In the previous installment of the Web3 Security Guide, we discussed the risks associated with downloading or purchasing wallets, how to find official websites, methods to verify the authenticity of wallets, and the dangers of private key/seed phrase leaks. The phrase “Not your keys, not your coins” emphasizes the importance of controlling your private keys. However, there are situations where even possessing the private keys or seed phrases does not guarantee control over your assets, such as when a wallet is compromised by a malicious multisignature setup.
Based on data collected from MistTrack’s stolen funds report, some users find that their wallets contain funds, but they cannot transfer them due to malicious multisignature configurations. In this guide, we use the TRON wallet as an example to explain the concept of multisignature phishing, the mechanics of multisignature systems, common tactics used by hackers, and strategies to prevent your wallet from being maliciously configured with multisignature settings.
A multisignature (multisig) mechanism is designed to enhance wallet security by allowing multiple users to collectively manage and control access to a digital asset wallet. This setup means that even if some managers lose or leak their private keys/seed phrases, the assets within the wallet may remain secure.
TRON’s multisignature system includes three distinct permission levels: Owner, Witness, and Active, each serving specific functions and purposes.
Owner Permissions:
Hold the highest level of authority, capable of executing all contracts and operations.
Only an owner can modify other permissions, including adding or removing signers.
When a new account is created, the account itself is assigned the owner permission by default.
Witness Permissions:
Active Permissions:
As mentioned earlier, a new account’s address automatically receives owner permissions (the highest level) by default. This owner can then adjust the account’s permission structure, deciding which addresses receive permissions, the weight of these permissions, and setting thresholds. The threshold determines the required weight of signatures to execute specific actions. For example, if the threshold is set to 2, and each of the three authorized addresses has a weight of 1, then at least two signatories must approve for the operation to proceed.
When a hacker obtains a user’s private key or seed phrase, and the user has not implemented a multisignature mechanism (meaning the wallet is solely controlled by the user), the hacker can either grant themselves Owner/Active permissions or transfer the user’s Owner/Active permissions to their own address. These actions are commonly referred to as malicious multisignature, but this term can be broadly defined. In reality, the situation can be categorized based on whether the user still retains any Owner/Active permissions:
In the first scenario, the user’s Owner/Active permissions have not been removed; instead, the hacker has added their own address as an authorized Owner/Active party. The account is now jointly controlled by the user and the hacker, with the threshold set at 2. Both the user’s and the hacker’s addresses have a weight of 1. Despite the user possessing the private key/seed phrase and retaining Owner/Active permissions, they cannot transfer their assets. This is because any request to transfer assets requires the approval of both the user and the hacker, as both signatures are necessary for the operation to proceed.
While the process of transferring assets from a multisignature wallet requires multiple signatures, depositing funds into the wallet does not. If users do not regularly check their account permissions or have not made any recent transfers, they may not notice changes to their wallet’s permissions, leading to prolonged losses. If the wallet contains only a small amount of assets, hackers might wait until the account accumulates more assets before stealing everything at once.
In another scenario, hackers exploit TRON’s permission management system by directly transferring the user’s Owner/Active permissions to the hacker’s address, with the threshold still set at 1. This action strips the user of their Owner/Active permissions, effectively removing their control over the account, even the “voting rights.” Although this is not technically a case of malicious multisignature, it is commonly referred to as such.
In both cases, whether the user retains any Owner/Active permissions or not, they lose actual control over the account. The hacker, now possessing the highest permissions, can alter account settings and transfer assets, leaving the legitimate owner unable to manage their wallet.
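A permission check covering both scenarios above, as an added example that is not part of the original guide or of any TRON tooling. It assumes the account's permission data is available as a dictionary with `owner_permission`, `active_permissions`, `threshold`, `keys`, `address` and `weight` fields; that layout, the function names and the placeholder addresses are assumptions made for illustration.

```python
# Added example: classify TRON-style account permissions from the owner's viewpoint.
# Field names (owner_permission, active_permissions, threshold, keys, address,
# weight) are an assumed layout modelled on the permission structure described above.

def classify(permission, my_address):
    """Return (status, foreign_signers) for one permission entry."""
    keys = permission.get("keys", [])
    threshold = permission.get("threshold", 1)
    my_weight = sum(k["weight"] for k in keys if k["address"] == my_address)
    foreign = sorted(k["address"] for k in keys if k["address"] != my_address)
    if my_weight == 0:
        status = "no_control"          # permission moved to another address
    elif my_weight < threshold:
        status = "needs_cosigner"      # my signature alone cannot reach the threshold
    elif foreign:
        status = "shared"              # I can sign alone, but other signers exist
    else:
        status = "sole_control"
    return status, foreign

def audit_account(account, my_address):
    """Audit Owner and every Active permission; return {name: (status, foreign)}."""
    report = {}
    if "owner_permission" in account:
        report["owner"] = classify(account["owner_permission"], my_address)
    for perm in account.get("active_permissions", []):
        name = "active:" + perm.get("permission_name", str(perm.get("id", "?")))
        report[name] = classify(perm, my_address)
    return report

# Constructed sample data (placeholder addresses, not real accounts).
ME, OTHER = "T_USER_PLACEHOLDER", "T_UNKNOWN_PLACEHOLDER"
JOINT = {  # first scenario: unknown address added, threshold raised to 2
    "owner_permission": {"threshold": 2, "keys": [
        {"address": ME, "weight": 1}, {"address": OTHER, "weight": 1}]},
    "active_permissions": [{"permission_name": "active", "threshold": 2, "keys": [
        {"address": ME, "weight": 1}, {"address": OTHER, "weight": 1}]}],
}
REPLACED = {  # second scenario: permissions moved to another address, threshold 1
    "owner_permission": {"threshold": 1, "keys": [{"address": OTHER, "weight": 1}]},
    "active_permissions": [{"permission_name": "active", "threshold": 1,
                            "keys": [{"address": OTHER, "weight": 1}]}],
}

if __name__ == "__main__":
    for label, acct in (("joint", JOINT), ("replaced", REPLACED)):
        print(label, audit_account(acct, ME))
```

Any status other than `sole_control`, or any address in the foreign-signer list that the user does not recognise, is the signal to investigate before depositing further funds.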
Based on data collected from MistTrack’s stolen funds report, we have identified several common causes of malicious multisignature attacks. Users should be vigilant in the following situations:
Downloading Fake Wallets: Users may download fake wallets by clicking on links to fraudulent websites sent via Telegram, Twitter, or other sources. This can lead to the leak of private keys or seed phrases, resulting in malicious multisignature attacks.
Entering Private Keys on Phishing Sites: Users who enter their private keys or seed phrases on phishing sites offering services like fuel cards, gift cards, or VPNs can lose control of their wallets.
OTC Trading: During OTC (over-the-counter) transactions, someone may capture or otherwise acquire the user’s private keys or permissions, leading to a malicious multisignature attack.
Scams Involving Private Keys: Scammers may provide a private key, claiming they cannot withdraw assets and offering a reward for assistance. Although the associated wallet appears to have funds, the withdrawal permissions are configured to another address, preventing any transfer.
In this guide, we used the TRON wallet as an example to explain the multisignature mechanism, how hackers conduct malicious multisignature attacks, and common tactics used. This information aims to enhance understanding and improve prevention against malicious multisignature attacks. Additionally, some users, especially beginners, may accidentally configure their wallets for multisignature, requiring multiple signatures for transfers. In such cases, users need to meet the multisignature requirements or revert to a single signature by assigning Owner/Active permissions to only one address.