Over 14,500 Tron Addresses at Risk of Silent Hijacking

A troubling situation has emerged. Around 14,545 Tron crypto wallets are now at risk of theft, with about $31.5 million in digital assets in jeopardy. This information comes from a report by the security firm AMLBot.

In the fourth quarter of 2024, 2,130 wallets fell victim to a vulnerability linked to the UpdateAccountPermission transaction. What's particularly alarming about this exploit is its stealthy nature. Unlike typical hacks that drain funds quickly, this method allows attackers to take control of wallets without being noticed. They block legitimate transactions, locking the rightful owners out of their funds.

Many victims may unknowingly continue to deposit money into these compromised wallets. This enriches the hackers while the owners remain unaware of the breach. “Typically, a victim doesn’t understand that the wallet is gone,” says Mykhailo Tiutin, the CTO of AMLBot. One victim, who asked to stay anonymous, added 1,000 USDT to their wallet before realizing it had been compromised. “If the thief took all my money right away, I would have known I lost my wallet and wouldn’t have added more funds,” they explained.

UpdateAccountPermission Opens Backdoor

The UpdateAccountPermission transaction is meant to enhance account security. It allows owners to assign specific roles to keys and set thresholds for transaction authorization. For example, if the threshold is 10 and two keys each have a weight of 5, both must sign to validate a transaction.

While this system aims to strengthen security, it can become a vulnerability if an attacker gains access to the owner’s private key. Using the compromised key, an attacker can add their own key to the account, effectively locking the legitimate owner out. As Tiutin says, “Wallets don’t notify you when someone adds another key. There’s no indication that your wallet is compromised until you try to make a transaction.”

Even after discovering the breach, victims have limited options. The best immediate action is to stop depositing funds into the compromised wallet. “This attack is especially concerning because there’s no way to recover funds for the user. The attacker’s private key is needed for any further transactions,” notes Sattvik Kansal, co-founder of Rome Protocol.

Tron did not respond to requests for comment from Cointelegraph.

Benefits of UpdateAccountPermission

Despite its risks, the UpdateAccountPermission function is not inherently malicious. It serves legitimate purposes, like allowing businesses to enforce shared control over funds. This reduces the risk of unauthorized transactions by requiring multiple approvals.

This feature is also vital for decentralized governance, especially in community-controlled accounts managed by decentralized autonomous organizations. By requiring multiple signatures, it helps prevent unilateral control over community funds. Individual users can benefit too by assigning multiple keys to their accounts, lowering the risk of losing access due to a single compromised device.

Exploitation Is Not Unique to Tron

The misuse of blockchain functionalities isn’t limited to Tron. On Ethereum, malicious actors often exploit widely used functions like “approve” and “permit,” which are crucial for decentralized finance platforms. When combined with phishing tactics, these functions can lead to significant losses for unsuspecting users. In November 2024, phishing scams across blockchains (excluding Tron) resulted in losses of $9.38 million, with nearly $7 million coming from Ethereum alone. This is a drop from the $20 million reported in October.

Some of this decline may be due to advancements in wallet security. Many Ethereum-based wallets now alert users about suspicious transactions before they sign. Additionally, increased user awareness has helped reduce the effectiveness of phishing schemes.

How to Prevent Silent Wallet Hijackers

A key factor in exploiting the UpdateAccountPermission function is the leakage of a private key. Without it, attackers can't manipulate account permissions. Once a private key is leaked, the account is already at risk; this attack vector simply lets hackers siphon even more funds from victims than a one-off drain would.

Axel Leloup, lead security researcher at Dowsers, emphasizes the importance of understanding Tron’s permission system and regularly reviewing account permissions. He also stresses a fundamental principle of crypto security: “Make sure to store private keys and mnemonic phrases securely, preferably offline, and never share them with untrusted parties.”
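Leloup's advice to review account permissions regularly, together with the threshold-and-weight rule described earlier, as an added example that is not part of the original article: a Python audit that reads a Tron account's permission structure (a constructed sample in the shape the getaccount API reports, which is an assumption) and flags keys outside a trusted set, a trusted set that can no longer meet the threshold, and an untrusted set that can sign on its own.

```python
import json

# Constructed sample in the shape Tron's getaccount API reports permissions
# (assumed shape: owner_permission with a threshold and weighted keys, plus a
# list of active_permission entries). Addresses are made-up placeholders.
SAMPLE_ACCOUNT = json.loads("""
{
  "address": "TOwnerPlaceholder000000000000000000",
  "owner_permission": {
    "permission_name": "owner", "threshold": 2,
    "keys": [{"address": "TOwnerPlaceholder000000000000000000", "weight": 1},
             {"address": "TUnknownPlaceholder00000000000000000", "weight": 2}]
  },
  "active_permission": [
    {"permission_name": "active", "threshold": 1,
     "keys": [{"address": "TUnknownPlaceholder00000000000000000", "weight": 1}]}
  ]
}
""")

OWNER = "TOwnerPlaceholder000000000000000000"  # constructed owner address

def can_authorize(perm, holders):
    """True if the keys in `holders` together reach this permission's threshold."""
    weight = sum(k["weight"] for k in perm["keys"] if k["address"] in holders)
    return weight >= perm["threshold"]

def audit_permissions(account, trusted):
    """Return findings for an account whose permissions should contain only
    the addresses in `trusted`: unexpected keys, a lockout of the trusted keys,
    and whether the unexpected keys alone can sign (the silent-hijack state)."""
    findings = []
    perms = [account["owner_permission"]] + account.get("active_permission", [])
    for perm in perms:
        name = perm.get("permission_name", "unnamed")
        present = {k["address"] for k in perm["keys"]}
        for addr in sorted(present - trusted):
            findings.append(f"{name}: unexpected key {addr}")
        if not can_authorize(perm, trusted):
            findings.append(f"{name}: trusted keys cannot meet threshold "
                            f"{perm['threshold']} (owner locked out)")
        if (present - trusted) and can_authorize(perm, present - trusted):
            findings.append(f"{name}: unexpected keys alone can sign (hijacked)")
    return findings

if __name__ == "__main__":
    for line in audit_permissions(SAMPLE_ACCOUNT, {OWNER}):
        print(line)
```

Running the audit against a freshly fetched account on a schedule, and alerting on any non-empty result, gives the notification that the wallet itself does not provide.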

In the case of the anonymous victim, the wallet's vulnerability arose from poor operational security. The wallet was used for testing smart contracts, and its private key was embedded in plain source code that moved across multiple devices. Another precaution is minimizing the amount of Tronix stored in wallets, especially for users involved in USDT transactions. The UpdateAccountPermission function requires a 100 TRX fee, making it harder for attackers to exploit accounts with limited TRX reserves. Tiutin suggests using wallets that allow USDT transactions without burning TRX.