Hack Track: Moby Flow of Funds Analysis

Merkle Science
January 9, 2025

On Thursday, January 9, 2025, Moby, an options protocol on Arbitrum and Berachain, announced that it had suffered a “private key leak.”

In its initial statement on Twitter, the company asserted that the root cause was not a smart contract vulnerability, but the result of hackers stealing funds through “upgrading existing smart contracts using stolen proxy private keys.” 

To protect users, Moby initiated downtime at 6:00 PM UTC on Wednesday, January 8, scheduled to last until 1:00 PM UTC on Thursday, January 9. Despite the service interruption, Moby assured users that all options positions and all liquidity pool (LP) assets would be restored from its treasury.

In its subsequent statements on Twitter, Moby also encouraged users, as an additional security measure, to revoke the permissions granted to the following addresses through revoke.cash:

Controller: 0x46FA90cAbeCeA5369F5Ca9466655277EcA36b574 

PositionManager: 0xB03E14Eeb1a4B2F95a7e1CBe400BAec3E78d2a1F

SettleManager: 0xA62027C5edc68Abc52D3a3BbDd213Fa12457320B

sRewardRouterV2: 0x64e1faFA9e9d5F1a7431B886F5Fbff4052c5925d

mRewardRouterV2: 0x6881E756EA3322AEAadE0267C2a7FcF2A887ee9A
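Moby's notice asks users to revoke approvals for the five contracts above. The following Python, added here as an example and not code from Moby or Merkle Science, builds the read-only `eth_call` requests that check whether a wallet still holds an ERC-20 allowance for each of those spenders and decodes the answers. The `rpc` callable, the token address and the wallet address are placeholders supplied by the caller; only the spender addresses come from the post.

```python
"""Check which Moby spender contracts still hold an ERC-20 allowance from a
wallet. Added example; not Moby's or Merkle Science's code."""
from typing import Callable, Dict, List

# Spender contracts named in Moby's revocation notice (taken from the post).
MOBY_SPENDERS: Dict[str, str] = {
    "Controller": "0x46FA90cAbeCeA5369F5Ca9466655277EcA36b574",
    "PositionManager": "0xB03E14Eeb1a4B2F95a7e1CBe400BAec3E78d2a1F",
    "SettleManager": "0xA62027C5edc68Abc52D3a3BbDd213Fa12457320B",
    "sRewardRouterV2": "0x64e1faFA9e9d5F1a7431B886F5Fbff4052c5925d",
    "mRewardRouterV2": "0x6881E756EA3322AEAadE0267C2a7FcF2A887ee9A",
}

# 4-byte selector of the standard ERC-20 function allowance(address,address).
ALLOWANCE_SELECTOR = "dd62ed3e"


def _pad_address(addr: str) -> str:
    """ABI-encode a 20-byte address as a left-zero-padded 32-byte word."""
    hex_part = addr[2:] if addr.lower().startswith("0x") else addr
    if len(hex_part) != 40:
        raise ValueError(f"not a 20-byte address: {addr}")
    return hex_part.lower().rjust(64, "0")


def build_allowance_call(token: str, owner: str, spender: str) -> dict:
    """JSON-RPC eth_call request for token.allowance(owner, spender)."""
    data = "0x" + ALLOWANCE_SELECTOR + _pad_address(owner) + _pad_address(spender)
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": token, "data": data}, "latest"],
    }


def decode_uint256(result_hex: str) -> int:
    """Decode the single uint256 word an allowance() call returns."""
    return int(result_hex, 16) if result_hex not in ("0x", "") else 0


def find_open_allowances(rpc: Callable[[dict], str], token: str, owner: str,
                         spenders: Dict[str, str] = MOBY_SPENDERS) -> List[str]:
    """Names of the spenders that still hold a non-zero allowance for `token`.

    `rpc` is any callable that posts the request dict to a node and returns
    the hex string from the response's "result" field (placeholder here)."""
    still_open: List[str] = []
    for name, spender in spenders.items():
        raw = rpc(build_allowance_call(token, owner, spender))
        if decode_uint256(raw) > 0:
            still_open.append(name)
    return still_open


if __name__ == "__main__":
    # Placeholder token and wallet addresses, constructed for illustration.
    token, wallet = "0x" + "11" * 20, "0x" + "22" * 20
    for name, spender in MOBY_SPENDERS.items():
        print(name, build_allowance_call(token, wallet, spender)["params"][0]["data"])
```

Post each request to a JSON-RPC endpoint for the chain on which the approval was granted. The check is read-only; the revocation itself is a separate `approve(spender, 0)` transaction, which is what a tool such as revoke.cash submits on the user's behalf.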

While the situation is still developing, here is what we know so far:

  • The ETH address 0xee8f25c7d139c67ff44befa8723badf346737c3b was funded on September 27, 2024 through a withdrawal of 0.9706 ETH from Tornado Cash. Sanctioned by the Office of Foreign Assets Control (OFAC) on August 8, 2022, Tornado Cash is a popular mixer: users deposit funds into a pool, where they are mixed with other users' funds, and later withdraw an equal amount, breaking the link between senders and recipients. On January 9, 2025, 0.02 ETH was bridged to Arbitrum, a Layer 2 chain on Ethereum.
  • Separately, the private keys to the Arbitrum address 0x44a80e0a45f5285665bf3026f61c5d1340049404 were leaked, compromising its security. This was the attack vector through which the attackers gained control of the protocol's implementation contract.
  • On January 9, 2025, 206.9757 ETH and 3.7012 WBTC were sent from Moby on Arbitrum to 0x2a566d111d0a5be888fec5f3834434af3245bb1b. The hacker then used the emergencyWithdrawERC20 function to extract the 206.9757 ETH and 3.7012 WBTC, which were swapped and bridged into ETH. The funds were then split up through numerous transfers, distributing the ETH in smaller amounts across various addresses. 9.5634 ETH was also sent to Railgun, a smart contract system with zero-knowledge privacy, for further obfuscation.
  • The hacker also extracted 1,470,191.7154 USDC, which was then deposited to OKX, an exchange headquartered in Seychelles. This transfer could be an attempt to use the exchange as an exit node into fiat. Including the WBTC, ETH, and USDC, the funds totaled approximately $2.5 million, making this the largest hack of the year so far.
  • Moby later announced that it had recovered the USDC thanks to “the support of the SEAL911 team,” but made no mention of recovery for the WBTC and ETH.
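To show how a flow like the one in these bullets is reconstructed, here is a forward taint tracer written for this post as an added example; it is not Merkle Science's Tracker code. It applies the proportional ("haircut") method over a constructed ledger whose addresses (`0xattacker`, `0xrailgun`, `0xokx_deposit` and so on) and amounts are placeholders loosely modelled on the Moby flow, not the real transactions, and it goes beyond the post by also showing how an unrelated clean inflow dilutes, but does not erase, the tainted share.

```python
"""Forward taint tracing with the proportional ('haircut') method over a
constructed transfer ledger. Added example; not Tracker's or Moby's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Transfer:
    ts: int         # block timestamp, used only for ordering
    src: str
    dst: str
    amount: float   # ETH-equivalent units for this example


# Constructed counterparty labels; the addresses are placeholders, not real ones.
LABELS: Dict[str, str] = {
    "0xbridge": "bridge",
    "0xrailgun": "privacy protocol (Railgun)",
    "0xokx_deposit": "exchange deposit (OKX)",
}

# Constructed ledger loosely modelled on the flow in the post: proceeds leave
# the victim contract, are bridged, split, partly sent to Railgun and partly
# to an exchange deposit address, and later co-mingled with clean funds.
LEDGER: List[Transfer] = [
    Transfer(100, "0xmoby_vault", "0xattacker", 210.0),
    Transfer(110, "0xattacker", "0xbridge", 210.0),
    Transfer(120, "0xbridge", "0xattacker_l1", 210.0),
    Transfer(130, "0xattacker_l1", "0xsplit_a", 100.0),
    Transfer(131, "0xattacker_l1", "0xsplit_b", 100.0),
    Transfer(140, "0xsplit_a", "0xrailgun", 9.5),
    Transfer(141, "0xsplit_a", "0xsplit_c", 90.5),
    Transfer(150, "0xsplit_b", "0xokx_deposit", 50.0),
    Transfer(200, "0xclean_user", "0xsplit_c", 50.0),   # unrelated clean inflow
    Transfer(210, "0xsplit_c", "0xsplit_d", 70.0),
]


def trace_taint(ledger: Iterable[Transfer], taint_sources: Set[str]) -> Dict[str, float]:
    """Propagate taint in chronological order.

    Every unit leaving a taint source (here the victim contract) is fully
    tainted. Any other outflow carries taint in proportion to the sender's
    tainted share of its tracked balance, so co-mingled clean funds dilute
    the trail without erasing it. Returns the tainted amount held per address."""
    balance: Dict[str, float] = defaultdict(float)
    tainted: Dict[str, float] = defaultdict(float)
    for t in sorted(ledger, key=lambda x: x.ts):
        if t.src in taint_sources:
            portion = t.amount
        elif balance[t.src] > 0:
            portion = min(tainted[t.src], t.amount * tainted[t.src] / balance[t.src])
            tainted[t.src] -= portion
            balance[t.src] = max(0.0, balance[t.src] - t.amount)
        else:
            portion = 0.0   # untracked sender: treated as clean external money
        tainted[t.dst] += portion
        balance[t.dst] += t.amount
    return {addr: amt for addr, amt in tainted.items() if amt > 1e-9}


def summarize_by_label(holdings: Dict[str, float],
                       labels: Dict[str, str] = LABELS) -> Dict[str, float]:
    """Aggregate tainted holdings by counterparty category."""
    out: Dict[str, float] = defaultdict(float)
    for addr, amt in holdings.items():
        out[labels.get(addr, "unlabelled")] += amt
    return dict(out)


if __name__ == "__main__":
    held = trace_taint(LEDGER, {"0xmoby_vault"})
    print(f"{len(held)} addresses hold tainted funds")
    for category, amt in sorted(summarize_by_label(held).items()):
        print(f"{category:28s} {amt:10.4f}")
```

The bridge is modelled as a simple pass-through address; on real chains a bridge pools deposits, so an investigator matches the deposit to the corresponding withdrawal on the destination chain before continuing the trace.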

Key takeaways 

  • The hacker employed a grab-bag of evasion and layering techniques, including swaps, chain hopping, privacy-centric protocols, coin mixers, and multi-wallet transfers. Organizations need a blockchain analytics tool that has the technical sophistication to track illicit trails through this obfuscation. 
  • The funds are now dispersed across more than ten different addresses. Monitoring these addresses manually would be difficult, given that the criminals may be biding their time (there was a 100-day gap between the first activity on one of their wallets and the eventual hack). Organizations need a tool that can automatically track the movement of flagged wallets. To this end, with the Moby hack now visible on Merkle Science's Tracker, investigators can use the watch function to monitor a wallet, customizing alerts by transfer type, value range, and direction (inflows only, outflows only, or both).
  • One destination for Moby funds was OKX. Crypto investigators commonly use exchanges for attribution, tying a real-world identity to the addresses associated with a given crime. Merkle Science makes this task easier because Tracker's technology does not operate as a black box: we provide insight into how our technology works, so that prosecutors and judges can bring charges against criminals with full confidence.
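The watch function described above can be approximated with a small rule engine; the Python below is an added example written for this post, not Tracker's implementation, and every address, transaction id and transfer record in it is constructed. Each rule combines the three filters the takeaway names (transfer type, value range, direction), and the scan deduplicates so a rule fires at most once per transaction.

```python
"""Rule-based watchlist alerts over a transfer feed. Added example; not
Merkle Science Tracker's implementation. All records below are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Transfer:
    tx: str
    src: str
    dst: str
    asset: str      # "ETH", "USDC", ...
    amount: float
    kind: str       # "native", "erc20", "bridge", "privacy"


@dataclass
class WatchRule:
    name: str
    addresses: Set[str]
    direction: str = "both"              # "in", "out" or "both"
    kinds: Optional[Set[str]] = None     # None = any transfer type
    min_amount: float = 0.0
    max_amount: float = float("inf")


def matches(rule: WatchRule, t: Transfer) -> bool:
    """True when the transfer touches a watched address in the configured
    direction, is of an allowed type, and lies within the value range."""
    is_out = t.src in rule.addresses
    is_in = t.dst in rule.addresses
    if rule.direction == "out" and not is_out:
        return False
    if rule.direction == "in" and not is_in:
        return False
    if rule.direction == "both" and not (is_in or is_out):
        return False
    if rule.kinds is not None and t.kind not in rule.kinds:
        return False
    return rule.min_amount <= t.amount <= rule.max_amount


def scan(rules: Iterable[WatchRule], feed: Iterable[Transfer]) -> List[dict]:
    """Evaluate every rule against every transfer; at most one alert per (rule, tx)."""
    rules = list(rules)
    alerts: List[dict] = []
    seen = set()
    for t in feed:
        for rule in rules:
            if matches(rule, t) and (rule.name, t.tx) not in seen:
                seen.add((rule.name, t.tx))
                alerts.append({"rule": rule.name, "tx": t.tx, "src": t.src,
                               "dst": t.dst, "asset": t.asset, "amount": t.amount})
    return alerts


# Constructed watchlist: wallets an investigator has flagged as holding proceeds.
FLAGGED: Set[str] = {"0xsplit_b", "0xsplit_c", "0xsplit_d"}

RULES: List[WatchRule] = [
    # Any movement out of a flagged wallet, however small: a dormant wallet waking up.
    WatchRule("flagged_outflow", FLAGGED, direction="out"),
    # Large stablecoin inflows to a flagged wallet, the usual step before a cash-out.
    WatchRule("large_stablecoin_inflow", FLAGGED, direction="in",
              kinds={"erc20"}, min_amount=100_000),
    # Any hop from a flagged wallet into a privacy protocol.
    WatchRule("privacy_hop", FLAGGED, direction="out", kinds={"privacy"}),
]

# Constructed feed (placeholder tx ids, addresses and amounts).
FEED: List[Transfer] = [
    Transfer("0xt1", "0xsomeone", "0xsplit_b", "ETH", 0.01, "native"),
    Transfer("0xt2", "0xsplit_b", "0xfresh_1", "ETH", 4.2, "native"),
    Transfer("0xt3", "0xsplit_c", "0xrailgun", "ETH", 9.5, "privacy"),
    Transfer("0xt4", "0xswap_router", "0xsplit_d", "USDC", 1_200_000.0, "erc20"),
    Transfer("0xt5", "0xsplit_d", "0xokx_deposit", "USDC", 1_200_000.0, "erc20"),
]


if __name__ == "__main__":
    for alert in scan(RULES, FEED):
        print(alert)
```

The dust transfer in `0xt1` raises nothing, which is the point of the value-range and direction filters: an inflow of 0.01 ETH to a flagged wallet is noise, whereas any outflow from it is the signal the 100-day-gap takeaway is about.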

If you are an organization interested in using Tracker for your own investigations, contact us for a free demo.