Yesterday, cybersecurity firm Beosin posted an update on Twitter about the recent Multichain exploit. Beosin’s team has detected a transfer of ETH, DAI, USDC, fUSDT, WBTC, and WETH worth almost $103.3 million from Ethereum, Polygon, Arbitrum, Avalanche, BNB Chain, Optimism, Cronos and Moonbeam to the attacker's address.
This time, the hacker transferred the largest amounts in fUSDT ($29,657,932), USDC ($23,999,250), and WETH ($17,168,126).
Beosin emphasizes that the actor responsible for the transfers exhibits very specific behavior. First, the exploiter uses privileged access to move significant amounts of money. Second, the assets transferred are those protected by the protocol's private keys. Finally, the actor takes quite long pauses between transfers.
Back on July 7, when another cybersecurity firm, PeckShield, announced the possible hack, Beosin shared its analysis of the incident with the Twitter community. At the time, Beosin noted, "The interval between each transaction ranges from a few minutes to more than ten minutes, which can roughly rule out the possibility that 'hackers' are stealing in bulk through scripts or vulnerabilities."
The company suggested that the six addresses originally used by the attacker may have been created for temporary purposes, while the private keys are in all likelihood backed up.
"This indicates that the attacker may have taken control of all the assets and is not in a hurry to transfer them. Based on the previous analysis, we speculate that it may be from an internal operation," Beosin’s team surmises.
In an earlier tweet, Beosin also spoke of three possible methods the exploiter could have used. One is an attack on the server side of Multichain, which could have allowed the hacker to gain control of the entire project, while it is also possible that the malicious actor "attacked the project's device, obtained the private key, and directly transferred funds using the private key."
Beosin also stresses the possibility that the exploit is Multichain's own responsibility. The cybersecurity firm highlights the Multichain team's delayed response in moving the remaining funds to safety. Moreover, Multichain did not halt its operations immediately after the exploit was detected.
A day before Beosin’s report on the new transfer was released, the Web3 analytics company Chainalysis had published its theory about the Multichain exploit. Although Chainalysis acknowledges that the "experimental designs" of the cross-chain bridge protocols, combined with the allocation of "large, centralized repositories of assets bridged by users to other blockchains," are "lucrative targets for hackers," the team nevertheless suspects that the incident was an "inside job or rug pull."
As evidence for this theory, Chainalysis mentioned the disappearance of the pseudonymous Multichain CEO Zhaojun, with whom the bridge protocol’s team is believed to have had no contact since May 31, 2023.
"In the past two days, the Multichain protocol has experienced multiple issues due to unforeseeable circumstances. The team has done everything possible to maintain the protocol running, but we are currently unable to contact CEO Zhaojun and obtain the necessary server access for maintenance," the Multichain team tweeted on May 31, adding that an issue had also occurred during the scanning of Router5's node network. The team also reported that the same problem had affected Route2 a week earlier.
As a result, Multichain decided "to suspend the corresponding cross-chain service for the affected chain on the UI." The team named Omax, Findora, Planq, Kekchain, PublicMint, Dyno Chain, Ekta, HPB, ONUS, Red Light Chain, and Dexit as the chains affected by the problem.
Presumably, Multichain's technical problems were exacerbated by the absence of Zhaojun, who was rumored to have been arrested in China, where police supposedly seized $1.5 million from him.
Chainalysis also mentioned the unusual behavior of the Multichain exploiter, who did not exchange USDC and other centrally controlled assets. The firm notes that this is atypical for hackers, who usually swap such assets as soon as possible. As a result, Circle and Tether froze the addresses that held nearly $65 million stolen from Multichain.
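The behavioral indicators that Beosin and Chainalysis describe above (privileged large outflows, minutes-long gaps between transfers rather than a scripted burst, and freezable stablecoins left unswapped) can be checked mechanically over a transfer feed. The following is an added example written for this article, not code from Beosin, Chainalysis or Multichain; the Event record, the thresholds, the FREEZABLE list and the sample events are all constructed.

```python
from dataclasses import dataclass
from statistics import median

# Issuer-controlled tokens that can be frozen on request (assumed short list).
FREEZABLE = {"USDC", "USDT", "fUSDT"}

@dataclass
class Event:
    ts: int       # unix seconds
    chain: str
    token: str
    usd: float    # value at the time of the event
    kind: str     # "outflow" from bridge custody, or "swap" by the receiving address

def gap_stats(events):
    """Seconds between consecutive custody outflows, ordered by time."""
    ts = sorted(e.ts for e in events if e.kind == "outflow")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {"min": min(gaps), "median": median(gaps), "max": max(gaps)} if gaps else {}

def assess(events, script_gap_s=60, big_usd=1_000_000):
    """Score a batch against the three indicators: privileged large outflows,
    cadence (median gap under script_gap_s reads as a scripted drain, minutes-long
    gaps as a key holder working by hand), and freezable tokens moved but never swapped."""
    out = [e for e in events if e.kind == "outflow"]
    stats = gap_stats(events)
    swapped = {e.token for e in events if e.kind == "swap"}
    return {
        "total_usd": sum(e.usd for e in out),
        "chains": sorted({e.chain for e in out}),
        "large_outflows": sum(1 for e in out if e.usd >= big_usd),
        "scripted_cadence": bool(stats) and stats["median"] < script_gap_s,
        "freezable_unswapped": sorted({e.token for e in out if e.token in FREEZABLE} - swapped),
    }

# Constructed sample: five custody outflows minutes apart, then one WETH swap.
T0 = 1_688_700_000
SAMPLE = [
    Event(T0,        "ethereum", "USDC",  2_400_000, "outflow"),
    Event(T0 + 240,  "polygon",  "fUSDT", 3_100_000, "outflow"),
    Event(T0 + 900,  "arbitrum", "WETH",  1_700_000, "outflow"),
    Event(T0 + 1500, "bnb",      "DAI",     400_000, "outflow"),
    Event(T0 + 1620, "ethereum", "WBTC",    900_000, "outflow"),
    Event(T0 + 1700, "ethereum", "WETH",     50_000, "swap"),
]
# Constructed contrast: six outflows five seconds apart, as a script would emit them.
SCRIPTED = [Event(T0 + 5 * i, "ethereum", "USDC", 100_000, "outflow") for i in range(6)]

if __name__ == "__main__":
    print(assess(SAMPLE), assess(SCRIPTED), sep="\n")
```

The sample batch reports a median gap of seven minutes, three outflows above the threshold and USDC/fUSDT moved but never swapped, while the scripted batch trips the cadence flag.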
In addition, on-chain detective Spreek reported another suspicious activity related to Multichain on Twitter yesterday. According to Spreek, the protocol’s executor "took anyToken addresses across many chains moving them all to a new EOA."
"It is unclear whether this is authorized behavior. Previously, the same method was used yesterday by a different MPC address on the anyUSDT token on the mainnet. The tokens were then immediately sold to ETH, suggesting that this similar address was the actions of a malicious actor," Spreek continued.
Meanwhile, scammers continue to pose as the Multichain support services and lure crypto users with promises of compensation.
Immediately after the suspicious withdrawal activity on Multichain became known, scammers flooded Twitter with fake posts purporting to come from Multichain and looking quite genuine. Furthermore, the scammers are using accounts marked with a blue checkmark, which, according to Twitter, means the account has an active subscription to Twitter Blue and meets eligibility requirements.
The professional appearance of the accounts used by the Multichain scammers has triggered discussion in the crypto community, which wonders how it was possible to prepare an entire website and domain, and even obtain a blue-checkmark Twitter page, so soon after the announcement of the abnormal activity on Multichain.
"The fake Twitter account and the blue check were prepared a long time ago, and a phishing site takes only a few hours to set up," Beosin explained. According to its June 7 report, the scammers stole at least $44,000 from Multichain users who wanted to get compensation for the stolen funds.