Incident Summary
Between May 31 and June 1, a series of irregular unlocking transactions were detected on Ethereum and Binance Smart Chain. Upon investigation, we discovered that several validator nodes had been executing a malicious Docker image, which exfiltrated private validator keys via encrypted payloads sent to a remote endpoint.
Key timeline:
- April 16–17: A system upgrade was deployed to validator nodes via an automated script, introducing the malicious code.
- April 17 & April 23: Two suspicious unlocking transactions occurred, triggering the malicious code and resulting in the leakage of three private keys.
- April 25: The malicious code was removed through a second upgrade, privately distributed to node operators.
Root Cause Analysis
Through the collection and analysis of substantial evidence, we successfully reconstructed the attacker’s method and timeline. The attack unfolded through several coordinated steps:
Malicious Code Injection
Upon receiving the initial alert, we immediately isolated the compromised servers and dumped all historical Docker images running on them. In one of these images, we discovered the presence of malicious code. This code had been embedded in the Ethereum-related logic and was absent from the public source code — it had been injected via a locally built Docker image.
Early in the investigation, we found that the attacker lacked a thorough understanding of Docker internals and had failed to adequately conceal the injected code. We analyzed the image layer by layer and extracted the attack payload together with its associated debugging information. This analysis significantly narrowed the pool of potential suspects.
This concrete technical evidence helped us quickly identify the attack vector.
Private Key Exfiltration
The recovered malicious source code clearly demonstrated the mechanism used to exfiltrate private keys. Under certain API requests, the private keys were encrypted using the attacker’s RSA public key and embedded within seemingly normal responses, thereby evading standard monitoring systems.
However, since all of our services were protected by strict outbound network whitelisting, the use of remote network requests for exfiltration further reduced the set of individuals who could have orchestrated the attack.
As noted above, the attack relied on specific API triggers. During the window in which the malicious Docker image was active (April 17–25), only two such requests were made — one resulting in the leakage of a single private key, and the other leaking two. These requests shared a unique characteristic, further validating our hypothesis.
Supply Chain Compromise
With the exfiltration method identified, we turned our attention to tracing the origin of the malicious code. Through historical logs, we were able to reconstruct how the malicious Docker image was deployed to validator nodes — a typical supply chain compromise.
The attacker had tampered with the upgrade script. While it appeared to reference an official GitHub release, it had in fact been modified to pull a custom Docker image from an unofficial registry. This was achieved by adding a release tag on a non-main branch, thereby bypassing internal code reviews.
Attempted Cover-Up
After acquiring the compromised private keys, the attacker did not immediately drain funds from the contracts. Instead, the attacker attempted to cover their tracks. A new Docker image — using the same version tag — was published to overwrite the malicious one in the public registry.
This trick was ineffective. The original Docker image, the critical piece of evidence, had been preserved on the validators’ servers, enabling our team to narrow the scope of the investigation significantly within three days of the incident.
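The two failures described above (an upgrade script resolving a version tag to an image from an unofficial registry, and the same tag later re-pushed over a different image) are both caught by pinning digests. The following is an added illustration, not Magickbase's code or upgrade script; the registry names, image names and digests in it are constructed placeholders.

```python
"""Pre-upgrade and post-upgrade checks for a validator's Docker image.
Added example; registry, image names and digests are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Image references look like [registry/][namespace/]name[:tag][@sha256:hex].
_REF_RE = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

@dataclass
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]

def parse_image_ref(ref: str) -> ImageRef:
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    # Docker resolves a bare name (no registry host) to Docker Hub.
    registry = m.group("registry") or "docker.io"
    return ImageRef(registry, m.group("repo"), m.group("tag"), m.group("digest"))

def upgrade_ref_problems(ref: str, allowed_registries: Set[str],
                         pinned: Dict[str, str]) -> List[str]:
    """Reasons to refuse the image reference an upgrade script wants to pull.
    `pinned` maps 'registry/repo:tag' to the digest reviewed on the main branch."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in allowed_registries:
        problems.append(f"registry {img.registry} is not on the allow-list")
    if img.digest is None:
        problems.append("reference is tag-only; a tag can be silently re-pushed")
    key = f"{img.registry}/{img.repo}:{img.tag}"
    expected = pinned.get(key)
    if expected is None:
        problems.append(f"{key} has no approved digest on record")
    elif img.digest and img.digest != expected:
        problems.append("digest does not match the reviewed release")
    return problems

def tag_was_repushed(repo_digests: List[str], registry_digest_now: str) -> bool:
    """`repo_digests` is the RepoDigests list from `docker inspect` on the image a
    node is running ('registry/repo@sha256:...'); True when the tag in the
    registry no longer resolves to that image, i.e. it was overwritten."""
    running = {d.split("@", 1)[1] for d in repo_digests if "@" in d}
    return registry_digest_now not in running
```

Running `upgrade_ref_problems` in the upgrade script before `docker pull`, and `tag_was_repushed` on a schedule afterwards, turns both steps of this attack into a refused upgrade and an alert rather than a silent swap.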
With a clearer picture of what happened, we were able to act quickly and bring in the right partners for the next stage of the response.
SlowMist and Law Enforcement Engagement
All relevant evidence — including the compromised Docker image, recovery procedures, API calls, modified upgrade scripts, and additional supporting materials — was preserved promptly and has been submitted to law enforcement.
Following a narrowed scope of suspects, we formally engaged SlowMist, a leading blockchain security firm, to assist with expert analysis and further validation of the attacker’s identity.
Additionally, local law enforcement has formally opened a criminal case.
We have full confidence in the capabilities of both SlowMist and law enforcement to advance the investigation effectively.
Now, we are actively preparing to ensure users are protected, regardless of the eventual outcome of the fund recovery process.
Commitment to Users
We make the following commitment to our community:
If the stolen funds cannot be recovered within a reasonable timeframe, Magickbase will advance full compensation to affected users.
We are currently evaluating multiple compensation plans and will share further details in the near future.
Appreciation
We sincerely thank our community for its patience, and we deeply appreciate the support of the broader ecosystem. Our gratitude also goes to the security professionals assisting with the investigation.
We remain fully committed to transparency, user protection, and the long-term resilience of the Nervos ecosystem. We will continue to keep the community informed as the situation evolves.