MyAlgo hack: First Wave - Addresses & Data
This article presents data from the initial MyAlgo attack wave - February 20 - as well as subsequent movements of stolen funds. 24 addresses were impacted for an approximate value of $9.4MM. We highlight some DeFi transactions executed by the attackers.
The MyAlgo attacks have so far been clustered around three distinct waves, roughly corresponding to these dates:
First Wave: February 20, 2023
Second Wave: March 5, 2023
Third Wave: March 6, 2023
This article presents data from the initial wave - February 20 - as well as subsequent movements of stolen funds on March 5th. Wallets attacked on March 5th are not included.
Aggregates and Addresses
In the first wave, 24 addresses were impacted for the following aggregate losses:
The approximate value at the time was $9.4MM.
The impacted addresses are:
You can find a timeline view of all attacker transactions relating to these accounts in this spreadsheet. Atomic group transactions have been parsed down to inputs and outputs with respect to the address interacting with the contract. If you spot any mistakes or inconsistencies, please let us know.
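The reduction described above (an atomic group netted down to what one address sent and received), as an added example that is not the investigators' own code. It assumes transaction records shaped like Algorand indexer JSON; the addresses, group ids, asset id 111 and amounts are constructed.

```python
from collections import defaultdict

ALGO = 0  # assumption: key 0 stands for native ALGO, in microAlgos

def walk(txn):
    """Yield a transaction and, recursively, the inner transactions it emitted."""
    yield txn
    for inner in txn.get("inner-txns", []):
        yield from walk(inner)

def group_flows(txns, group_id, address):
    """Net one atomic group into (received, sent) per asset for `address`.

    Simplified: close-out amounts and clawback senders are not handled.
    """
    net = defaultdict(int)
    for top in (t for t in txns if t.get("group") == group_id):
        for t in walk(top):
            if t["sender"] == address:
                net[ALGO] -= t.get("fee", 0)
            if t["tx-type"] == "pay":
                body, asset = t["payment-transaction"], ALGO
            elif t["tx-type"] == "axfer":
                body = t["asset-transfer-transaction"]
                asset = body["asset-id"]
            else:
                continue  # app calls move value only through inner transactions
            if t["sender"] == address:
                net[asset] -= body["amount"]
            if body["receiver"] == address:
                net[asset] += body["amount"]
    received = {a: v for a, v in net.items() if v > 0}
    sent = {a: -v for a, v in net.items() if v < 0}
    return received, sent

# Constructed sample: a two-transaction swap group plus an unrelated payment.
SAMPLE = [
    {"group": "G1", "tx-type": "axfer", "sender": "ADDR_A", "fee": 1000,
     "asset-transfer-transaction": {"asset-id": 111, "receiver": "POOL", "amount": 5_000_000}},
    {"group": "G1", "tx-type": "appl", "sender": "ADDR_A", "fee": 2000,
     "inner-txns": [{"tx-type": "pay", "sender": "POOL", "fee": 0,
                     "payment-transaction": {"receiver": "ADDR_A", "amount": 20_000_000}}]},
    {"group": "G2", "tx-type": "pay", "sender": "ADDR_A", "fee": 1000,
     "payment-transaction": {"receiver": "ADDR_B", "amount": 7}},
]

if __name__ == "__main__":
    print(group_flows(SAMPLE, "G1", "ADDR_A"))
```

Fees paid by the address are counted as ALGO sent, so the netted ALGO figure for a swap is slightly below the amount the pool paid out.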
Several DeFi platforms were used for swapping, lending & borrowing.
It is interesting to note that the attackers swapped 300,000 USDC on-chain and in quick succession on February 20th, causing a sharp dip in USDC price. The remaining USDC was deposited into an exchange.
Some of the attacker accounts controlling these funds became active on March 5th.
We highlight an account controlled by the attackers that held a significant amount of goBTC and goETH. They caused two similar dips in the goBTC/ALGO pair after swapping goBTC.
The remaining goBTC and goETH were deposited as collateral on AlgoFi and ALGO was borrowed against it.
March 5th also saw new attacks on users with large asset holdings. Data for this second wave will be released in a few days.
If you were impacted by this, first get in touch with your local law enforcement.
Then submit a report on https://wallet.myalgo.com.
If you have any information or require help from the investigation & response team, please reach out to any of the following:
MyAlgo / RandLabs - nimble - VP Blockchain - D13