{"id":45040,"date":"2021-06-27T13:03:39","date_gmt":"2021-06-27T10:03:39","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=45040"},"modified":"2025-08-31T19:48:25","modified_gmt":"2025-08-31T16:48:25","slug":"experts-dissect-the-blender-wallet-hack","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/experts-dissect-the-blender-wallet-hack\/","title":{"rendered":"Experts dissect the Blender Wallet hack"},"content":{"rendered":"<p><a href=\"https:\/\/u1f987.com\/en\/news\/roughly-100-btc-stolen-from-blender-wallet\">The hack of the non-custodial Blender Wallet<\/a> on June 22 may very likely be an insider attack. That is the conclusion of the experts polled by ForkLog.<\/p>\n<p>The Blender Wallet site states that, to compensate losses, it requires users&#8217; seed phrases, although a non-custodial wallet is by design unable to access them and should never have access to them.<\/p>\n<p>Kirill Chikhradze, Director of Product Development at <a href=\"https:\/\/crystalblockchain.com\/\" target=\"_blank\" rel=\"noopener\">Crystal Blockchain<\/a>, said that their team managed to identify several service wallets of Blender Wallet and the Blender.io mixer, through which a total of about 70 BTC has passed since early 2019, which casts doubt on the claimed loss of 100 BTC.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"448\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/2021-06-27-13.38.49-1-1024x448.png\" alt=\"Visualization of part of the transactions related to the Blender.io mixer. Some funds were sent to sanctioned addresses in 2020. 
Data: Crystal Blockchain.\" class=\"wp-image-140375\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/2021-06-27-13.38.49-1-1024x448.png 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/2021-06-27-13.38.49-1-300x131.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/2021-06-27-13.38.49-1-768x336.png 768w, https:\/\/u1f987.com\/wp-content\/uploads\/2021-06-27-13.38.49-1-1536x672.png 1536w, https:\/\/u1f987.com\/wp-content\/uploads\/2021-06-27-13.38.49-1-2048x896.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Visualization of part of the transactions related to the Blender.io mixer. Some funds were sent to sanctioned addresses in 2020. Data: Crystal Blockchain.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cIt is still unclear exactly how the claimed attack could have occurred. Perhaps in a way similar to the <a href=\"https:\/\/medium.com\/meetbitfury\/crystal-blockchain-analytics-fa6113d3929\" target=\"_blank\" rel=\"noopener\">Electrum attack in 2019<\/a>. However the request to provide the seed phrase and password to recover funds should raise suspicion,\u201d he noted.<\/p>\n<\/blockquote>\n<p>It remains unclear how the service&#8217;s team calculated losses. Consensus protocols researcher Andrey Sobol told ForkLog that Blender Wallet operators could have learned the amount of losses if all requests went through their API.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThat is, when a user registered a new wallet, then their set of public addresses was sent to the server,\u201d he speculated.<\/p>\n<\/blockquote>\n<p>According to him, such a mechanism is used in many non-custodial solutions.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cIn reality, the alternative is some decentralised network of nodes. 
Something similar to Electrum, but it slows it down. The telltale sign is, if the wallet operates stably and normally in updating information about new transactions, then the owner of the service has their own dedicated infrastructure,\u201d Sobol explained.<\/p>\n<\/blockquote>\n<p>Theoretically there are cases where sending the private key may be a prerequisite for compensation, the expert continues:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cPerhaps they fear that random people will start posing as owners of other people&#8217;s wallets. If we assume they are not scammers, they may request the seed phrase as 100% identification.\u201d<\/p>\n<\/blockquote>\n<p>Sobol noted that the company could ask users to sign a message with the private key, but for this the wallet would need a signing feature built in. Otherwise it would be easier to request the seed phrase.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cI do not rule out that hackers might attempt to steal money twice. First from wallets, and then, knowing the private key, they will ask the owners for a refund,\u201d added Andrey Sobol.<\/p>\n<\/blockquote>\n<p>According to Trustee Wallet CTO Ksenia Zhytomyrskaya, the incident currently looks like an insider breach:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cMost likely, code was injected inside the app that used user funds without their knowledge. This would explain the disabling of the Replace-By-Fee (RBF) function in the interface. 
If mnemonic phrases were leaked, then through any wallet you could withdraw,\u201d she told ForkLog.<\/p>\n<\/blockquote>\n<p>The expert noted that in an exit-scam the team would have taken all the money.<\/p>\n<p>Zhytomyrskaya suggested that the seed-phrase requests could have been motivated by the team wanting to derive users&#8217; public addresses from them and confirm ownership.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThey simply want to collect the addresses of users who will claim reimbursement. Those who are afraid to send them simply won\u2019t be compensated. Otherwise everyone would have to be compensated according to logs, since they saw the thieves\u2019 transfers.\u201d<\/p>\n<\/blockquote>\n<p>Overall, the demand to provide seeds and passwords is excessive, emphasized the CTO of Trustee Wallet.<\/p>\n<p>Among probable reasons for the hack of non-custodial wallets, Ksenia Zhytomyrskaya named sloppy log management, openly stored seed phrases, auto-fill of passwords, and classic credential-harvesting malware.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cMoreover, not all non-custodial projects are truly non-custodial, but that can be attributed to the injection of malicious code. Hence the importance of code auditing,\u201d she added.<\/p>\n<\/blockquote>\n<p>Zhytomyrskaya could not find the Blender Wallet source code. 
In a BitcoinTalk thread dedicated to the wallet, in May 2021 project representatives <a href=\"https:\/\/bitcointalk.org\/index.php?topic=5335884.0\" target=\"_blank\" rel=\"noopener\">wrote<\/a> that they \u201cdecided not to open the source code.\u201d<\/p>\n<p>The cybersecurity expert Yuri Melashchenko of Security Services Group warns of the potential danger of anonymous projects.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cFrom the outset the project was anonymous and private; it is impossible to determine who owns this email and Jabber. If you use mixers, you should understand that filing a report to the police or complaining to someone is unlikely to work. Initially the project deals in shady acts and appealing to some sense of justice in this case is even foolish.\u201d<\/p>\n<\/blockquote>\n<p>He noted that access to the server or hosting is held either by the owners or by hackers who can alter the site code.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cPerhaps from the outset the private keys were not accessible, but after hackers breached the hosting, changed the homepage and the code, they gained access to them,\u201d the expert suggested.<\/p>\n<\/blockquote>\n<p>Melashchenko stressed that if users are asked to send seed phrases, this means there can be no talk of non-custodianship.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cNo non-custodial wallet service has access to private keys by design. I would never, under any circumstances, send the seed phrase, and would try entering it into another wallet to check the balance. 
If you see that everything is stolen, you can provide the seed, but never again accept funds to that wallet.\u201d<\/p>\n<\/blockquote>\n<div class=\"wp-block-text-wrappers-disclamer article_disclamer\"><p><span class=\"gtb_text-wrappers_disclamer_head\">Disclaimer<\/span><\/p>\n<p>Sending seed phrases from wallets to third parties endangers the safety of your funds. If you decide to send a seed phrase in the Blender Wallet incident, first confirm through a third-party interface that the wallet balance is zero, and never again accept funds to it.<\/p>\n<\/div>\n<p>Melashchenko noted that the team could just as easily have requested a public key rather than a seed phrase, but evidently users were not told where to generate or view it.<\/p>\n<p>The Trustee Wallet CTO also says that without the source code it is difficult to draw conclusions.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cIn a web app such as Metamask, mnemonic phrases are encrypted in storage, so it all comes down to developers. You need to look at the code and figure out why not everyone was hacked and what it depended on: perhaps only those who were active in the last days or who updated the version,\u201d she noted.<\/p>\n<\/blockquote>\n<p>A person identifying as a Blender Wallet representative told ForkLog that the team cannot establish wallet ownership without seed phrases, because they do not store any user data.<\/p>\n<p>According to the same person, the loss amount in Blender Wallet was calculated based on \u201cwhich addresses were generated in our wallet and the balance on them.\u201d<\/p>\n<p>Zhytomyrskaya notes that checking the balance of addresses requires only the public key:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cIf they require seed phrases, they contradict themselves. They can see the balance of an address after they receive it. 
But I don\u2019t know whether they tracked them before the breach \u2014 for that you need the source code.\u201d<\/p>\n<\/blockquote>\n<p>According to the person who calls himself Blender Wallet\u2019s representative, access to the source code is closed because, as they say, \u201cit\u2019s not an application but a website.\u201d Melashchenko counters that running such a business without disclosing the code is unethical practice given that it deals with money.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>ForkLog\u2019s interviewee who claimed to be Blender Wallet\u2019s representative confirmed that a seed phrase created at registration can be used in other wallets.<\/p>\n<\/blockquote>\n<p>From the team\u2019s side, he promised to provide transactions involving the stolen funds later.<\/p>\n<p>ForkLog will continue to monitor developments. If you were a victim of the Blender Wallet hack or have additional information, please write to the editorial desk at newsroom (@) forklog.com.<\/p>\n<p>Follow ForkLog news on <a href=\"https:\/\/vk.com\/forklogcom\" target=\"_blank\" rel=\"nofollow noopener\">VK<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Blender Wallet non-custodial wallet hack on June 22 may very likely be an insider attack. 
This is what ForkLog&#8217;s experts polled concluded.<\/p>\n","protected":false},"author":1,"featured_media":45041,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,57],"class_list":["post-45040","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-wallets"],"aioseo_notices":[],"amp_enabled":true,"views":"24","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/45040","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=45040"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/45040\/revisions"}],"predecessor-version":[{"id":45042,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/45040\/revisions\/45042"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/45041"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=45040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=45040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=45040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
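Two points in the article call for the same demonstration: Sobol's remark that the service could have asked users to sign a message with their private key instead of handing over the seed phrase, and Zhytomyrskaya's that checking balances needs only the public key. The following added example is not code from Blender Wallet or from any project mentioned on this page. It derives a master key from a BIP39 mnemonic, signs a challenge on the user's side and verifies it on the service's side using nothing but the compressed public key. Assumptions: the mnemonic is the all-"abandon" BIP39 test phrase, the challenge text is constructed, the deterministic nonce is a simplified HMAC scheme rather than RFC 6979, the Bitcoin signed-message prefix and address encoding are omitted, and the proof covers the BIP32 master key rather than a derived address (a real check would derive the claimed address's key along its BIP32 path).

```python
"""Ownership proof by signature: the service verifies with a public key and never sees the seed.
Added example, not code from Blender Wallet or any project in the article. BIP39, BIP32 master
key and secp256k1 ECDSA follow the standards; the nonce scheme is a simplified HMAC construction
(not RFC 6979), the Bitcoin message prefix is omitted and the challenge text is constructed."""
import hashlib
import hmac
import unicodedata

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, point):  # double-and-add; not constant-time, demo only
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised words."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)

def master_key_from_seed(seed):
    """BIP32: left half of HMAC-SHA512('Bitcoin seed', seed); chain code not needed here."""
    priv = int.from_bytes(hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32], "big")
    if not 0 < priv < N:
        raise ValueError("seed yields an invalid master key")
    return priv

def pubkey_from_priv(priv):
    """33-byte compressed public key: all a verifier or a balance watcher needs."""
    x, y = _mul(priv, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def _decompress(pubkey):
    """Curve point from a compressed key, or None if it is not on the curve."""
    if len(pubkey) != 33 or pubkey[0] not in (2, 3):
        return None
    x = int.from_bytes(pubkey[1:], "big")
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)  # P = 3 mod 4: this is a square root when one exists
    if y * y % P != y2:
        return None
    return x, (y if (y & 1) == (pubkey[0] & 1) else P - y)

def _msg_hash(message):
    return int.from_bytes(hashlib.sha256(hashlib.sha256(message).digest()).digest(), "big")

def sign(priv, message):
    """ECDSA (r, s), computed on the user's device; the seed never leaves it."""
    z, key, counter = _msg_hash(message), priv.to_bytes(32, "big"), 0
    while True:  # nonce = HMAC(priv, hash || counter) mod N: simplified, not RFC 6979
        mac = hmac.new(key, z.to_bytes(32, "big") + bytes([counter]), hashlib.sha256).digest()
        counter, k = counter + 1, int.from_bytes(mac, "big") % N
        if k == 0:
            continue
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s

def verify(pubkey, message, signature):
    """Service side: needs only the public key and the signature, nothing secret."""
    r, s = signature
    point = _decompress(pubkey)
    if point is None or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    result = _add(_mul(_msg_hash(message) * w % N, G), _mul(r * w % N, point))
    return result is not None and result[0] % N == r

def ownership_check(mnemonic, challenge):
    """The flow a compensating service could use instead of collecting seed phrases."""
    priv = master_key_from_seed(mnemonic_to_seed(mnemonic))  # user device only
    pub = pubkey_from_priv(priv)                               # sent to the service
    sig = sign(priv, challenge)                                # user device only
    return pub, sig, verify(pub, challenge, sig)               # what the service checks

if __name__ == "__main__":  # constructed input: all-'abandon' BIP39 test mnemonic, made-up challenge
    pub, sig, ok = ownership_check("abandon " * 11 + "about", b"refund-claim nonce=1")
    print(pub.hex(), ok)
```

The contrast is the point: whoever holds the seed phrase can sweep every address it derives, whereas the signature proves control of the key to a verifier who learns nothing they could spend with. The public key on its own is also enough to watch balances, which is why a service claiming to have computed losses from "addresses generated in our wallet" should not need seeds. In a real claim flow the challenge should carry a fresh server-issued nonce so a signature from one claim cannot be replayed for another.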