🚨 Critical Alert: We need your help to vote and upgrade runtime! 200k DOT are at risk of being stolen 🚨


Summary of Incident

An attacker maliciously upgraded the Parallel parachain runtime, granting themselves administrative privileges. This allowed them to steal over 312,185 DOT and 126,837 USDT. The attacker is actively unbonding approximately 125,688 DOT, putting additional capital at risk in 4 days. Immediate action is required to vote on a referendum supported by Parity to recover the stolen assets within the next 4 days. The goal is to secure 112M votes with conviction to prevent further losses. Currently, 26.7M votes have been collected.


Key Details

Attacker Actions

  1. Malicious Runtime Upgrade: Gained "sudo" privileges by upgrading the runtime with malicious code.
  2. Unauthorized Token Minting: Created unauthorized DOT and USDT tokens.
  3. Asset Transfers: Stolen assets were transferred across chains to obfuscate the trail.
  4. Liquidation: Unstaked funds were sold on exchanges like Binance and Huobi.
  5. Governance Blockade: Disabled governance mechanisms to hinder recovery efforts.

Current Risk

  • The attacker is actively unbonding 125,688+ DOT, putting over $1.5M in additional assets at risk.
  • Without intervention, these funds will be transferred to the attacker’s account.

Attacker Accounts

  • Multiple accounts and addresses across Polkadot, Moonbeam, and Acala were used to facilitate the theft and conceal transactions.

Timeline of Events

  • October 31, 2024: Attacker proposed and approved a malicious runtime upgrade, granting themselves administrative powers.
  • November 7, 2024: Malicious upgrade executed; attacker gained control of parachain governance and proxy permissions.
  • November 22-24, 2024:
      • Unauthorized minting of DOT and USDT tokens.
      • Transferred 303,208 DOT from staking ledgers to attacker-controlled accounts.
      • Cross-chain transfers and asset swaps to obscure stolen funds.
  • November 27, 2024: Continued unbonding of staked DOT, putting additional funds at risk.
  • November 30, 2024: All remaining DOT transferred to the Ethereum network. The relaychain now shows zero balance.

Exchange Deposit and Cross-chain Activities

Huobi Deposit Records


Binance Deposit Records


FixedFloat Deposit Records


WhiteBit Deposit Records


To obfuscate the trail, the attacker moved assets across chains

  1. https://polkadot.subscan.io/extrinsic/23594945-2 The hacker first deposited 10,003 DOT to a new address on the Acala parachain: 22EZbDcLVkeGRPsRFRTbWpHAi3tLymN3unv6tpnhqsLiaPkV
  2. https://acala.subscan.io/xcm_message/polkadot-200c01df2b59ce87981452eb50e05799726f3b91 Next, the funds were moved from the Acala parachain to another new address, 12My1JCJeqtzropnC6fMjocvFCTQRw4r2PNnjzMhDKPqkuhM, on Polkadot via XCM.
  3. From the new address, the hacker deposited to the exchange again:
      • https://polkadot.subscan.io/extrinsic/23594996-2 100 DOT FixedFloat
      • https://polkadot.subscan.io/extrinsic/23595014-2 1000 DOT FixedFloat
      • https://polkadot.subscan.io/extrinsic/23595037-2 1000 DOT FixedFloat
      • https://polkadot.subscan.io/extrinsic/23595068-3 1000 DOT FixedFloat
  4. https://polkadot.subscan.io/extrinsic/23595978-3 Finally, the hacker transferred the remaining 7,000 DOT back to the initial hacker address.

Note: The hacker may subsequently use similar actions to "obfuscate the trail" by creating more new addresses to evade monitoring (possibly involving other parachains in the Polkadot ecosystem).

Moving all DOT to Ethereum

  • https://moonscan.io/address/0xf6b852758a34c31641994ca6b4357b34ad1c18dc#tokentxns (DOT-Moonbeam-Squidrouter)
  • https://etherscan.io/tx/0x3d131a8f255e8a1b7a991f9b3a607ac550c1b5275917d147488c6d3f918da805 (swap to BTC)
  • https://etherscan.io/address/0xf6b852758a34c31641994ca6b4357b34ad1c18dc#internaltx (all DOT moved to the Ethereum account)


Impact

Financial Loss

  • Over $3-4M in stolen assets, with an additional $1-2M in funds at risk.

Governance Disruption

  • The attacker disabled democracy and technical committee pallets, preventing upgrades or recovery actions.

Ecosystem Damage

  • Unauthorized token minting diluted the ecosystem.
  • Cross-chain transfers further complicated recovery efforts.

Call to Action

The community must urgently vote on the referendum to recover stolen assets within the next 4 days. Securing 112M votes with conviction is critical to prevent further losses and long-term damage to the ecosystem.


Latest Update

In the past 24 hours, the hacker transferred all remaining DOT to Moonbeam and used cross-chain bridges to move the funds to Ethereum. The hacker now holds close to a zero balance on Polkadot.

We strongly urge the community to vote on the proposal to recover and rebond the remaining 125,000+ DOT as quickly as possible and regain control of the parachain.
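
The attacker actions described above (a runtime upgrade that introduces sudo and removes the democracy and technical committee pallets) show up as a change in the runtime's pallet set, which can be checked before an upgrade is enacted. The following is an added example, not code from Parallel or Parity: the pallet names `Sudo`, `Democracy`, `TechnicalCommittee` and `Council`, the snapshot format, and the sample snapshots are all assumptions constructed for illustration.

```python
# Added example: diff two runtime pallet snapshots and flag the changes this
# incident describes. Snapshots are constructed sample data, not chain data.

PRIVILEGED = {"Sudo"}                                         # assumed pallet name
GOVERNANCE = {"Democracy", "TechnicalCommittee", "Council"}   # assumed pallet names


def diff_runtime(old, new):
    """Return a list of (severity, message) findings between two snapshots.

    Each snapshot is {"spec_version": int, "pallets": {name: [call, ...]}}.
    """
    findings = []
    old_p, new_p = old["pallets"], new["pallets"]
    if new["spec_version"] <= old["spec_version"]:
        findings.append(("warn", "spec_version did not increase"))
    for name in sorted(set(new_p) - set(old_p)):
        sev = "critical" if name in PRIVILEGED else "info"
        findings.append((sev, f"pallet added: {name}"))
    for name in sorted(set(old_p) - set(new_p)):
        sev = "critical" if name in GOVERNANCE else "warn"
        findings.append((sev, f"pallet removed: {name}"))
    # A pallet can stay in place while its calls are stripped out.
    for name in sorted(set(old_p) & set(new_p)):
        for call in sorted(set(old_p[name]) - set(new_p[name])):
            sev = "critical" if name in GOVERNANCE else "warn"
            findings.append((sev, f"call removed: {name}.{call}"))
    return findings


def should_block(findings):
    """Policy: any critical finding holds the upgrade for manual review."""
    return any(sev == "critical" for sev, _ in findings)


# Constructed snapshots (hypothetical versions and call lists).
BEFORE = {"spec_version": 100, "pallets": {
    "Balances": ["transfer"],
    "Democracy": ["propose", "vote"],
    "TechnicalCommittee": ["propose", "vote", "close"],
}}
AFTER = {"spec_version": 101, "pallets": {
    "Balances": ["transfer"],
    "Sudo": ["sudo"],
}}

if __name__ == "__main__":
    for sev, msg in diff_runtime(BEFORE, AFTER):
        print(f"[{sev}] {msg}")
    print("block upgrade:", should_block(diff_runtime(BEFORE, AFTER)))
```

In practice the snapshots would be built from the metadata of the current runtime and of the proposed Wasm blob, and the check would run while the upgrade proposal is still pending.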
