A real-world Polkadot wallet drain & why we now need

:locked: Real funds lost. Real malware found. Real lessons to share.

After helping a user in distress on Discord, I decided to document the entire case not just as a cautionary tale, but as a wake-up call for the ecosystem.

What follows is a complete breakdown: what happened, what went wrong, and what we can do better together.

1. Origin of the investigation

Everything started on the Hydration Discord when user @bzssalamon reported an unexplained loss of funds.
For anyone who wants the raw discussion, the entire public thread is still visible:

I jumped in, suspecting a live compromise that required immediate triage.

2. The hard facts we uncovered

| Step | Finding | Proof / artefact |
| --- | --- | --- |
| Drain | Three XCM transfers, 547.435 DOT total | XCM index hashes in screenshot |
| Malware | Trojan in a fake/sponsored uTorrent installer (SHA-256 4ac56c959e7148199ce93d5d6dce482edeb8a5efdb45aa3ca0008d8ce215aeef), flagged by 18 / 72 engines, Falcon score 100 | VirusTotal + Hybrid-Analysis (Falcon Sandbox report) |
| Persistence | Long-sleep, WMI, Tor traffic → bypasses most AV | Falcon sandbox report |
| Entry | No seed leak, but Polkadot{.js} had “Remember password 15 min” enabled, which gave the malware a signing window | Extension settings |

Wallets & on-chain trail

| Role | Address | Notes |
| --- | --- | --- |
| Victim base account | 157fpGqADobrZrNKV6QMUsfSZssAXJvDtwdLCqsUarGaY3Zq | Holder of the drained DOT |
| Attacker collection wallet | 1586EKXcsdkEk3v8GtiTtViyeTbsm3EcWTDFFTjApXs5nASw | Receives the three XCM transfers |
| → Binance deposit #1 | 14BRdZ8sBfztztToZryxKMgykJsgWHAbxUUVeRsMSGP5xv7D | Seen in extrinsic 25975919-8, tagged Binance.com |
| → Binance deposit #2 | 15T6aqyTRBnMBCUFnejMMa3T8ebwGsHvfRNmBhtkzuE4wFQ | Same extrinsic, Binance.com |
| → Very active user | 166H3a6kAdh7FJjpd6YcKAHUjDCgCn5Ps8yFVn26ezqy4iBf | Linked via extrinsic 25975755-4 |

Binance and law-enforcement already have those IOCs, but feel free to add them to every community block-list.

3. Likely kill-chain

  1. User downloads uTorrent from a sponsored ad (not the real site)
  2. Installer drops a packed spyware that sleeps until the machine is idle
  3. When Polkadot{.js} is unlocked (password cached 15 minutes) the malware injects JS, signs three XCM transfers and exits
  4. Funds reach the attacker wallet, then two Binance deposit addresses

4. What went wrong (human layer)

  • Blind trust in Windows Defender only
  • No VPN → IP & browsing habits exposed to malvertising campaigns
  • Torrent client on the same laptop that holds hot wallets
  • “Remember password 15 min” left enabled on Polkadot{.js}
  • 75 % of portfolio kept in a hot wallet, no cold storage fallback

5. Actionable defence playbook

  1. Proper antivirus (not just Defender) – The victim uninstalled Avast while setting up a miner, which turned out to be a fatal mistake. Defender alone is not sufficient in a real threat scenario. At minimum, maintain a real-time antivirus (ESET, Bitdefender…) and pair it with on-demand tools like Malwarebytes.
  2. Always-on VPN to break ad-tracking, avoid malicious redirections, and hide your IP from scanner bots.
  3. Segregate machines / VMs – Never install torrents or mining tools on the same device used for wallet access. Consider isolating sensitive actions inside a virtual machine or clean OS.
  4. Disable the Polkadot{.js} “Remember password” feature or, better, switch to Ledger or Polkadot Vault to remove hot wallet exposure.
  5. Harden your router: keep firmware updated, disable UPnP and WPS, restrict admin interface to local access only.
  6. Cold storage only for any holdings above minimal interaction balances.
  7. Migrate away from LastPass; prefer 1Password, Bitwarden, or NordPass, plus a FIDO2 hardware key for all critical logins.

6. Why the Polkadot ecosystem needs a dedicated incident response unit

This case shows that once funds hit a CEX, community efforts stall.
A coordinated task-force could:

  • Freeze obviously stolen funds within the first hour (multichain escrow or CEX liaison).
  • Maintain a live IOC feed (malware hashes, malicious addresses, phishing domains).
  • Provide a rapid-response playbook & tooling for validators, parachains and CEX partners.

A few months ago, I had proposed the creation of an advanced fund-tracking tool based on on-chain tree structures, specifically to improve this type of analysis. Unfortunately, I received little to no support at the time, and the idea was shelved. This recent case highlights it painfully: to this day, no such tool exists in the Polkadot ecosystem.

Here’s the original post: :backhand_index_pointing_right: Advanced Analysis Tool Proposal for the Polkadot Ecosystem

7. Critical reflections for the community

  • Should the “remember password” feature in Polkadot{.js} be entirely removed, or at the very least, be clearly labeled as unsafe and restricted to advanced/dev usage only?
  • Isn’t it time to establish a dedicated task-force capable of responding within the first hour to freeze stolen funds or trigger automated alerts across the ecosystem?

This incident proves that convenience features can become attack surfaces and that reactive governance is not enough when attackers move fast.

8. TL;DR

A fake uTorrent installer, a forgotten “remember password” checkbox in Polkadot{.js}, and no antivirus: that’s all it took. Result: 547 DOT drained in minutes.
Attacker hash: 4ac56c959e…aeef | Wallet: 1586EK…s5nASw | Funds routed through two Binance deposit wallets. Let’s stop saying “we should have” and start building real defences: tools, playbooks, task forces.

Stay paranoid. Stay prepared. Stay helpful.

— Cyphertux :pirate_flag:

10 Likes
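The tracing tool sketched in section 6 (a tree of outgoing transfers from the drained account, stopping where funds reach a custodial endpoint) as an added illustration, not code from the post above or from any Polkadot project; every address, amount, block number and label is a constructed placeholder, and the blocklist layout follows the polkadot-js phishing `address.json` shape as an assumption.

```python
"""Fund-tracing tree over a transfer log (added illustration, not code from the
post or from any Polkadot project). Follows outgoing transfers breadth-first from
the drained account, stops at custodial endpoints (exchange deposit addresses) and
annotates hops found in a blocklist in the polkadot-js phishing address.json
shape ({"site": ["address", ...]}, assumed here). All data below is constructed."""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    block: int      # block height, used only for ordering
    index: int      # extrinsic index inside the block
    src: str
    dst: str
    dot: float      # amount in DOT, already converted from planck

    @property
    def extrinsic_id(self) -> str:
        return f"{self.block}-{self.index}"

@dataclass(frozen=True)
class Leaf:
    address: str    # where traced funds currently rest
    path: tuple     # extrinsic ids followed from the start address
    dot: float      # amount carried by the last hop into this address
    tags: tuple     # custodial label and/or blocklist hits

def tags_for(addr, labels, blocklist):
    """Custodial label plus blocklist hits for an address."""
    tags = [labels[addr]] if addr in labels else []
    tags += [f"blocklisted via {site}" for site, addrs in blocklist.items() if addr in addrs]
    return tuple(tags)

def trace(start, transfers, labels, blocklist, max_hops=6):
    """BFS from `start`; returns (leaves, notes). Only transfers at or after the
    block in which an address received traced funds are followed (earlier outflows
    are unrelated); each address is expanded once; custodial endpoints never are."""
    outgoing = {}
    for t in sorted(transfers, key=lambda t: (t.block, t.index)):
        outgoing.setdefault(t.src, []).append(t)
    leaves, notes, seen = [], {}, set()
    queue = deque([(start, 0, (), 0.0)])
    while queue:
        addr, since, path, dot = queue.popleft()
        if addr in seen:
            continue
        seen.add(addr)
        tags = tags_for(addr, labels, blocklist)
        later = [t for t in outgoing.get(addr, []) if t.block >= since]
        if addr in labels or not later or len(path) >= max_hops:
            leaves.append(Leaf(addr, path, dot, tags))
            continue
        if tags:
            notes[addr] = tags  # intermediate hop worth flagging, e.g. a blocklisted mule
        for t in later:
            queue.append((t.dst, t.block, path + (t.extrinsic_id,), t.dot))
    return leaves, notes

def report(leaves):
    """One human-readable line per resting place, shortest path first."""
    lines = []
    for leaf in sorted(leaves, key=lambda lf: (len(lf.path), lf.address)):
        where = ", ".join(leaf.tags) or "unlabelled, dead end so far"
        hops = " > ".join(leaf.path) or "-"
        lines.append(f"{leaf.address}: {leaf.dot:.3f} DOT via {hops} [{where}]")
    return lines

# Constructed sample data with placeholder addresses, not the ones from the thread.
VICTIM, ATTACKER = "VICTIM_ADDR_PLACEHOLDER", "ATTACKER_ADDR_PLACEHOLDER"
DEP_A, DEP_B = "CEX_DEPOSIT_A_PLACEHOLDER", "CEX_DEPOSIT_B_PLACEHOLDER"
MULE, OLD_PEER = "UNLABELLED_ADDR_PLACEHOLDER", "EARLIER_PEER_PLACEHOLDER"
SAMPLE_TRANSFERS = [
    Transfer(50, 2, ATTACKER, OLD_PEER, 5.0),       # before the drain: must be ignored
    Transfer(100, 4, VICTIM, ATTACKER, 200.0),
    Transfer(101, 3, VICTIM, ATTACKER, 200.0),
    Transfer(102, 5, VICTIM, ATTACKER, 147.435),    # three hops, 547.435 DOT in total
    Transfer(150, 8, ATTACKER, DEP_A, 300.0),
    Transfer(150, 9, ATTACKER, DEP_B, 240.0),
    Transfer(152, 1, ATTACKER, MULE, 7.0),
    Transfer(200, 2, DEP_A, "CEX_HOT_WALLET_PLACEHOLDER", 300.0),  # exchange sweep, not followed
]
LABELS = {DEP_A: "exchange deposit: Binance", DEP_B: "exchange deposit: Binance"}
BLOCKLIST = {"fake-installer.example": [ATTACKER]}  # address.json shape, assumed
```

Running `report(*trace(VICTIM, SAMPLE_TRANSFERS, LABELS, BLOCKLIST)[:1])` lists the two exchange deposit addresses and the unlabelled dead end, while the attacker wallet shows up in the notes as a blocklisted hop.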

Hi Cyphertux,

Great breakdown of a potential hack! Just to let you know, many of the things you describe are already being done by the Polkadot Anti-Scam team.

We maintain the Polkadot Anti-Scam repo and, when notified about stolen funds, we can quickly add the known hacker address to the Polkadot.js blacklist. Note that actual on-chain freezing isn’t possible because Polkadot is decentralized, but blacklisting can often slow attackers down.

We also have contacts in the Crypto Defenders Alliance Telegram group. When we report the destination of stolen funds on a centralized exchange (CEX), they help us quickly freeze the funds on that CEX. For those funds to remain frozen and potentially be recovered (which, for the record, we do manage to achieve sometimes), the victim must file a police report and answer some verification questions—this helps us confirm they’re truly the victim and not the attacker.

If someone gets hacked, it’s important they notify us as soon as possible. The best way to do this is by emailing victimsupport@antiscam.team and pinging us in the #scam channel on the Polkadot Discord.

Best regards,

Tim

Hi @TimJanssen, thanks for your message and for clarifying what’s already in place.

That said, I genuinely hope the Anti-Scam team is fully operational and responsive. :eyes:

Have the addresses I shared (especially the attacker wallet and the Binance deposit ones) already been added to the blacklist? I checked the GitHub repo and unless I missed something, they don’t seem to be there yet. Please correct me if I’m wrong.

Also, when I speak of “freezing” I’m not referring to an on-chain freeze obviously, Polkadot is decentralized. I was referring to a coordinated escrow mechanism, which is entirely feasible and quite different. Such mechanisms could greatly enhance response efficiency without compromising the protocol’s decentralization.

I understand that internal processes may be in place and if they’re effective and consistently executed, all the better.
But let’s be real for a moment: the Anti-Scam team was recently granted 90,000 DOT, and yet from what I’ve heard, the main tracking solution in use is a third-party subscription tool that doesn’t even fully support parachains.

With that level of funding, not having a custom-built, ecosystem-native tracking solution is hard to justify.
It’s time to build native tools, not duct-tape services.

I’ll stay discreet here, but you all obviously know about Incognitee.
Under such conditions, things are going to get increasingly complicated and the only real answer might be the ability to act accordingly, though it’s likely to be both complex and utopian.

— Cyphertux :pirate_flag:

3 Likes

If you want addresses added, best ping us in the #scam channel of the Polkadot Discord. I am not going to blacklist Binance deposit addresses; this is pointless, they don’t even use Polkadot.js or any of the native wallets that use the blacklist (being SubWallet, Fearless, Talisman, Nova, Parity Signer). What I can do is contact Binance and they will freeze it on their end, which is much more useful. But going on a forum is not the process we do things. Note we often get contacted by hackers themselves too, pretending to be victims. And when I contact exchanges they will ask for a victim to file a police report and some proof that the wallets that were drained belong to them.

I can also blacklist the hacker wallet but again just ping me or dm me a list of wallets you want blacklisted and I will have a quick look into it.

As for your other remarks: our grant is meant for operation of an entire year and not just for victim support but also to pay for tooling to do our job and taking down scams. We don’t have enough budget to spend a lot of funds to build such a native tool. Also note that this third-party tool you are talking about is actually about to support parachains very soon; it’s something we have been talking about with them for quite a while now.

However, if you know a better tool or think you can build something better, we are more than happy to talk.

Thanks for your reply @TimJanssen

Let’s be clear: I do know how to distinguish a Binance hot wallet from a Binance deposit address.
What I shared in the post are user-specific deposit wallets observed during the XCM outflows, not general CEX infrastructure.

Just to clarify: these are not Binance’s main liquidity hot wallets; they are deposit addresses used by Binance to credit individual user accounts. That’s precisely why identifying them matters.

Also, the user in question has already contacted Binance and shared evidence, including our full investigation.
I’m not publishing this on the forum for fun, I did it because this kind of incident deserves transparency, peer review, and long-term follow-up.
If that’s not part of your current process, then maybe it should be.

Regarding your mention of scammers pretending to be victims:
Trust me: if someone’s faking it, I’ll find out fast.

And when I do, I don’t just expose them, I go after them. I take these things seriously, and I don’t let them slide :pirate_flag:. So let’s not twist the situation here. If I publish something, it’s because I’ve already done the vetting.

Now, about the 90k DOT grant: that’s a substantial budget. Saying it’s “not enough” to build a native tracking tool feels off.
Did you even read my initial proposal?
We’re not talking about building an enterprise-grade SIEM or AI detection engine.
Just a basic, usable, Polkadot-native tracing tool with graph/tree logic to improve speed and precision in fund tracking.

For context: I’ve already built a working MVP of such a tool locally in less than 48 hours, and I linked it in my first message. No budget. No grant. No excuses. I’m unemployed. No funding, no backing, just time, conviction, and a sense of duty to the ecosystem.
If I can do that in 48 hours, imagine what could be built with just 2% of the 90k DOT grant (2000 DOT, crazy!).

If your team doesn’t have the bandwidth or technical expertise, that’s fine, but let’s not claim it’s unfeasible. With your resources, you could’ve shipped something far better already.

This isn’t about tools.
It’s about priorities.

— Cyphertux :pirate_flag:

3 Likes

Thanks for the write up - would you expect that this exploit is only for Polkadot.js or would you expect other browser extension wallets would be affected too?

@birdo I haven’t dug into the code yet, probably this weekend. So let’s assume it mainly targets well-known wallets like MetaMask, Rabby, and others. But what I hadn’t realized is that it also affects Polkadot{.js}.

Based on my initial quick analysis, this is a relatively recent development, less than a year old, that attackers started targeting and understanding the vulnerability linked to that checkbox.

(It’s still a classic approach: grabbing data from cache via the usual injection method typical of this kind of malware.)

Don’t rely on the date of the first detection; you should know that if you’re familiar with this field.

The signature gives some insight, but that date should obviously not be considered a primary source.

Many hacker groups reuse large portions of code, and of course, that code evolves over time.

1 Like

Thanks for the detail here.

Would you be able to explain in a little more detail what has happened in the browser / extension here?

Which ‘cache’ is the malware grabbing data from?
By ‘injection’ you mean JS script injection into a certain page?
You suggest that once the user chooses for the extension to ‘remember my password’ it’s game over, but
1 - wouldn’t the attack still be possible by the malware caching the password as it is entered, even if the extension does not cache it?
2 - how is the malware able to access the extension within its sandbox - does this require targeted memory access, not just filesystem access (and are you therefore saying that, yes, this malware has it)?

Thanks @Mork for the thoughtful questions, let me break it down:

Malware like this typically bundles multiple capabilities: clipboard hijacking, keylogging, file extraction, and in this case browser code injection. This specific one demonstrated long-sleep evasion, WMI calls, and Tor traffic, classic signs of stealthy spyware.

What happens in the browser / extension?

When the user enabled the “remember password for 15 minutes” checkbox in the Polkadot{.js} extension, the password was cached temporarily, likely in memory, not just on disk. The malware didn’t need to extract the seed phrase or persistently compromise the extension — it clearly exploited the unlocked state during the 15-minute password caching window to perform the attack. But during that 15-minute window, it could hook into the browser process, inject JavaScript, and trigger actions (signing extrinsics) as the extension was unlocked and operational.

About your specific questions:

  1. “Couldn’t the malware just keylog the password?”
    In theory, yes, but this one didn’t need to. By waiting for the cached-unlocked state, it avoided brute-forcing or logging anything. It simply piggybacked during the window when the extension was already authenticated and signing was permitted.

  2. “How can malware access the extension? Doesn’t the sandbox protect it?”
    Once malware lives on the same machine, the sandbox model collapses. The browser becomes a playground.
    It doesn’t need to “hack” the extension; it just hooks into the browser process (especially Chromium-based ones like Brave or Chrome) and injects scripts that manipulate the DOM or simulate interactions. No need for sophisticated memory access, just standard JS injection or browser API abuse.

Let me be clear: this only works if the machine is already compromised. But once that happens, all bets are off, whether you use an extension, desktop wallet, or even browser-based cold-wallet interfaces.

If the extension is locked, the attack surface is smaller.
If the password is cached and unlocked, the attacker has a green light.

That’s why I consider the 15-minute password caching option a non-negligible risk and believe it should be removed or at least clearly flagged as unsafe.

Hope that helps clarify.

— Cyphertux :pirate_flag:

2 Likes

You are making a lot of assumptions here. We are very quick at tracking lost funds even without tools in most cases and have been successful in recovering funds in quite a lot of cases. We build or have people build things for us when we feel there is a need for it. At this moment that need has not arrived yet. A tool that would seriously help us better in our estimate would be worth quite a big chunk of the budget, but if you can prove otherwise, by all means show us. But again, in by far the most cases we are very quick in determining where the funds went and quite often are able to recover the funds…

Note we have very good contacts with most exchanges that help us freeze funds on their side and in many cases even recover funds.

As for the 15min option of wallets, that’s not up to us. We don’t build the wallets themselves, we just maintain the phishing repo among other things. Same thing about the escrow thing, that’s not up to us and honestly I am against it as I feel it goes against anything crypto stands for. Crypto is supposed to be censorship resistant and building something like that would hurt neutrality and censorship resistance. But again it’s not my job changing the wallets or core protocol. We aim to take down scams and help users fallen victim to scams.

One last thing about our budget. Our budget was approved with a very specific budget in mind where each DOT goes to. We really don’t have that much budget for building a tool. If you think you can build something great for not too much money we are willing to talk and see if we can fund it, but most of this 90k has been assigned to other things and we really don’t pay ourselves outrageous bounties imo. If you hire third parties they are far more expensive and in our experience don’t take down nearly as much as we do…

@TimJanssen Forget it, honestly, that kind of answer is just a joke.

Obviously I’m making hypotheses; that’s the starting point of any serious investigation into a live attack. It’s called threat analysis, not storytelling.

That’s great, but recovering funds isn’t the core issue here. The real need is for rapid public reporting and traceability to enable coordinated responses across the ecosystem.

If the standard process in 2025 is still ‘send an email and prove you’re the victim’, then my brother… we’ve got a serious agility problem. It’s time to wake up.

Then maybe this is the moment it arrives

Maybe I wasn’t clear enough: I can send you a video of the tool built solo, in under 48 hours, and just so you know, I’m not even a developer by trade.

Yet the first reflex on your side is to bring up the budget. So tell me what exactly is that budget for, if not to build tools? I’ve seen the pretty tables, but let’s talk results.

Then they shouldn’t hesitate to share that process publicly. Maybe I missed it, but to this day, I’ve seen no clear documentation or transparency about how it actually works in practice.

Come on we’re paying 90k DOT and now you’re telling us you’re not even involved in this part?

At the very least, raising a clear public alert when a feature increases risk should be part of your role.

If this had been a more serious exploit, we’d all want to know immediately, not after it’s too late.

Don’t worry I’m actually one of the first to defend censorship resistance in crypto.
But that doesn’t mean we should ignore the need to think about systems that could enable proactive defense when appropriate.

Let’s not forget: Gavin himself once envisioned Polkadot offering bank-grade security.
No one’s saying this should run at the Relay level, but it’s definitely worth exploring especially when millions are at stake.

Also, let’s not pretend your actions exist in a vacuum.
Anti-scam teams should contribute to improving the ecosystem not just by blocking links, but by educating, alerting, and helping design better safeguards. That’s part of the job.

Honestly, I’m just shocked. With that kind of funding, the idea that “we don’t have enough” is surreal. And taking 10 hours to react to an incident?

Anyway this exchange is going nowhere. Let’s stop wasting time.

I’ll leave it here but let’s be real: with that level of funding, you could have fed entire villages for months. Time to come back down to earth, friends. Here in France, there are people working themselves to the bone for €30k a year. So please, spare us the excuses.

— Cyphertux :pirate_flag:

2 Likes

I don’t even know where to start here… But that 15min feature was there years ago, so what do you mean new?

If you bothered to read our proposal you would know what the money is used for; it’s described in detail how our funds are justified and where they go to. And no, most of our funds is in fact not for building tools… Never has been.

The majority of our funds is to proactively find scams, add them to the blacklist and also take them down. Note we don’t get paid any bounty until a scam is actually taken down. On top of this we do victim support and help recovering funds among other things. We would like to improve on this, but fact of the matter is, looking at the amount of people that contact us about this and the amount of money involved (and btw you can find the exact numbers in our proposal), we don’t feel it’s worth it atm to spend a lot of money on tracking tools as of this moment. We can track and freeze by far most of the cases very quickly and easily without a tracking tool so far. Usually tracing only costs me a couple of minutes at most and I have it frozen in a couple of hours at most… I wish I could do this faster but I depend on exchanges to actually freeze it. The bottleneck so far has never been tracking for us but first and foremost the speed at which victims contact us and secondly our contacts reacting to our request to freeze stuff.

I do think we could improve on the first point especially, as I think many people don’t know where to go; we could use some help with that. Btw that mail we mainly use to gather information, but people can also just ping us on Discord and we are usually very quick to react.

To end things, just how much money do you think we make? These funds are not for 1 individual but the entire team for an entire year…

Just a crazy idea: Polkadot Vault, or some Polkadot Vault fork, could add support for Ledger.

First, you have some air-gapped device that decodes the chain/transaction metadata and QR code, and displays your transaction, just as if you used Polkadot Vault. After verifying this transaction on that device you’d actually sign the transaction using your Ledger device; maybe the Ledger only plugs into the air-gapped Vault device using a USB-OTG adaptor. It’d be funny to stream the Ledger updates via QR code too. lol

Edit: Someone pointed out that newer Ledgers actually have screens and display tx, so maybe this matters less now, but amusing idea anyways, and maybe good for people who do not have newer Ledgers.

Hi @Cyphertux, my name’s Alina, I’m a member of the Anti-Scam Team. I often track stolen funds and contact CEX about freezing them, and I thought I could add something to this discussion.

I agree that tracking and reporting is very time-sensitive. Unfortunately, victims don’t always immediately realize what happened or where to seek help. More often than not, a case is already cold when we get to it. I’m afraid it’s not feasible for us to monitor every crypto-related server and group chat for messages like the one that started your investigation. I’d also like to highlight that the quality of tracking and reporting matters as much as swiftness. False positives can lead to our reports and requests being treated as low priority, and rushing to blacklist anything remotely suspicious can do more harm than good.

I’m afraid you cannot tell just from looking into the blockchain if something’s a user-specific deposit wallet. Many centralized swap services use larger CEX infrastructure, but have much lower KYC requirements. What looks like a user-specific Binance deposit address to you may actually be assigned to unrelated users of some swap service (and I believe that’s the case here). What you labeled as “very active user” is probably a hot wallet operated by another swap service. These services rarely require KYC; in some cases, they don’t even ask for an email address. Unfortunately, the chances of identifying the attacker are not as high as you anticipate.

Nobody said the 15-minute feature was new.
The point is: it exists, it’s targeted, and it’s now been successfully exploited in the wild.
The real question is: were you even aware of that before this case, or are you just pretending now?

You really think I didn’t read your proposal? Come on.

I’ve seen the 90k DOT breakdown, the fancy tables, and the vague allocations and guess what? That’s exactly why I’m reacting like this.

You’re sitting on a massive grant, and your answer is basically:
“Yeah well, building actual tools was never the plan.”

Seriously?
So what was the plan, stickers and a Google Sheet?

You can’t wave the “we don’t build tools” excuse and still claim to be the core anti-scam team of the ecosystem.
At some point, priorities need to match the responsibilities and the funding.

Don’t take people for fools. Not everyone here blindly signs off on 6-figure DOT allocations without asking real questions.

Let’s stop this pointless discussion, my brother. I’ll leave you to work hard as I’m sure you do.

3 Likes

We had raised, during the early stage of the last Anti-Scam team referendum, that the tasks the Anti-Scam team was focusing on were not legitimate or were useless for the most part. @TimJanssen

Loading a database with fake/phishing sites, most of them not even related to the ecosystem, is not what we expect from the Anti-Scam team. Moreover, most of these fake sites can be found on the web; you can download files for this.

What we expect is what @Cyphertux is doing.
Building tools, being proactive to detect issues and share the results of the investigation to the Community.

If the anti-scam team needs help, maybe they should use the 90k DOT to ask people with dev skills like Cyphertux to help them to build better tools for the ecosystem.

The Treasury is not here to pay for 10 people if they can’t fulfil their tasks. The size of the team was a real concern compared to the results, and here is another proof of the inefficiency of the anti-scam team for its size.

Please review your anti-scam strategies, you have people in the community that may help you.

Cheers.
Le NEXUS

6 Likes

I don’t mean to disrespect you, but stop right here if you’re the so-called expert on the team, the same team that took hours to even show up yesterday, all relaxed.

Here’s a screenshot that should end this whole story where you try to explain to me how onchain analysis works. Don’t make me laugh.

Alright, let’s stop the damage here.

— Cyphertux :pirate_flag:

1 Like

I see you rely on the labeling provided by the “duct-tape service” fully :slight_smile: JFYI, these labels are based on the wallet activity. If a wallet receives DOT and sends them to an identified Binance hot wallet, it gets labeled as “Binance user wallet”. Maybe another condition is to not send DOT anywhere else, or there are some other conditions, but there are definitely no off-chain insights.

As I’ve said, Binance deposit addresses can be assigned to services, not individuals. I don’t doubt that Binance received stolen funds; I doubt that they have any personal information of the person that deposited them.

Stop writing @AlinaZ you’re an absolute joke.

Did you even realize the tool your team is paying for is exactly what Subscan is using?
You seriously need to revisit the basics.

I also suggest you go play around with some Binance, Kraken, etc. transfers to understand how CEX deposit flows actually work, my friend. It’s urgent.

Well, let’s wait for your team to bring better data then, if you really believe Merkle Science is completely wrong; what a joke. You can’t be serious.

— Cyphertux :pirate_flag:

Thanks, I’m fully aware of what tool Subscan uses to label addresses. I’m not saying that Merkle Science is completely wrong (and I thought I was clear about it), they just don’t have the full information. I’ll make sure to update you once I identify the swap services used.

I will refrain from commenting on the other parts of your message. Let’s stay civil. We remain open to discussing your tool and its capabilities.