Multichain hack could be an insider job, says Loki Zeng

July 8, 2023

A Twitter user, @Loki_Zeng said that what happened at Multichain is not a hack.

Loki Zeng’s analysis raises doubts that Multichain was involved in a hacker attack. They said that the asset transfer process was carefully executed, starting with a small test amount of 2 USDC. The asset was transferred to a separate wallet and no further actions were taken. The receiving wallet is completely clean. The transferor has definitely gained complete control over private key fragments exceeding the threshold, considering the technical characteristics of MPC.

The summary of their argument

1) The asset transfer lasts for a long time, indicating that the transferor is not in a hurry

2) A small test of 2USDC was carried out before the asset transfer, and USDC was also transferred to 2 coins 2U, indicating that the transferor has sustainable transfer ability

3) Each asset is transferred to an independent wallet, and there is no further action after that (such as transfer to an exchange, swap, currency mixing)

4) The receiving wallet is completely clean, not even gas

Circle and Tether freeze “Multichain Suspicious Addresses”

Three #Multichain hacker addresses (0x027F / 0xefEe / 0x48Be) have been frozen by @circle.

These addresses held a total of 65M in assets, including 63.2M $USDC, which are now frozen.

Address:https://t.co/gLpjpC2TvX https://t.co/YtZUmhaxeg pic.twitter.com/sAzOQMPmrG

— 0xScope (🪬 . 🪬) (@ScopeProtocol) July 7, 2023

Three Multichain addresses, 0x027F, 0xefEe, and 0x48Be, linked to the recent hack have been frozen by Circle. These addresses were known to hold a staggering total of 65 million in assets, with the majority being 63.2 million USDC.

Tether also froze two Ethereum addresses that hold approximately 2.53 million USDT: 0x9d5…2b68 and 0x48B…4537. These addresses have raised suspicion as they have received funds from the Multichain’s MPC address and are now flagged.

The MPC addresses that were hacked on July 6 have been promptly and accurately flagged by Etherscan as “Multichain Suspicious Addresses,” leaving no room for doubt or confusion.