Hackers made off with 732 Ether (ETH), worth around $950,000, from an address created with the Ethereum vanity wallet address generator Profanity. They also reportedly used the sanctioned crypto mixer Tornado Cash.
Profanity is once again in the limelight after 1inch Network, a decentralized exchange aggregator, warned its community members that their addresses were not safe if they had been generated through Profanity. 1inch said the vanity address generator used a random 32-bit vector to seed 256-bit private keys. In other words, the keys carry far less randomness than their 256-bit length suggests.
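The effect of seeding a long key from a short seed can be shown with a simplified model, added here as an illustration and not taken from Profanity's code. The SHA-256 expansion, the function names and the 12-bit seed width used for enumeration are assumptions chosen so the example runs quickly.

```python
import hashlib
import math
import secrets


def expand_seed(seed: int) -> bytes:
    """Deterministically stretch a small seed into 32 bytes.

    Stand-in for any deterministic generator (assumption: SHA-256);
    the output is 256 bits long but fully determined by the seed.
    """
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def weak_keygen(seed_bits: int = 32) -> bytes:
    """Weak pattern: the only randomness is a seed_bits-wide seed."""
    return expand_seed(secrets.randbits(seed_bits))


def strong_keygen() -> bytes:
    """Hardened pattern: all 256 bits come from the OS CSPRNG."""
    return secrets.token_bytes(32)


def reachable_keys(seed_bits: int) -> set:
    """Every key the weak generator can ever emit for this seed width."""
    return {expand_seed(s) for s in range(2 ** seed_bits)}


def effective_entropy_bits(keys: set) -> float:
    """Entropy of a uniform choice among the reachable keys."""
    return math.log2(len(keys))


if __name__ == "__main__":
    demo_bits = 12  # reduced width so the full space enumerates instantly
    space = reachable_keys(demo_bits)
    print("key length (bits):", len(weak_keygen(demo_bits)) * 8)
    print("reachable keys:", len(space))
    print("effective entropy (bits):", effective_entropy_bits(space))
    print("weak key inside small space:", weak_keygen(demo_bits) in space)
    print("strong key inside small space:", strong_keygen() in space)
```

The key length stays at 256 bits in both cases; only the hardened generator draws every bit from the operating system's CSPRNG, so its output is not confined to the small set a short seed can reach.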
Vanity addresses are customized crypto wallet addresses that are created to include words or specific characters chosen by the owner, but their safety remains questionable. Profanity is available via GitHub. According to the readme.md file, the repository is abandoned due to fundamental security issues in the generation of private keys.
Blockchain investigator ZachXBT said an exploit of the vulnerability in Profanity has allowed some hackers to get away with up to $3.3 million worth of cryptocurrencies. Tal Be’ery, CTO and Security Head at ZenGo, said it seems that the attackers were sitting on the vulnerability and trying to find as many private keys as possible of vulnerable Profanity-generated vanity addresses before the alarm about the flaw was raised. Once it was exposed, the hackers cashed out in a few minutes from multiple vanity addresses.