The largest theft in the history of virtual money: $1.5 billion in assets transferred by a hacker
Virtual money trading platform suffers a major security incident, causing industry turmoil
On February 21, 2025, a well-known virtual money trading platform suffered a serious security breach in which approximately $1.5 billion in assets was stolen from its Ethereum cold wallet. The incident is considered the largest single theft in the history of virtual money, surpassing previous records such as the $611 million stolen from a certain online platform in 2021 and the $620 million stolen from a certain game-related network in 2022, and it has had a huge impact on the entire industry.
This article details the incident and the money laundering methods used, and reminds readers that large-scale fund freezes targeting over-the-counter trading groups and virtual money payment companies may follow in the coming months.
Theft Process
According to statements from the trading platform's executives and a preliminary investigation by a certain data analysis platform, the theft proceeded roughly as follows:
Attack Preparation: The hacker deployed a malicious smart contract at least three days before the incident (February 19) to prepare for the subsequent attack.
Infiltrating the multi-signature system: The platform's Ethereum cold wallet uses a multi-signature mechanism, which typically requires multiple authorized signatories to execute transactions. Hackers infiltrated the computer managing the multi-signature wallet through unknown means, possibly using a disguised interface or malware.
Cloaked Transactions: On February 21, the platform planned to transfer ETH from the cold wallet to the hot wallet to meet daily trading needs. Hackers took advantage of this opportunity, disguising the transaction interface as normal operations, and induced the signer to confirm what appeared to be a legitimate transaction. However, the signature actually executed a directive that altered the logic of the cold wallet smart contract.
Fund Transfer: After the instructions took effect, the hacker quickly took control of the cold wallet and transferred approximately $1.5 billion worth of ETH and ETH staking certificates to an unknown address. Subsequently, the funds were dispersed to multiple wallets and began the money laundering process.
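The disguised-transaction step succeeded because the signers approved what the interface displayed rather than the bytes actually being signed. The sketch below is an added example, not code from the platform or any wallet vendor: run on a separate machine, it compares the raw (to, value, data) fields presented for signature with the planned cold-to-hot transfer. The `Intent` structure, the policy and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)

@dataclass(frozen=True)
class Intent:
    """The transfer operations planned to make (hypothetical structure)."""
    recipient: str                # approved hot wallet
    amount: int                   # wei, or token base units
    token: Optional[str] = None   # None means a plain ETH transfer

def norm(addr: str) -> str:
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def check_payload(intent: Intent, to: str, value: int, data: bytes) -> List[str]:
    """Return every mismatch between the raw payload and the intent."""
    problems = []
    if intent.token is None:
        # Plain ETH: target is the hot wallet, value is the amount, no calldata.
        if norm(to) != norm(intent.recipient):
            problems.append("target is not the approved hot wallet")
        if value != intent.amount:
            problems.append("value differs from the planned amount")
        if data:
            problems.append("calldata present on a plain ETH transfer")
        return problems
    # Token: target is the token contract and calldata is transfer(recipient, amount).
    if norm(to) != norm(intent.token):
        problems.append("target is not the expected token contract")
    if value != 0:
        problems.append("ETH attached to a token transfer")
    if len(data) != 68 or data[:4] != TRANSFER_SELECTOR:
        return problems + ["calldata is not transfer(address,uint256)"]
    if data[4:16] != bytes(12) or data[16:36].hex() != norm(intent.recipient):
        problems.append("token recipient is not the approved hot wallet")
    if int.from_bytes(data[36:68], "big") != intent.amount:
        problems.append("token amount differs from the planned amount")
    return problems

def encode_transfer(recipient: str, amount: int) -> bytes:
    """Build transfer() calldata for the constructed samples below."""
    return (TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(norm(recipient))
            + amount.to_bytes(32, "big"))

# Constructed sample addresses, not real accounts.
HOT, TOKEN, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20

if __name__ == "__main__":
    plan = Intent(recipient=HOT, amount=10**18)
    print(check_payload(plan, HOT, 10**18, b""))                     # matches the plan
    print(check_payload(plan, OTHER, 0, encode_transfer(OTHER, 1)))  # three mismatches
```

Any non-empty result means the payload is not the planned transfer and should not be signed, whatever the signing interface shows.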
Money Laundering Techniques
The laundering of funds can be roughly divided into two stages:
The first stage is the initial splitting of funds. The attacker quickly exchanged the ETH staking certificate tokens for ETH, rather than for stablecoins that might be frozen. They then methodically split the ETH and transferred it to lower-level addresses in preparation for laundering.
At this stage, the attacker's attempt to exchange 15,000 mETH for ETH was thwarted, preventing greater losses for the industry.
The second stage is the laundering itself. The attacker moves the ETH through various centralized or decentralized pieces of industry infrastructure, including multiple cross-chain transactions and decentralized trading platforms. Some platforms are used to exchange funds, while others are used to transfer funds across chains.
As of now, a large amount of stolen funds has been converted into mainstream cryptocurrencies such as Bitcoin, Dogecoin, Solana, etc., and some people have even issued meme coins or transferred funds to exchange addresses for obfuscation.
A data analysis platform is monitoring and tracking addresses related to the stolen funds, and the relevant information is pushed to its professional version and to a certain decentralized trust platform so that users do not mistakenly receive stolen funds.
Criminal Record Analysis
Analysis of a specific address in the capital chain reveals that this address is related to two theft incidents that occurred in October 2024 and January 2025, suggesting that these three attacks may have been orchestrated by the same entity.
Given the highly industrialized money laundering techniques and attack methods, some blockchain security practitioners attribute this incident to a notorious hacker organization that has launched cyber attacks on institutions or infrastructure in the virtual money industry multiple times over the past few years, illegally acquiring cryptocurrencies worth billions of dollars.
Freezing Risk
In its investigations over the past few years, a data analysis platform has found that the organization not only launders money through unlicensed industry infrastructure but also relies heavily on centralized platforms to sell off funds. As a direct result, a large number of exchange users' accounts that received illicit funds, whether intentionally or unintentionally, have been placed under risk control, and the business addresses of OTC traders and payment institutions have been frozen.
In 2024, a Japanese virtual money exchange was attacked, and Bitcoin worth up to $600 million was illegally transferred. The attackers moved part of the funds to a virtual money payment institution in Southeast Asia, which led to the institution's hot wallet address being frozen and over $29 million in funds being locked and unable to be transferred.
In 2023, another trading platform was attacked, and over 100 million USD worth of funds were illegally transferred. Some of the funds were laundered through over-the-counter trading, which led to the business addresses of many over-the-counter traders being frozen, or to risk controls being applied to the exchange accounts they used to hold business funds, with a huge impact on their business activities.
Summary
Frequent hacker attacks have caused significant losses to the virtual money industry, and the subsequent money laundering has tainted a growing number of personal and institutional addresses. For these innocent parties and potential victims, it is essential to closely monitor such high-risk funds in the course of business so that their own interests are not affected.
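One way an OTC desk or payment company can put this monitoring into practice is to measure how much of an incoming balance traces back to flagged addresses. The following is an added example, not the data analysis platform's method: it applies the "haircut" taint rule, a common approach in blockchain analytics, to a constructed ledger in which the names stand in for addresses and the review threshold is an assumption.

```python
from fractions import Fraction

def haircut_exposure(transfers, flagged):
    """Replay (sender, receiver, amount) transfers in chronological order and
    return {address: tainted share of its remaining balance}.

    Haircut rule: each payment carries the sender's current tainted share.
    Assumptions: flagged addresses send fully tainted funds; balances held
    before the observed window are clean.
    """
    balance, tainted = {}, {}
    zero = Fraction(0)
    for sender, receiver, amount in transfers:
        amount = Fraction(amount)
        if amount <= 0:
            continue
        if sender in flagged:
            moved = amount                      # fully tainted at the source
        else:
            # Top up unseen prior funds as clean so the share stays in [0, 1].
            have = max(balance.get(sender, zero), amount)
            moved = amount * tainted.get(sender, zero) / have
            balance[sender] = have - amount
            tainted[sender] = tainted.get(sender, zero) - moved
        balance[receiver] = balance.get(receiver, zero) + amount
        tainted[receiver] = tainted.get(receiver, zero) + moved
    return {a: tainted[a] / b for a, b in balance.items() if b > 0}

def needs_review(transfers, flagged, threshold=Fraction(1, 10)):
    """Addresses whose tainted share is at or above the review threshold."""
    shares = haircut_exposure(transfers, flagged)
    return sorted(a for a, s in shares.items() if a not in flagged and s >= threshold)

# Constructed sample ledger; names stand in for addresses.
FLAGGED = {"THIEF"}
LEDGER = [
    ("THIEF", "A", 100),          # stolen funds leave the flagged address
    ("EXT1", "B", 300),           # clean funds arrive at B
    ("A", "B", 100),              # B now holds 400, of which 100 is tainted
    ("B", "OTC_DESK", 200),       # carries 1/4 taint
    ("EXT2", "OTC_DESK", 200),    # clean funds dilute the desk's share
    ("B", "PAYMENT_CO", 40),      # carries 1/4 taint
]

if __name__ == "__main__":
    for addr, share in sorted(haircut_exposure(LEDGER, FLAGGED).items()):
        print(addr, float(share))
    print(needs_review(LEDGER, FLAGGED))
```

The OTC desk ends up two hops from the flagged address with a diluted share, which is the situation the freezing cases above describe: funds received in ordinary business that still carry enough exposure to trigger risk controls.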