Over 14,500 Tron addresses at risk of silent hijacking

A lesser-known exploit has put an estimated 14,545 Tron crypto wallets at risk, exposing millions of dollars in digital assets to potential theft.

In the fourth quarter of 2024 alone, 2,130 wallets were compromised via a vulnerability tied to the UpdateAttackPermissions transaction, security firm AMLBot said in a report shared with Cointelegraph. Collectively, these accounts hold nearly $31.5 million in digital assets as of publication time.

What makes this attack especially insidious is its stealthy nature. Unlike typical hacks that drain funds immediately, this exploit allows attackers to seize control of wallets while remaining undetected. They block legitimate outbound transactions, effectively locking the rightful owner from accessing their funds.

Victims may unknowingly continue depositing funds into compromised wallets, enriching the hackers while remaining oblivious to the breach.

“Typically, a victim doesn’t understand that the wallet is gone,” Mykhailo Tiutin, chief technology officer at AMLBot, told Cointelegraph.

Cointelegraph talked to one victim of this attack vector, who requested anonymity out of fear of being targeted by hackers. He had added an additional 1,000 USDT (USDT) into his wallet before realizing it.

“If the thief would immediately take all my money away, I would have immediately understood that I lost my wallet, and I wouldn’t have added more funds to it,” they said. 

Related: Crypto drainers are retiring as investigators start to close in 

UpdateAccountPermission opens backdoor

The UpdateAccountPermission transaction on Tron is designed to enhance account security through multisig-like functionalities. This feature allows account owners to assign specific roles to keys, define their weight values, and set thresholds required for transaction authorization.

For instance, if a transaction threshold is set to 10, and two keys each hold a weight of five, both must sign to validate the transaction. While this system is meant to strengthen account security, it becomes a vulnerability when an attacker gains access to the owner’s private key.

By leveraging the compromised key, an attacker can add their own key to the account and configure it to meet the transaction threshold when combined with the original key. This effectively locks the legitimate owners, as they can no longer finalize transactions independently but may continue depositing funds into the compromised wallet. As Tiutin said:

“Wallets do not have any kind of notifications or information to say that somebody has added another key to your wallet. There is absolutely no indication that your wallet is gone until you send an outgoing transaction yourself.”

Even after discovering the breach, victims are left with limited options. The only immediate course of action is to stop depositing funds into the compromised wallet. 

“This attack is especially concerning, as there is no way to recover funds for the user because the attacker’s private key is required for any further transactions,” Sattvik Kansal, co-founder of Rome Protocol, told Cointelegraph.

Tron did not respond to Cointelegraph’s request for comment.

Wallet owners are greeted with an error message when attempting to send funds out of a stolen wallet. Source: Tiutin/TronLink

Benefits of UpdateAccountPermission

The UpdateAccountPermission function on Tron is not inherently malicious. Its design serves legitimate purposes, such as enabling businesses to enforce shared control over funds. This reduces the risk of unauthorized transactions by requiring multiple parties to approve actions.

This feature is also valuable for decentralized governance, particularly in community-controlled accounts managed by decentralized autonomous organizations. By requiring multisignature approvals, the function helps prevent unilateral control over community funds.

Even individual users can benefit from UpdateAccountPermission by assigning multiple keys to their own accounts. This reduces the likelihood of losing access to funds from a single compromised device or key.

Exploitation is not unique to Tron

The misuse of blockchain functionalities is not exclusive to Tron. On Ethereum, malicious actors often exploit widely used functions like “approve” and “permit,” which are essential for interacting with decentralized finance platforms.

When combined with phishing tactics, these functions can lead to devastating losses for unsuspecting users. Security firm Scam Sniffer reported that phishing scams across blockchains (excluding Tron) resulted in $9.38 million in losses during November 2024. 

Of this, nearly $7 million came from Ethereum alone. That’s significantly lower than the $20 million Scam Sniffer reported in October. 

Almost $500 million was lost to phishing schemes in 2024. Source: Scam Sniffer

The decline may be attributed to advancements in wallet security, with several Ethereum-based wallets now notifying users about suspicious transactions before they sign. Additionally, increasing user education has helped reduce the potency of phishing schemes.

Related: Tether, Tron and TRM Labs jointly froze $126M USDT in 2024

How to prevent silent wallet hijackers

A critical precondition for exploiting the UpdateAccountPermission function is the leakage of a private key. Without this, attackers cannot gain the access needed to manipulate account permissions. Once a private key is leaked, the account is already compromised, but this particular attack vector allows hackers to siphon even more funds from victims.

Axel Leloup, lead security researcher at Dowsers, emphasized the importance of understanding Tron’s permission system and conducting regular reviews of account permissions.

He also echoed a foundational principle of crypto security:

“Ensure private keys and mnemonic phrases are stored securely, preferably offline, and never shared with untrusted parties.”

In the case of the anonymous victim, his wallet’s vulnerability stemmed from poor operational security. The wallet was used for testing smart contracts, so its private key was embedded in plain source code, which migrated across multiple devices.

Another potential safeguard is minimizing the amount of Tronix (TRX) stored in wallets, particularly for users dealing with USDT transactions. The UpdateAccountPermission function requires a 100 TRX fee, making it difficult for attackers to exploit accounts with limited TRX reserves. Tiutin recommends using wallets that allow USDT transactions without burning TRX.

Magazine: As Ethereum phishing gets harder, drainers move to TON and Bitcoin