More than 14,500 Tron addresses are at risk of being silently hacked.

A little-known exploit has put an estimated 14,545 Tron crypto wallets at risk, putting millions of dollars worth of digital assets at risk of theft.

In the year In the fourth quarter of 2024 alone, 2,130 wallets were compromised by a vulnerability related to the UpdateAttackPermissions transaction, security firm AMLBot said in a report to Cointelegraph. Collectively, these accounts hold approximately $31.5 million in digital assets as of press time.

What makes this attack particularly insidious is its stealthy nature. Unlike typical hackers who withdraw funds immediately, this exploit allows attackers to take control of wallets while remaining undetected. They block legitimate outbound transactions, effectively locking out the rightful owner from accessing their funds.

Victims may continue to unknowingly deposit funds into compromised wallets, enriching hackers without realizing the breach.

“Usually, the victim doesn't realize the wallet is missing,” AMLBbot chief technology officer Michael Tiutin told Cointelegraph.

Cointelegraph spoke to one victim of this attack vector, who asked to remain anonymous for fear of being targeted by hackers. Before he knew it, he added an additional 1,000 USDT to his wallet.

“If the thief had taken all my money immediately, I would have known immediately that I had lost my wallet, and I would not have added more money to it,” they said.

Related: Crypto Drainers Are Retiring As Investigators Start Shutting Down

UpdateAccount Permission opens a backdoor.

The UpdateAccountPermission transaction on Tron is designed to improve account security with many sig-like functions. This feature allows account holders to assign specific roles to keys, define their weight values, and set limits for transaction authorization.

For example, if the transaction limit is set to 10 and two keys contain a weight of five each, both must be signed to confirm the transaction. While this system is intended to strengthen account security, it is vulnerable when an attacker uses the owner's private key.

Using the compromised key, the attacker can add his own key to the account and configure it to meet the transaction threshold when paired with the original key. This effectively locks out legitimate owners, as they can no longer complete transactions individually, but can continue to deposit funds into the compromised wallet. As Tyutin said:

“Wallets do not have any notification or information that someone has added another key to your wallet. There is no indication that your wallet is missing until you send a transaction manually.

Even after discovering the breach, victims are left with limited options. The only immediate step is to stop depositing funds in a compromised wallet.

Satvik Kansal, founder of Rome Protocol, told Cointelegraph, “This attack is especially serious because there is no way for the user to recover money.

Tron did not respond to Cointelegraph's request for comment.

Benefits of the UpdateAccount license

The UpdateAccountPermission function on Tron is not malicious in nature. The design serves as legal purposes for businesses to exercise collective control over funds. This reduces the risk of unauthorized transactions by requiring multiple parties to approve actions.

This feature is useful for decentralized management, especially in accounts managed by community-controlled autonomous organizations. By requiring multi-signature approvals, the function helps prevent unilateral control over community funds.

Even single users can benefit from UpdateAccountPermission by assigning multiple keys to their own account. This reduces the chance of losing access to funds from a damaged device or key.

Exploitation isn't just for Tron.

Abuse of blockchain functions is not limited to Tron. On Ethereum, malicious actors take advantage of widely used functions such as “approval” and “licensing” that are essential to the communication of decentralized financial platforms.

When combined with phishing methods, these activities lead to catastrophic losses for unsuspecting users. According to security firm Scam Sniffer, phishing scams on blockchain (excluding Tron) caused $9.38 million in losses by November 2024.

Of this, nearly $7 million came from Ethereum alone. That's significantly less than the $20 million scam Sniffer reported in October.

The decline may be due to advances in wallet security, with many Ethereum-based wallets now notifying users of suspicious transactions before signing them. Additionally, increased user education has helped reduce the potential of phishing schemes.

RELATED: Tether, Tron and TRM Labs Jointly Launch $126M USDT by 2024

How to prevent silent wallet hackers

A critical prerequisite for using the UpdateAccountPermission function is to leak the private key. Without this, attackers cannot gain the access needed to manipulate account permissions. Once the private key is extracted, the account is already compromised, but this particular attack vector allows hackers to extort more money from victims.

Axel Lelop, chief security researcher at Dowsers, emphasizes the importance of understanding Tron's licensing system and performing regular reviews of account permissions.

He also echoed the basic principle of crypto security:

“Ensure that private keys and passphrases are stored securely, preferably offline, and never shared with untrusted parties.”

As for the anonymous victim, the wallet's vulnerability is due to poor operational security. The wallet was used to test smart contracts, so the private key was embedded in the open source code that was invented on many devices.

Another possible defense is to reduce the amount of Tronics (TRX) stored in the wallet, especially for users dealing with USDT transactions. The UpdateAccountPermission function requires a 100 TRX payment, which makes it difficult for attackers to exploit accounts with limited TRX reserves. Tyutin recommends using wallets that allow USDT transactions without burning TRX.

Magazine: As Ethereum Mining Intensifies, Drains Move to TON and Bitcoin