Notorious ‘Blockchain Bandit’ Resurfaces, Moves 51,000 ETH in Largest Fund Transfer

After a brief hiatus, the notorious “Blockchain Bandit” has re-emerged as the year ends, consolidating a staggering 51,000 ETH, valued at approximately $172 million, into a single multisig wallet.

This transfer was made on December 30.

“Blockchain Bandit” Returns

In the latest  update , prominent blockchain investigator ZachXBT revealed that the consolidation originated from 10 wallets, which have been dormant for almost two years, with the last activity being  flagged in January 2023. Alongside the Ether transfer, 470 BTC were also moved.

The Blockchain Bandit earned infamy between 2016 and 2018 through an insidious technique called “ Ethercombing .” By exploiting cryptographic vulnerabilities, the attacker systematically guessed weak private keys, which were often generated by faulty random number algorithms or misconfigured wallets.

This method allowed the malicious entity to steal more than 45,000 ETH across 49,060 transactions by compromising 732 private keys. While brute-forcing private keys is generally deemed improbable due to their vast numerical range, the Bandit capitalized on predictable flaws such as non-random key generation and poorly implemented recovery phrases.

Cybersecurity analysts suggest that state-sponsored actors, possibly North Korean hacker groups, could be behind the attacks, noting parallels with other large-scale crypto thefts. Such groups are known to target cryptocurrency platforms to fund illicit operations, including weapons programs.

The Bandit’s recent activity – coupled with the use of multi-signature wallets – signals preparations for potentially laundering the funds through mixers or decentralized exchanges to obscure their origins.

From Fake Meetings to Seed Phrase Traps

This attacker’s resurgence comes amid a wider uptick in crypto cybercrime as fraudsters develop new strategies to ensnare unsuspecting targets. Earlier this month, hackers were reported to have exploited fake Zoom meeting links to target crypto users and steal sensitive credentials as well as digital assets.

SlowMist traced the malware’s code to Russian-linked operatives, revealing over $1 million converted to ETH.

Another scam targeted opportunistic thieves by sharing seed phrases of fake crypto wallets. Once accessed, the wallets demand TRX for transaction fees, rerouting funds to scammers instead. Kaspersky warns that this scheme, disguised as a beginner’s mistake, manipulates thieves into becoming victims of their own greed.