Hackers steal $500,000 from Arbitrum users through vanity-address spoofing

Unknown actors during the Arbitrum airdrop that began yesterday siphoned $500,000 by forging vanity addresses of legitimate token recipients. This drew attention from Twitter users.

Someone made $500k+ by claiming Arbitrum airdrop with hacked vanity addresses pic.twitter.com/aSWmx7MySS

— jq (@jackqack) March 23, 2023

Vanity addresses are vulnerable to brute force — a systematic enumeration of all possible character combinations. Hackers created wallets that mirrored those entitled to receive ARB tokens, and directed the coins to them.

Affected users are attempting to resolve the issue on their own.

Dear @kucoincom my stolen $ARB token has been transferred to your exchange by the hacker. How can you help?

— CryptoLord NE ?? (@CryptoDefiLord) March 23, 2023

According to analytics firm Nansen, participants in the airdrop have already received more than 914 million ARB or 79% of the total 1.1 billion ARB allocated for distribution in the first phase. 138,671 addresses have not yet claimed governance tokens.

The ARB airdrop that began on March 23 caused network congestion, temporarily rendering the Arbitrum Foundation sites and the on-chain explorer Arbiscan unavailable.