{"id":86387,"date":"2023-10-31T09:57:53","date_gmt":"2023-10-31T07:57:53","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=86387"},"modified":"2025-09-13T05:17:20","modified_gmt":"2025-09-13T02:17:20","slug":"unknown-attacker-hacked-unibot-telegram-bot","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/unknown-attacker-hacked-unibot-telegram-bot\/","title":{"rendered":"Unknown attacker hacked Unibot Telegram bot"},"content":{"rendered":"<p>On 31 October the Unibot trading Telegram bot was compromised by unknown parties. Project representatives confirmed the incident.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We experienced a token approval exploit from our new router and have paused our router to contain the issue.<\/p>\n<p>Any funds lost due to the bug on our new router will be compensated. Your keys and wallets are safe.<\/p>\n<p>We will release a detailed response after investigations conclude.<\/p>\n<p>\u2014 Unibot (@TeamUnibot) <a href=\"https:\/\/twitter.com\/TeamUnibot\/status\/1719239188514844735?ref_src=twsrc%5Etfw\">October 31, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to them, they faced a token-approval vulnerability in the new router. To address the issue, developers temporarily paused the router&#8217;s operation.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cAny funds lost due to the bug in the new router will be compensated, and keys and wallets will remain safe,\u201d Unibot assured.<\/p>\n<\/blockquote>\n<p>Nevertheless, external experts urged users to urgently transfer funds to other wallets or revoke approvals of the <a href=\"https:\/\/etherscan.io\/address\/0x126c9fbab3a2fca24edfd17322e71a5e36e91865\">contract<\/a>.<\/p>\n<p>At the time of writing, the damage stood at nearly $650,000 \u2014 the hacker <a href=\"https:\/\/etherscan.io\/address\/0x413e4fb75c300b92fec12d7c44e4c0b4faab4d04\">withdrawn<\/a> 305 ETH and 39 000 USDC. Subsequently he <a href=\"https:\/\/twitter.com\/PeckShieldAlert\/status\/1719251390319796477\">sent<\/a> the coins to the Tornado Cash mixer.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"963\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/2023-10-31-08.43.05-1024x963.jpg\" alt=\"2023-10-31-08.43.05\" class=\"wp-image-219057\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/2023-10-31-08.43.05-1024x963.jpg 1024w, https:\/\/forklog.com\/wp-content\/uploads\/2023-10-31-08.43.05-300x282.jpg 300w, https:\/\/forklog.com\/wp-content\/uploads\/2023-10-31-08.43.05-768x722.jpg 768w, https:\/\/forklog.com\/wp-content\/uploads\/2023-10-31-08.43.05.jpg 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Data: Telegram channel DEFI Scam Check.<\/figcaption><\/figure>\n<p>The UNIBOT token launch took place on May 21, with the attacker\u2019s wallet funded on May 25 \u2014 on the first day of heightened trading activity.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Unibot hacker address seeded 1 week after launch<\/p>\n<p>hmm <a href=\"https:\/\/t.co\/kA6nREjnQw\">https:\/\/t.co\/kA6nREjnQw<\/a> <a href=\"https:\/\/t.co\/2GqJFNP5q9\">pic.twitter.com\/2GqJFNP5q9<\/a><\/p>\n<p>\u2014 Fudzy (@fozzydiablo) <a href=\"https:\/\/twitter.com\/fozzydiablo\/status\/1719222211892875506?ref_src=twsrc%5Etfw\">October 31, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In the crypto community, theories circulated about an insider-like nature of the attack \u2014 allegedly the hacker waited for the meme-coin cycle peak to earn more.<\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">31 October 2023 | 09:22<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>Blockchain-detective Arhat outlined a suspected exploit scheme that allowed the hacker to bypass balance checks and withdraw funds through repeated transferFrom calls.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Allowed to Drain? A Devious Exploit Bypassed Unibot&#8217;s Balance Checks and Made Off With 300+ ETH<\/p>\n<p>More than 300 ETH was exploited from <a href=\"https:\/\/twitter.com\/TeamUnibot?ref_src=twsrc%5Etfw\">@TeamUnibot<\/a> users. More than $500k, at least at the time of writing this.<\/p>\n<p>The hacker wrote a pseudocode to exploit the Unibot contract. <\/p>\n<p>Read\u2026 <a href=\"https:\/\/t.co\/Ns7bm6RYuP\">pic.twitter.com\/Ns7bm6RYuP<\/a><\/p>\n<p>\u2014 Arhat (@0xArhat) <a href=\"https:\/\/twitter.com\/0xArhat\/status\/1719252468646002873?ref_src=twsrc%5Etfw\">October 31, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Beosin experts also noted the changes made by the attacker to the bot&#8217;s code.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">?<a href=\"https:\/\/twitter.com\/hashtag\/Unibot?src=hash&#038;ref_src=twsrc%5Etfw\">#Unibot<\/a> exploited? <br \/>Hacker:<a href=\"https:\/\/t.co\/vSnl9xNmBD\">https:\/\/t.co\/vSnl9xNmBD<\/a><\/p>\n<p>The root cause is CAll injection, where an attacker can pass custom malicious calldata into the 0xb2bd16ab() method to transfer tokens approved to Unibot contracts.<\/p>\n<p>Users need to revoke approval for\u2026 <a href=\"https:\/\/t.co\/7PYJVwO6Ga\">pic.twitter.com\/7PYJVwO6Ga<\/a><\/p>\n<p>\u2014 Beosin Alert (@BeosinAlert) <a href=\"https:\/\/twitter.com\/BeosinAlert\/status\/1719230693782507993?ref_src=twsrc%5Etfw\">October 31, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<p>Against this backdrop, the price of the native UNIBOT token plunged 32% and, according to CoinGecko, stands at $38.44.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/chart-45-1024x1024.png\" alt=\"chart-45\" class=\"wp-image-219058\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/chart-45-1024x1024.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/chart-45-300x300.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/chart-45-150x150.png 150w, https:\/\/forklog.com\/wp-content\/uploads\/chart-45-768x768.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/chart-45.png 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Data: CoinGecko.<\/figcaption><\/figure>\n<p>Earlier experts warned of <a href=\"https:\/\/forklog.com\/en\/news\/experts-warn-of-risk-of-crypto-loss-when-trading-via-telegram-bots\">risk of losing cryptocurrency<\/a> when trading via Telegram bots, as they are not protected from hacker attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On 31 October, the Unibot trading Telegram bot was compromised by unknown parties.<\/p>\n","protected":false},"author":1,"featured_media":86388,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1442,44,723],"class_list":["post-86387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-bot","tag-cybercrime","tag-telegram"],"aioseo_notices":[],"amp_enabled":true,"views":"27","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/86387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=86387"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/86387\/revisions"}],"predecessor-version":[{"id":86389,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/86387\/revisions\/86389"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/86388"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=86387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=86387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=86387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}