on other chains — Optimism and Ethereum — were not excluded from distribution.
As a result, researchers say, 150,000 Sybil addresses and at least 4,000 Sybil communities managed to pass all eligibility checks. As such, almost one out of four ARB tokens ended up in their pockets.
As covered by U.Today previously, the Arbitrum L2 scaler for Ethereum (ETH) distributed 1.16 ARB tokens among early testers and the most active DAOs on March 23, 2023.