$160 Million Wintermute Hack: Allegedly an ‘Inside Job’

DeFi Editors' Choice
$160 Million Wintermute Hack: Allegedly an ‘Inside Job’

The Wintermute crypto fraud analysis has revealed evidence of a possible in-house operation. Recent detailed observation shows that a member of the Wintermute team might have executed the hack. 

Analysts Suspect Wintermute Insider on $160M Crypto Hack

Hacks and frauds have recently been a common news feature in the crypto industry. It gets even scarier with team members allegedly hacking their own network.

On the 20th of this month, the news of Wintermute’s loss of about $160 million in crypto made the rounds on all tech news platforms. And just when we were beginning to recover, a viral analysis on Medium made shocking revelations about the crypto fraud. 

In the recent Wintermute attack, about 70 different NFTs were eliminated on the network. The hacker was said to have exploited a bug in the organization’s smart contract, which gave them access to 70 tokens, including $29.5 million in Tether (USDT), $61.4 million in USD Coin (USDC), and $13m Wrapped Bitcoin (wBTC).

However, upon extensive analysis of the attack, evidence that an internal party could have executed the hack has surfaced.

Evidence of In-house Operation

According to a Medium post shared by James Edwards, there are obvious transparency concerns surrounding Wintermute. In his opinion, several shady transactions and smart contract codes do not match the post-mortem analysis.

Considering how Wintermute’s smart contracts were interacted with and exploited, chances are that an internal agent conducted the hack.

The EOA Theory Debunked

Edward has highlighted how the existing presumptions focusing on an externally owned address (EOA) might be wrong. 

The initial theory states an EOA called on the ‘compromised’ Wintermute smart contract, which was itself compromised through the team’s use of a faulty “online vanity address generator tool”. 

New opinions suggest that the hacker could control the Wintermute smart contract, which allegedly had admin access, by obtaining the private key for that EOA. However, there is no evidence of uploaded or verified code for the smart contract in question. This makes it difficult to confirm that the attack was from an external agent.

According to Edward, “This, in itself, is an issue in terms of transparency on behalf of the project. One would expect any smart contract responsible for the management of user/customer funds that’s been deployed onto a blockchain to be publicly verified to allow the general public an opportunity to examine and audit the unflattened Solidity code,”

Wintermute’s Transactions To Compromised Smart Contracts

Following the attack, Wintermute’s etherscan transaction history has shown transfers of more than $13 million USDT in two different exchanges to a compromised smart contract. Soon after this transaction, all of the said Tether was sent out from the wallet in a manual transfer to the smart contract. A regular wallet address initiated this transfer. 

This raises questions about the possibility of the team initiating “two withdrawals from two different exchanges (Binance and Kraken) to their smart contract less than two minutes from the time they were compromised?”

This possibility only implies that the hacker was able to compromise the team’s exchange accounts. Which is impossible for an outsider without the knowledge of the existence of these accounts.

More Questions

Another pointer to the possibility of an inside job has been noted in Wintermute’s use of the profanity wallet generator containing huge amounts. Profanity tools are known to be vulnerable and susceptible to attacks.