<p><span style="font-weight: 400;">A hacker drained $3.3 million from multiple Ethereum addresses generated with a tool called Profanity, according to <a href="https://etherscan.io/txs?a=0x6ae09ac63487fcf63117a6d6fafa894473d47b93">on-chain data</a> from Etherscan.</span></p>
<p><span style="font-weight: 400;">Anonymous security analyst ZachXBT first <a href="https://twitter.com/zachxbt/status/1570927217840132097">noticed</a> the exploit, which took place on September 16.</span></p>
<p><span style="font-weight: 400;">Vanity addresses are custom wallet addresses that contain identifiable names or numbers. They are used in the crypto sector primarily to show off, much in the way car drivers pay over the odds for expensive license plates. These addresses can be created using certain tools, one of them being Profanity.</span></p>
<p><span style="font-weight: 400;">Last week, decentralized exchange aggregator 1inch <a href="https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c">published</a> a security disclosure report claiming that “vanity addresses” generated with Profanity were not secure. Per 1inch, the private keys linked to Profanity-generated addresses could be extracted with brute-force calculations.</span></p>
<p><span style="font-weight: 400;">But the security issue highlighted by 1inch could not be fixed in time to prevent an exploit. Development work on Profanity stopped a few years ago, according to its anonymous developer, who goes by "johguse."</span></p>
<p><span style="font-weight: 400;">Even before 1inch's report, johguse had recognized the vulnerability in the tool and <a href="https://github.com/johguse/profanity">warned</a> users against its use. In a subsequent investigation, on-chain sleuth ZachXBT last Friday claimed an unknown hacker had seemingly exploited the very same vulnerability to drain an estimated $3.3 million in crypto assets from various Profanity-based addresses soon after the report by 1inch. The stolen funds moved from victims’ addresses to a new Ethereum <a href="https://etherscan.io/address/0x6ae09ac63487fcf63117a6d6fafa894473d47b93#tokentxns">address</a> believed to be controlled by the hacker.</span></p>
<p><span style="font-weight: 400;">The $3.3 million exploit has drawn comments from experts who suspect that malicious hackers may have known about the security issue in advance.</span></p>
<p><span style="font-weight: 400;">“Seems like the attackers were sitting on this vulnerability, trying to find as many private keys as possible of vulnerable Profanity-generated vanity addresses before the vulnerability gets known. Once publicly exposed by 1inch, the attackers cashed out in a few minutes from multiple vanity addresses,” Tal Be'ery, security lead and chief technology officer at ZenGo, <a href="https://twitter.com/TalBeerySec/status/1571616042291499012">said</a>.</span></p>
<p><span style="font-weight: 400;">Notably, 1inch had also stated in its report that the vulnerability had previously been used by hackers for potential exploits worth millions of dollars. To reach that conclusion, 1inch claimed that it was able to recompute some of the private keys of Profanity’s vanity addresses with GPU chips.</span></p>
<p><span style="font-weight: 400;">"We have proof of concept of recovering a private key from a public key. So you can send us a public key (not address) generated via Profanity and we'll send you back a private one," the team told The Block in a statement.</span></p><br /><span class="copyright"><p>© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.</p> </span>
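<p>The article characterises vanity addresses by the recognisable patterns they carry and relays 1inch's and johguse's advice against trusting Profanity-generated ones. For a team that holds many wallets, the first defensive step is simply to find out which of its own addresses look hand-picked at all, so that their generation history can be checked and funds moved if needed. The Python script below is an added example written for this page; it is not code from The Block, 1inch, ZachXBT or the Profanity project. Its heuristics (a run of identical hex digits at either end of the address, or a short hex "word" as prefix or suffix from an assumed list), the threshold <code>min_run</code>, and the sample addresses are all constructed assumptions, and a match only says an address looks chosen rather than random; it does not prove which tool produced it.</p>

```python
import re

# A 20-byte Ethereum address: "0x" followed by 40 hex digits.
HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Short hex "words" people commonly want at the start or end of a vanity
# address. Assumption: an illustrative list, not taken from any tool.
VANITY_WORDS = ("dead", "beef", "cafe", "babe", "face", "c0de", "1234", "abcd")


def leading_run(s: str) -> int:
    """Length of the run of identical characters at the start of s."""
    if not s:
        return 0
    n = 1
    while n < len(s) and s[n] == s[0]:
        n += 1
    return n


def vanity_features(address: str, min_run: int = 6) -> dict:
    """Describe why an address does or does not look hand-picked.

    A run of min_run identical hex digits at one end of a uniformly random
    address occurs with probability about 16**-(min_run - 1), so a run of
    six or more is a strong hint that someone searched for it.
    """
    if not HEX_ADDRESS.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    body = address[2:].lower()
    lead = leading_run(body)
    trail = leading_run(body[::-1])
    word_hits = [w for w in VANITY_WORDS if body.startswith(w) or body.endswith(w)]
    return {
        "address": address,
        "leading_run": lead,
        "trailing_run": trail,
        "word_hits": word_hits,
        "looks_vanity": lead >= min_run or trail >= min_run or bool(word_hits),
    }


def flag_vanity_addresses(addresses, min_run: int = 6) -> list:
    """Return the subset of addresses that look like vanity addresses."""
    return [a for a in addresses if vanity_features(a, min_run)["looks_vanity"]]


# Constructed sample inventory (made-up addresses, not real wallets): two that
# look hand-picked and one that looks uniformly random.
SAMPLE_ADDRESSES = [
    "0x00000000c1f2e3d4a5b6c7d8e9f0a1b2c3d4e5f6",  # eight leading zeros
    "0xdeaddead1234567890abcdef1234567890abcdef",  # "dead" prefix
    "0x7e3c2a9b41f06d58c1e9a0b73d4f5e6a2b8c9d01",  # no obvious pattern
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        f = vanity_features(a)
        verdict = "REVIEW" if f["looks_vanity"] else "ok"
        print(f"{a}  lead={f['leading_run']} trail={f['trailing_run']} "
              f"words={f['word_hits']}  {verdict}")
```

<p>Run against a real inventory, every address marked REVIEW should be traced back to how it was generated; an address that merely happens to start with a few zeros is not evidence of a weak key, while one known to come from Profanity is exactly the case the article says should be emptied.</p>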