F2Pool collaborates to test Private Key security! 500 Bitcoins were hacked and 490 were taken.

On December 21, Wang Chun, co-founder of F2Pool (Fish Pool), one of the world's largest Bitcoin mining pools, revealed on X his astonishing experience of having 500 BTC stolen. The incident was triggered by the community's heated discussion about the “50 million USDT phishing attack” event. Wang Chun quoted the on-chain message sent by the victim to the hacker and joked that the hacker was very “generous,” only taking 490 coins and leaving him 10 Bitcoins as living expenses.

50 million USDT phishing attack's absurd operation

(Source: Wang Chun)

The incident that triggered Wang Chun's self-exposure is itself a security disaster worth 50 million dollars. Recently, a whale/institution withdrew 50 million USDT from Binance, first “testing” by transferring 50 USDT to the planned receiving address. As a result, the attacker quickly generated a similar address with the first and last 3 digits the same, and transferred 0.005 USDT of dust tokens to the victim.

The victim, during the formal transfer, allegedly copied the address directly from recent transaction records, resulting in a total of 50 million USDT being transferred to a similar address of the attacker. This type of attack method is known as “Address Poisoning,” which exploits the habit of users copying addresses from transaction records and implants a similar address to mislead them into making the wrong transfer.

After the attack incident, the victim has sent an on-chain message to the hacker: “We have officially filed a criminal lawsuit. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have gathered substantial and specific intelligence regarding your activities. The wallet address you control is currently under 24/7 surveillance. This is your last chance to resolve this matter peacefully. You are required to return 98% of the stolen assets within 48 hours, and you may keep $1,000,000 as a 'white hat bounty' for discovering the vulnerability.”

This “first courtesy, then force” negotiation strategy is very common in the crypto space. Victims usually first try to negotiate with hackers, offering a white hat bounty in exchange for asset return, as it is extremely difficult to recover stolen cryptocurrency. If the hacker refuses, they then track through law enforcement and blockchain analysis companies, but the success rate is still very low.

The Three Stages of Address Poisoning Attacks

Phase One, Generate Similar Addresses: The attacker uses tools to generate addresses that share several leading and trailing digits with the target address, making them look extremely similar.

Phase Two, Send Dust Tokens: Send a very small amount (e.g., 0.005 USDT) to the victim's address, causing similar addresses to appear in the transaction record.

Phase Three, Inducing Wrong Transfers: When victims copy addresses from transaction records, they may mistakenly copy similar addresses, leading to large amounts of funds being transferred to the attacker's wallet.

The defense method against this type of attack is very simple: carefully check the full address each time a transfer is made, rather than just looking at the first and last few digits. However, human laziness and habits cause this simple mistake to happen repeatedly. When the transfer amount reaches 50 million USD, the cost of this carelessness is catastrophic.

Wang Chun's absurd logic of testing 500 BTC

While the community lamented the 50 million USDT victims, F2Pool co-founder Wang Chun's revelation completely shocked everyone. “Last year, I suspected that my private key had been leaked. To confirm whether that address was indeed compromised, I transferred 500 Bitcoins into it.” The absurdity of this operation lies in the fact that, clearly suspecting a private key leak, a normal person should immediately stop using that address and transfer all assets, but Wang Chun instead did the opposite and actively transferred a large sum to 'test' it.

This kind of logic is similar to: instead of promptly fixing a suspected broken door lock at home, one chooses to leave a large sum of cash in the house to see if it gets stolen. If it does get stolen, it not only verifies that the lock is indeed broken, but also results in a loss of property. Wang Chun's testing method is completely incomprehensible to security experts, as it transforms suspicion into certainty and potential losses into actual losses.

What surprised me was that the hacker was very “generous,” only taking 490 coins and leaving me 10 Bitcoins as living expenses. Wang Chun's sarcastic tone is even more shocking. At that time (February 2024), 490 Bitcoins were worth about 24.5 million USD, while 10 were worth about 500,000 USD. For an ordinary person, 500,000 USD is enough to change one's fate, but in Wang Chun's words, it is merely “living expenses.”

Regarding the hacker address provided by Wang Chun, 14H12PpQNzrS1y1ipjF4mPuVgQEpgfGA79, after tracking the historical records, it was found that there was indeed a related transaction record on February 12, 2024. This confirms that what Wang Chun said is not false; it is not a fabricated story, but a real substantial loss that occurred. However, Wang Chun himself has not provided further explanations regarding this matter, neither revealing how he suspected the private key was leaked, nor stating whether he reported it for tracking, let alone explaining why he chose such a ridiculous testing method.

The World of the Wealthy and the Tears of Lessons on Private Key Security

Wang Chunyun's lighthearted self-exposure makes everyone in the community sigh, “The world of the wealthy is truly beyond the comprehension of ordinary people.” As one of the largest Bitcoin mining pools in the world, F2Pool's wealth indeed exceeds common imagination. However, this attitude of “losing 25 million USD yet still able to laugh and chat” serves as both envy and a warning for ordinary investors.

What is envied is the realm of financial freedom. When the wealth you possess far exceeds your living needs, a loss of 25 million USD, though painful, is not fatal. Wang Chun's calmness indicates that his total wealth may be in the hundreds of millions of USD, and the loss of 490 BTC is merely a small part of his assets. This kind of financial freedom allows him to bear risks and losses that ordinary people cannot even imagine.

The warning is about the brutality of private key security. “Not your keys, not your coins” is a hard rule in the crypto world. Once the private key is leaked, regardless of whether you are a billionaire or an ordinary investor, your assets can instantly go to zero. Even more terrifying is that cryptocurrency transfers are irreversible; no bank can freeze them, no court can retrieve them, and once hackers take them, it's almost impossible to get them back.

Wang Chun's case reveals several key lessons. First, when suspecting a private key leak, the correct action is to immediately disable that address and transfer assets to a new address, rather than testing with a large sum. Second, private key management must adopt security measures such as multi-signature, hardware wallets, and cold-hot separation; the risk of a single private key is too high. Third, even top industry experts like F2Pool co-founder can make fatal mistakes regarding security, and no one can afford to be complacent.

For ordinary investors, this story provides an extremely valuable yet costly lesson. If you suspect a private key leak, you should immediately: stop using that address, transfer assets to a new address (after testing with a small amount before transferring a large amount), check all possible leak channels (computer viruses, phishing websites, social engineering), consider reporting to the authorities and seek assistance from professional security companies. Absolutely do not do as Wang Chun did, actively transferring large sums for “testing,” as you may not have the financial capacity to bear the losses like he does.

The hacker's “generous” act of leaving behind 10 BTC is also worth analyzing. This could be a psychological tactic by the hacker: completely emptying the wallet might infuriate the victim into tracking them down at all costs, but leaving a little “living expense” might lead the victim to choose to let it go. For Wang Chun, who has assets worth hundreds of millions, losing 490 coins is painful but not worth spending a lot of time and energy tracking it down. The hacker has accurately grasped this mentality, taking away the vast majority of the assets while also reducing the risk of being pursued with full force.

This incident contrasts with the phishing attack involving 50 million USDT. The former was due to the victim's careless copying of the wrong address, while the latter was the victim actively transferring despite knowing the risks. The common point of both is: human error is the biggest reason for the loss of crypto assets, far exceeding exchange hacks or smart contract vulnerabilities. No matter how advanced the technology, it cannot defend against human negligence and the psychology of luck.

For the cryptocurrency industry, these cases serve as a warning to all participants: the security of private keys is a fundamental skill that can be a matter of life and death. Whether you are a retail investor holding 0.1 BTC or a whale holding 500 BTC, once the private key is leaked or sent to the wrong address, the consequences are irreversible. In this world where “code is law,” there is no remedy for regret; the only protection is to double-check each operation, harbor more doubts, and exercise more caution. Wang Chun's 25 million USD tuition has provided the entire industry with an expensive yet profound lesson in security.