A significant security threat has emerged, putting over 14,500 Tron (TRX) wallets at risk of silent hijacking, according to security firm AMLBot. This vulnerability, uncovered in Q4 of 2024, has exposed a total of $31.5 million in digital assets to potential theft, highlighting an ongoing security issue within the Tron network that could go undetected for extended periods.
The Hidden Danger of Silent Hijacking
What makes this attack particularly dangerous is its stealthy nature. Unlike traditional hacks where funds are immediately stolen, this exploit allows attackers to quietly gain control over wallets while keeping the victim unaware. Once compromised, the attackers lock legitimate users out of their wallets, preventing them from making transactions. However, victims may continue to deposit funds into these compromised wallets without realizing their funds are at risk.
As explained by Mykhailo Tiutin, Chief Technology Officer at AMLBot, “The typical victim doesn’t realize their wallet is compromised. They may continue depositing funds into it, not knowing that their access has been blocked.”
Exploit Tied to Tron’s UpdateAccountPermission Function
The vulnerability stems from the UpdateAccountPermission function, which is designed to enhance security by allowing users to set specific permissions for their accounts. This feature, while initially beneficial, can be exploited by attackers if they gain access to a victim’s private key. By adding their own key to the account, hackers can configure the wallet in such a way that the original owner is unable to make transactions, despite still having access to the wallet.
This system, meant to offer a multisignature-like security feature, becomes a weak point when the private key is leaked. With both the original key and the attacker’s new key, the attacker effectively gains control of the account. Unfortunately, there are no notifications within the wallet to alert the user that a new key has been added, leaving them unaware until they try to make a transaction.
A victim of this exploit, who wished to remain anonymous for fear of retaliation, shared their experience. After unknowingly adding more funds into their compromised wallet, they said, “If the thief had immediately drained my wallet, I would have realized something was wrong. But since the funds were locked, I continued adding more without knowing I had lost access.”
What Can Users Do to Protect Themselves?
The primary way to protect against this type of attack is to keep private keys secure. If an attacker gains access to a private key, they can exploit the UpdateAccountPermission function. This emphasizes the importance of securing private keys and mnemonic phrases offline, preferably in hardware wallets or other secure storage solutions.
Tiutin also advises users to avoid using wallets with low TRX reserves, especially if the wallet is involved in frequent USDT transactions. The UpdateAccountPermission function requires a minimum fee of 100 TRX to operate, making it harder for attackers to target wallets with little TRX stored in them. In addition, wallets that allow USDT transactions without burning TRX may be less susceptible to these types of attacks.
Furthermore, conducting regular reviews of account permissions can help identify unauthorized changes and minimize the risk of compromise.
The Role of Security Functions in Tron’s Ecosystem
The UpdateAccountPermission function on Tron was originally designed to offer enhanced security, particularly for businesses or decentralized organizations that require shared control over funds. While the feature provides added safety by preventing unauthorized transactions, it becomes problematic when an attacker gains control of the private key, allowing them to alter account settings without the owner’s knowledge.
Despite the security benefits of this system, the lack of alerts for changes to account permissions leaves users vulnerable. This issue highlights a broader concern about the importance of notification mechanisms within cryptocurrency networks to help users stay aware of potential threats.
A Growing Problem Across the Blockchain Space
This type of exploit is not unique to Tron. Across the blockchain space, attackers have been leveraging similar vulnerabilities on other platforms, such as Ethereum, to manipulate account permissions and siphon funds. On Ethereum, for example, malicious actors have exploited widely used functions like “approve” and “permit” to access user funds after obtaining private keys. The total value of phishing-related losses on Ethereum was substantial, with Scam Sniffer reporting a significant amount of funds lost due to phishing tactics in 2024.
The problem of silent hijacking is compounded by the increasing sophistication of phishing schemes, which make it harder for users to detect fraud until it’s too late.
What’s Next for Tron Users?
The key takeaway for Tron users is to be vigilant about their account security. While the Update Account Permission feature can be an excellent tool for enhancing security when used correctly, it also opens the door for attackers if private keys are not properly secured. The ability to silently hijack wallets without immediate signs of theft is a significant concern that users must take seriously.
For those with Tron wallets, it is critical to review account settings regularly, avoid storing large amounts of TRX or other assets in wallets susceptible to manipulation, and prioritize secure storage solutions for private keys.
Conclusion
As this silent hijacking attack continues to affect Tron users, the importance of securing private keys and understanding the risks associated with blockchain functionalities cannot be overstated. While the UpdateAccountPermission feature has legitimate use cases, the lack of notification and oversight leaves accounts vulnerable to attack. By following best practices for crypto security and being aware of the risks, users can protect their assets from this emerging threat.
