MultiChain Drained Of $103M After Malicious Actors Siphoned $126M Last Week

After Tether and Circle froze millions in stablecoins to prevent malicious actors from moving the funds drained from the cross-chain technology MultiChain, another $103 million in crypto was moved to various blockchain addresses, with a MultiChain Executor address being pointed at as the culprit.

A person, who has access to the MultiChain Executor, is using it to drain tokens linked with the AnySwap bridging protocol, an online sleuth and Twitter user, who goes by the handle @spreekaway, revealed in a tweet Tuesday.

"The MultiChain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA (externally owned account)," the on-chain sleuth said.

An image shared by the on-chain sleuth revealed a transaction labeled "anySwapFeeTo" on the MultiChain router: V4 contract minted approximately $15,275.90 worth of anyDAI, a derivative version of DAI on Ethereum, and sent it to the MultiChain Executor, who burned it and exchanged it for the DAI backing the asset.

"It is unclear whether this is authorized behavior. Previously the same method was used yesterday by a different MPC address on the anyUSDT token on mainnet. The tokens were then immediately sold to ETH, suggesting that similar address was the actions of a malicious actor," the sleuth said, before adding that "this EOA has not yet sold anything, however, they are still actively in the process of draining. Would assume it is malicious until proven otherwise."

The Twitter user further reported the MultiChain Executor made "another 5.4m from arbitrum," adding funds to the wallet, which at the time contained funds of "up to $53m."

The online sleuth also documented the "executor wallet just withdrew 7k FTM from Binance," and toyed with the possibility of a transaction, suggesting it was "more likely to be [the] actual team" (doing the transactions).

Security firm Beosin detailed the $103 million transfer consisting of "$USDC: $23,999,250, $fUSDT: $29,657,932 , $WBTC: $2,139,053, $WETH: $17,168,126, $ETH $10,102,001 , $DAI : $2,994,317."

It also noted the transfer behavior as "transfer a large amount of assets via privileges, Assets are from multiple chains, involving a large number of private keys" and "long time interval between transfers."

According to the security firm, "This indicates that the attacker may have taken control of all the assets and is not in a hurry to transfer them. Based on the previous analysis, we speculate that it may be from an internal operation."

Blockchain security firm Chainalysis, in a recent blog post, suggested the "abnormal transfers" have the marking of a rug pull.

"On July 6, 2023, cross-chain bridge protocol MultiChain experienced unusually large, unauthorized withdrawals in what appears to be a hack or rug pull by insiders," it said in the post.

"MultiChain's exploit is potentially the result of administrator keys being compromised. While it's possible those keys were taken by an external hacker, many security experts and other analysts think this exploit could be an inside job or rug pull, due in part to recent issues suffered by MultiChain," the firm noted.

Last week, Blockchain security and data analytics company Peckshield called out MultiChain about several transactions on-chain, which saw approximately $126 million of funds siphoned.

MultiChain eventually tweeted about the incident and explained that "the lockup assets on the Multichain MPC address have been moved to an unknown address abnormally," before announcing that "the team is not sure what happened and is currently investigating." It asked users to "suspend the use of MultiChain services and revoke all contract approvals related to MultiChain."