Summary of Incident

An attacker maliciously upgraded the Parallel parachain runtime, granting themselves administrative privileges and enabling them to steal over 312,185 DOT and 126,837 USDT. They continue to actively unbond approximately 125,688 DOT+, putting an additional capital at risk. Immediate action is required to vote on a referendum supported by Parity to recover the stolen assets within the next 5 days, aiming for 112M votes with conviction to prevent further losses. We currently have 36 million votes so far.

Link for details: https://docs.google.com/document/d/1qxGBsAe99avsuj0ArEaDwCGM5nhT5X5P7b6A83x-KuI/edit?tab=t.0#heading=h.54s39aaeu4rx

Link for vote: https://polkadot.subsquare.io/referenda/1322

---

Key Details:

• Attacker Actions:

  • Upgraded the runtime with malicious code to gain "sudo" privileges.
  • Minted unauthorized tokens (DOT and USDT).
  • Transferred stolen assets across chains and obfuscated the trail.
  • Sold unstaked funds on exchanges (e.g., Binance, Huobi).
  • Disabled governance mechanisms to prevent recovery efforts.

• Current Risk:

  • The attacker is actively unbonding staked DOT, with 125,688 DOT still at risk.
  • Over $1.5M in additional assets could be transferred to the attacker’s account without intervention.

• Attacker Accounts:

  • Multiple accounts and addresses across Polkadot, Moonbeam, and Acala have been used to facilitate the theft and obfuscate transactions.

---

Timeline of Events:

1. October 31, 2024:

   • Attacker proposed and approved a malicious runtime upgrade, granting themselves administrative powers.

2. November 7, 2024:

   • Malicious upgrade executed; attacker gained control of parachain governance and proxy permissions.

3. November 22-24, 2024:

   • Unauthorized minting of DOT and USDT tokens.
   • Transferred 303,208 DOT from staking ledgers to their accounts.
   • Cross-chain transfers and asset swaps to conceal stolen funds.

4. November 27, 2024:

   • Continued unbonding of staked DOT, putting additional funds at risk.

5. November 30, 2024:

   • Transfer all remaining DOT to Ethereum network. Currently, zero balance on relaychain.

---

Impact:

• Financial Loss: Over $1.5M in stolen assets, with more at risk.
• Governance Disruption: The attacker disabled democracy and technical committee pallets, preventing any upgrades or recovery actions.
• Ecosystem Damage: Unauthorized token minting diluted the ecosystem, and cross-chain transfers complicated recovery efforts.

---

Call to Action:

The community must urgently vote on the referendum to recover stolen assets within the next 6 days. Failure to secure 112M votes with conviction will result in further losses and long-term damage to the ecosystem.

---

Other Community information to share: https://x.com/alice_und_bob/status/1862469090654216461?s=46&t=GtuLra8SRZQbc5hjUKgo2Q

Additional update:
In the past 15 hours, the hacker transferred all remaining DOT to Moonbeam and utilized cross-chain bridges to move the funds to Ethereum. Currently, the hacker holds a close to 0 balance on Polkadot.

We strongly urge our community to vote on this proposal to recover/rebond the remaining 125,000+ DOT as quickly as possible and regain parachain control subsequently.

Transaction details:
Etherscan Link: https://etherscan.io/tx/0x3d131a8f255e8a1b7a991f9b3a607ac550c1b5275917d147488c6d3f918da805
https://etherscan.io/address/0xf6b852758a34c31641994ca6b4357b34ad1c18dc#internaltx

Polkadot Subscan Link: https://polkadot.subscan.io/account/16cm11H5g5ZgiaqGL6FYDQVDFGPfujLe8kadQA36BdcTuwRt?tab=transfer