On the afternoon of November 10, 2022, Beijing time (between 00:46 and 01:02 Eastern Time), the personal Trust Wallet hot wallet of Shen Bo, founder of Distributed Capital, was attacked, and approximately 42 million dollars worth of assets were transferred out in just a few minutes. The stolen assets all came from his personal account, which he repeatedly emphasized afterward was strictly isolated from the capital Distributed Capital uses for fund operations. The more glaring fact is this: if even a top investor with years of deep involvement in cryptocurrency could not keep his hot wallet secure, how should ordinary users with small holdings protect themselves in the same technical and attack environment?
15 Minutes of Blood Loss at Midnight...
According to public blockchain records, this attack occurred between 00:46 and 01:02 on November 10, 2022, Eastern Time, which corresponds to the afternoon of the same day in Beijing time. Starting at 00:46, the attacker began transferring assets out of Shen Bo's Trust Wallet hot wallet on his iPhone 12 Pro Max, emptying USDC, ETH, USDT, BTC, and TRON holdings within minutes. The entire process was highly concentrated and fast-paced, leaving almost no window for manual intervention.
The funds flowed out simultaneously across multiple mainstream public blockchains: Ethereum addresses, traditional Bitcoin addresses, Bech32 addresses, and TRON addresses all showed large outflow records within almost the same timeframe. Figures from a single source indicate that the stolen assets included approximately 38.23 million USDC, 1,607 ETH, 719,760 USDT, and 4.13 BTC, a highly valuable multi-chain pool of capital. The attacker evidently understood the distribution and scale of these assets in advance; the operation was not random probing but a direct hit on core positions.
More crucially, once the funds had left the original hot wallet address, they were quickly split, layered, and moved again through several rounds of new addresses. USDC, USDT, and other assets that issuers can freeze via a blacklist were rapidly spread across multiple wallets and mixed with other assets, and the paths between cross-chain assets were deliberately broken up. This pattern of rapid dispersion and multi-hopping made it significantly harder to reconstruct a single attack path afterward and, in practice, delayed enforcement freezes and protocol blacklisting: on-chain transparency could reveal the fund trajectories, but it could not outpace attackers who had prepared in advance.
Not a Wallet Vulnerability but a Lost Key
After the incident broke, some public commentary pointed the finger at Trust Wallet itself, asking whether it contained critical security vulnerabilities. However, the view of security company SlowMist (reported by a single source) drew a different conclusion: the available evidence points more towards leakage of the mnemonic phrase or private key than to a compromise of the underlying wallet software, and the attack path showed no obvious signs of approval-phishing contracts. In other words, the problem most likely lay with the “key” itself rather than with the program code of the “lock.”
From the public's perspective, “being hacked while using a certain wallet” is easily read as “this wallet is not secure,” but in the cryptocurrency asset system, user-side security and wallet-software security sit at two different levels with different boundaries of responsibility. Whether the private key or mnemonic phrase has been photographed, whether it has been backed up offline, whether it has been entered on an untrusted device, and whether it has been exposed to a malicious application or a jailbroken environment are all user-side operational risks; whether the wallet application has a flaw in its signing logic or a remote code execution vulnerability is a security defect of the software itself. Blurring the line between the two leads to incorrect security expectations: relying too heavily on “a secure wallet” while neglecting how that crucial string of characters is managed.
In this incident, SlowMist stated that it provided on-chain analysis and investigative support, technically analyzing the attack path and fund flow and supplying foundational data for asset freezing and judicial cooperation; on-chain analysts and other security teams have also continued to add evidence through public channels. This post-incident response highlights the role of security companies: not just selling audits and discussing risk control beforehand, but also, once an attack has already occurred, using on-chain intelligence, address profiling, and similar means to contain the losses and their spillover effects within a smaller range.
The Convenience and Deadly Cost of Carrying a Hot Wallet
The attacked wallet was a Trust Wallet hot wallet on an iPhone 12 Pro Max, which quickly shifted the discussion towards the structural risks of mobile hot wallets. The advantages of hot wallets are clear: the private key is online, it can sign at any time, and transfers and interactions are extremely convenient, which suits high-frequency scenarios such as daily transactions, DeFi operations, and participating in new token offerings. But precisely because they are always online and carried around, their exposure is far greater than that of offline devices: device loss, system vulnerabilities, malicious apps, jailbroken environments, public Wi-Fi, and even physical access all enlarge the potential attack surface. As soon as the attacker gets hold of the “key,” on-chain funds have no natural protective layer of geography or legal jurisdiction.
In contrast, cold storage (hardware wallets, offline signing devices, multi-signature custody, and so on) significantly raises the attack threshold through disconnection and physical isolation. The private keys of cold wallets typically never appear in plain text on a connected device, and signing is completed inside the independent hardware; even if the computer is infected or the phone is compromised, the attacker cannot easily reach the real private keys. This level of security comes at the cost of usability and complexity: involved setup, cumbersome signing steps, and unsuitability for high-frequency small operations make it unfriendly for beginners.
For high net worth users, concentrating large amounts of long-term holdings in a single hot wallet is fundamentally a design with a systemic single point of failure. A single phone, a single mnemonic phrase, a single backup procedure: an error in any one of them exposes the entire asset base to the same attack surface. The larger and more cross-chain and multi-asset the positions, the more unreasonable this single point of exposure becomes. Hot wallets are suitable as “checking accounts” and operational front ends, not as the basket that carries all “fixed assets” and core principal.
A Tug of War from Reporting to On-Chain Pursuit
After the incident, public information shows that Shen Bo reported the case to law enforcement agencies including the FBI and engaged lawyers to handle it. This means the case was treated as a cross-border financial crime from the very beginning, rather than being absorbed quietly within the industry. Involving the traditional law enforcement system provides a legal basis for further cooperation with trading platforms, payment channels, and custodians, but it also exposes a reality: the response speed of state authorities in the on-chain world often fails to keep pace with the automated operating rhythm that hackers have planned long in advance.
On the on-chain intelligence side, SlowMist and on-chain analyst zachxbt participated in tracking and labelling related addresses. According to a single-source disclosure, they helped identify multiple fund migration paths and coordinated freezing measures with the service providers that might receive the funds. This “on-chain pursuit” model has become routine in recent large theft cases: once stolen assets enter centralized platforms or the reach of compliant services, there is an opportunity to identify and freeze them, creating the possibility of partially recouping losses or at least leaving a trail.
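The rapid dispersion described in the second section and the address-labelling and freeze coordination described just above are, from the defender's side, one graph problem: follow every outflow from the compromised addresses hop by hop, measure how widely the funds fan out, and flag the points where a blacklist-capable asset lands at a labelled service that can honour a freeze request. The Python below is an added illustration of that tracing logic, not code from the article, from SlowMist, or from any other party named here. The transfer records, address names, and the service labels in KNOWN_SERVICES are all constructed placeholders; the amounts echo the article's reported figures but the addresses and paths are invented.

```python
"""Trace tainted funds from compromised addresses across constructed transfer records."""
from collections import defaultdict, deque

# Constructed sample transfers, not real on-chain data. Addresses are placeholders.
# Each record: (chain, sender, receiver, asset, amount).
TRANSFERS = [
    ("ethereum", "victim_eth", "hop1_a", "USDC", 20_000_000),
    ("ethereum", "victim_eth", "hop1_b", "USDC", 18_230_000),
    ("ethereum", "victim_eth", "hop1_a", "ETH", 1_607),
    ("ethereum", "hop1_a", "hop2_a", "USDC", 10_000_000),
    ("ethereum", "hop1_a", "hop2_b", "USDC", 10_000_000),
    ("ethereum", "hop1_b", "hop2_c", "USDC", 18_230_000),
    ("ethereum", "hop2_a", "service_deposit_1", "USDC", 5_000_000),
    ("ethereum", "hop2_a", "hop3_a", "USDC", 5_000_000),
    ("tron", "victim_tron", "hop1_t", "USDT", 719_760),
    ("tron", "hop1_t", "service_deposit_2", "USDT", 719_760),
    ("ethereum", "unrelated_a", "unrelated_b", "USDC", 100),
]

# Hypothetical labels for deposit addresses of centralized services that can act on a freeze request.
KNOWN_SERVICES = {"service_deposit_1": "exchange-A", "service_deposit_2": "exchange-B"}
# Assets whose issuer maintains a blacklist (the article names USDC and USDT).
FREEZABLE_ASSETS = {"USDC", "USDT"}


def build_graph(transfers):
    """Adjacency list: sender -> list of (receiver, chain, asset, amount)."""
    graph = defaultdict(list)
    for chain, sender, receiver, asset, amount in transfers:
        graph[sender].append((receiver, chain, asset, amount))
    return graph


def trace_taint(transfers, origins, max_hops=5):
    """Breadth-first search from the compromised addresses; returns {address: hop distance}.

    Hop 0 is an origin; hop n is an address that received funds from a hop n-1 address.
    Addresses that never received tainted funds (e.g. unrelated_b) are not included.
    """
    graph = build_graph(transfers)
    hops = {origin: 0 for origin in origins}
    queue = deque(origins)
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for receiver, _chain, _asset, _amount in graph[current]:
            if receiver not in hops:
                hops[receiver] = hops[current] + 1
                queue.append(receiver)
    return hops


def fan_out(transfers, hops):
    """Distinct recipients per tainted address: a measure of the dispersion the article describes."""
    recipients = defaultdict(set)
    for _chain, sender, receiver, _asset, _amount in transfers:
        if sender in hops:
            recipients[sender].add(receiver)
    return {addr: len(rs) for addr, rs in recipients.items()}


def freeze_candidates(transfers, hops):
    """Tainted transfers of blacklist-capable assets into labelled service addresses."""
    found = []
    for chain, sender, receiver, asset, amount in transfers:
        if sender in hops and receiver in KNOWN_SERVICES and asset in FREEZABLE_ASSETS:
            found.append({"chain": chain, "service": KNOWN_SERVICES[receiver],
                          "asset": asset, "amount": amount, "hop": hops[sender] + 1})
    return found


def outflow_by_asset(transfers, origins):
    """Totals leaving the origin addresses directly, keyed by (chain, asset)."""
    totals = defaultdict(int)
    for chain, sender, _receiver, asset, amount in transfers:
        if sender in origins:
            totals[(chain, asset)] += amount
    return dict(totals)


if __name__ == "__main__":
    origins = {"victim_eth", "victim_tron"}
    hops = trace_taint(TRANSFERS, origins)
    print("direct outflow:", outflow_by_asset(TRANSFERS, origins))
    print("tainted addresses by hop:", sorted(hops.items(), key=lambda kv: kv[1]))
    print("fan-out per tainted address:", fan_out(TRANSFERS, hops))
    for candidate in freeze_candidates(TRANSFERS, hops):
        print("freeze request candidate:", candidate)
```

On the constructed data the tracer reaches eleven tainted addresses, finds that the origin and first-hop addresses each split funds into two branches, and surfaces two freeze candidates: 5,000,000 USDC reaching exchange-A at hop 3 and 719,760 USDT reaching exchange-B at hop 2. The max_hops bound matters in practice: an unbounded walk over real chain data quickly taints every busy contract and exchange, so analysts cap the depth and re-run as new hops appear.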
However, the high transparency of the chain is a double-edged sword. On the one hand, it lets everyone see the flow of funds in real time, which gives security teams what they need to build fund-flow maps and identify suspicious addresses; on the other hand, attackers can use the same transparency to adjust their strategy in real time: dispersing across more hops, using mixing services, avoiding heavily regulated platforms, and even parking some assets in “cold storage” for an extended period until the storm passes. Tracking and freezing therefore become a race against time: as the tooling advances, both attackers and defenders improve their ability to act on the same information, and this does not automatically mean that “the just side moves faster.”
When Industry Leaders Also Fall Over Security
A large part of the reason this incident sparked such wide discussion inside and outside the industry is the identity of the person involved: the founder and partner of Distributed Capital, active at the forefront of cryptocurrency for many years, a participant in numerous projects and transactions, and regarded as a typical “veteran player and professional investor.” The public naturally expects a higher level of security literacy from such a figure, yet he suffered a severe blow in the most fundamental area of “personal wallet security.” That contrast is itself an alarm bell for the entire industry: professional experience does not automatically translate into good security practice.
For high net worth cryptocurrency users, reality is far more complex than “one wallet, one private key”: assets spread across multiple chains including ETH, BTC, and TRON; multiple devices online at the same time, including smartphones, computers, and hardware wallets as intermediaries; and multiple accounts coexisting, including personal long-term positions as well as various investment vehicles and operational wallets. In such an environment, setting different permissions and limits for wallets with different purposes, separating “experimental funds” from “core principal,” and managing multiple mnemonic phrases and private keys together form a complex asset management process. A slight oversight can leave a security blind spot in some edge account or backup device.
It is worth noting that Shen Bo repeatedly emphasized after the incident that the stolen funds were his personal assets, completely isolated from the fund's capital and the operational accounts of Distributed Capital. This clear isolation is a model for institutional governance: many professionals manage company funds, multi-signature vaults, LP assets, and personal positions separately, with different wallet systems and risk control processes. Although the incident caused significant personal losses, it at least prevented the fund-level systemic risk of “LP funds getting hacked,” showing that separating personal and operational funds does in fact contain the impact in extreme risk scenarios.
How Not to Let the Next Hot Wallet Tragedy...
The real takeaway from this $42 million theft incident is not a specific address or the name of a particular wallet, but several simple yet often overlooked fundamental principles. First, management of private keys and mnemonic phrases is the absolute core of security: never store mnemonic phrases in plain text on connected
Disclaimer: This article represents only the personal views of the author and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify the claim.