Beware of the risk of mnemonic leakage caused by registering a wallet on the Replit platform

Background

In recent days, victims have contacted the SlowMist Security Team about the theft of 90,000 ATOM. The victims reported that they had used the online programming platform Replit to create an Atomicals protocol wallet and had gradually transferred ATOM (the ARC20 token minted through the Atomicals protocol, not the Cosmos asset with the same ticker) into it, after which the funds were stolen. According to the victims, the private key/mnemonic phrase leaked through copying and pasting on the web page.

Analysis of Replit Wallet Creation

atomicals-js (https://github.com/atomicals/atomicals-js) is the command-line interface and JavaScript library published by the Atomicals development team on GitHub; it lets users interact with the Atomicals protocol from the command line and from JavaScript code.

Replit is a well-known online programming platform. Its web version is a browser-based IDE that supports languages such as Python and JavaScript, letting users write code directly in the browser, start projects quickly, and share them with others.

There are many ARC20 wallet registration tutorials on platforms such as Weibo, Twitter, and YouTube. Some of them walk through deploying the atomicals-js project on Replit to generate a wallet and then transfer ATOM ARC20 tokens into it, for example:

(https://weibo.com/ttarticle/p/show?id=2309404950524427632902)

(https://twitter.com/Web3heinu/status/1730186061744136654)

Even tutorials that are not specifically ARC20 minting (subscription) guides still recommend using the Replit platform:

(https://twitter.com/Coinowodrop/status/1728042508687475187)

Because Replit is an open platform, the code in a public Repl, including every file in the project directory, is readable by anyone. When the atomicals-js project is deployed there and its wallet initialisation is run, it writes a wallet.json file into the project directory containing the generated mnemonic phrase, private key, and address.

Worse, projects that use atomicals-js and run on Replit are easy to find with simple searches or Google Hacking (search-engine dorking) techniques, so an attacker can locate such a project and read its wallet.json file directly; this is exactly how the file ends up discovered.

Creating a wallet by following these so-called tutorials therefore carries significant risk. Never run code that generates or handles sensitive information, particularly cryptocurrency wallets and private keys, on a publicly accessible platform. Generate and manage wallets in a secure, trusted environment instead, such as a local machine you control.
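The leak described above is a file-in-a-public-directory problem, so the cheapest control is to scan the project directory for wallet material before it is ever published or shared. The following is an added example written for this article; it is not code from SlowMist or from the atomicals-js project. It walks a directory, parses every JSON file, and flags values that are a checksum-valid Bitcoin WIF private key or that look like a BIP39 mnemonic (12 or 24 lowercase words; a length heuristic, since no wordlist is embedded), plus keys whose names suggest secrets. The wallet.json layout it generates for the demo (a top-level phrase and primary/funding objects holding WIF keys), the sample key and the mnemonic are all constructed assumptions, not data from the incident.

```python
"""Pre-publish scan of a project directory for leaked wallet material (added example)."""
import hashlib
import json
import os
import re
import tempfile

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Key names that should never appear in a public project (compared case-insensitively).
SENSITIVE_KEYS = {"phrase", "mnemonic", "seed", "wif", "privatekey", "private_key"}
# Heuristic: 12 or 24 lowercase words of 3-8 letters, the BIP39 English word length range.
MNEMONIC_RE = re.compile(r"^(?:[a-z]{3,8} ){11}[a-z]{3,8}$|^(?:[a-z]{3,8} ){23}[a-z]{3,8}$")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte becomes a leading '1'
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def to_wif(privkey: bytes, compressed: bool = True, mainnet: bool = True) -> str:
    """Encode a 32-byte secp256k1 private key as Base58Check WIF."""
    assert len(privkey) == 32
    payload = (b"\x80" if mainnet else b"\xef") + privkey + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def is_valid_wif(text: str) -> bool:
    """True only if text decodes to a WIF whose Base58Check checksum verifies."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) not in (37, 38) or raw[0] not in (0x80, 0xEF):
        return False
    if len(raw) == 38 and raw[33] != 0x01:  # compressed-key marker byte
        return False
    return checksum(raw[:-4]) == raw[-4:]


def scan_value(obj, path=""):
    """Recursively inspect parsed JSON; return (json_path, reason) pairs."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS and isinstance(val, str) and val:
                hits.append((child, "sensitive key name"))
            hits.extend(scan_value(val, child))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(scan_value(val, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if is_valid_wif(obj):
            hits.append((path, "valid WIF private key"))
        elif MNEMONIC_RE.match(obj.strip()):
            hits.append((path, "looks like a BIP39 mnemonic"))
    return hits


def scan_tree(root):
    """Scan every JSON file under root; return (relative_file, json_path, reason) triples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (ValueError, OSError):
                continue  # not JSON or unreadable; other file types are out of scope here
            for json_path, reason in scan_value(data):
                findings.append((os.path.relpath(full, root), json_path, reason))
    return findings


# Constructed sample data: deterministic throwaway keys and the BIP39 all-zero-entropy
# test mnemonic. None of it controls real funds.
DEMO_PRIVKEY = bytes(range(1, 33))
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def build_demo_repl(root):
    """Write a wallet.json in the assumed atomicals-js layout plus a harmless package.json."""
    wallet = {
        "phrase": DEMO_MNEMONIC,
        "primary": {"address": "constructed-sample-address", "WIF": to_wif(DEMO_PRIVKEY)},
        "funding": {"address": "constructed-sample-address",
                    "WIF": to_wif(DEMO_PRIVKEY[::-1], compressed=False)},
    }
    with open(os.path.join(root, "wallet.json"), "w", encoding="utf-8") as fh:
        json.dump(wallet, fh)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "atomicals-js-demo", "version": "1.0.0"}, fh)


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_repl(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, json_path, reason in run_demo():
        print(f"{rel}: {json_path}: {reason}")
```

Run `scan_tree` against the real project directory instead of the demo; any finding means the project must not be made public, and a key that has already sat in a public Repl should be treated as compromised rather than cleaned up. The WIF check verifies the Base58Check checksum, so ordinary base58-looking strings such as addresses are not reported; the mnemonic check is only a shape heuristic and will also flag innocuous twelve-word sentences, which is the right bias for a pre-publish gate.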

Malicious Address Analysis

Using MistTrack for analysis, we found that on September 23rd the victims transferred a large quantity of ATOM (around 98,000 according to the victims) to the ARC20 wallet address they had created, bc1pt046u0mew4yq83ftwrp3eqfalvf8d6g6lncnmnf3l4zaaalpl54qwvxuqp. On September 24th these tokens were moved to the attacker's address, bc1psanyvngxqgwxcssfwryl8mva7em4pmp37jcck2m67xtux8l887js7ezvev.

Querying https://satsx.io/ shows that about 68,000 of the stolen ATOM ARC20 tokens still sit at the attacker's address and have not been moved on.

Summary

This type of attack is extremely low-cost: an attacker needs only basic search and scanning skills to carry it out. The SlowMist Security Team reminds users that if you have generated a wallet on Replit, transfer the related funds out and delete the sensitive files as soon as possible, and treat any key that has been exposed in a public project as compromised even after the file is deleted. Also remain vigilant when using a generated wallet or mnemonic phrase on unfamiliar web platforms. The SlowMist Security Team recommends choosing well-established wallet services that have undergone security audits to reduce the risk of leaks.
