UPVU's Exploit Technical Post-Mortem ReportsteemCreated with Sketch.

in #upvu6 months ago


  • Things aren't quite over yet, but EVERYTHING IS OK. (Your precious STEEM and SP are completely SAFU!)
  • All On-chain records are also attached to make it transparent to everyone.
  • Today(On Dec 7 2022), there was a malicious attempt to hack into UPVU by hackers supposed to be Hive witnesses or users.
  • The hacking attack was launched by precisely targeting the time zone when we are asleep (around 5:00 am KST).
  • Looking at the hacker's transactions or the record of bypassing STEEM coins to an anonymous DEX, the hacker is an expert with a very high understanding of the Steem blockchain system.
  • The service was temporarily suspended due to the update of @upvu account information, but now EVERYTHING HAS BEEN RESOLVED and the service is operating normally.
  • Although team-owned assets and part of the fund for user reward distribution were stolen due to hacking, they can be covered by the personal assets of UPVU team members, and USERS'S ASSETS ARE NOT AFFECTED.
  • We ask for your understanding of the delay in the distribution of today's Liquid STEEM curation rewards. THE SAFETY OF OUR USERS' ASSETS IS OUR TOP PRIORITY. Therefore, we quickly covered the hacked user distribution assets with team members' personal funds.
  • Today's reward distribution has just been completed, and from tomorrow it will be distributed as usual.

Sequence of Events

스크린샷 2022-12-07 오후 2.10.36.png

Today(On Dec 7 2022), a series of unauthorized transactions occurred on our main account @upvu. A precise hacking attack was started that precisely targeted the time zone when we sleep (around 5:00 am Korean time).

After hacking the @upvu account, the hacker changed the private key and recovery account, initiated a powerdown, and sent 168,889 STEEM worth approximately $29,640 to an account named @securityfund. This account is a newly created account just before the hacking attack begins.

Hackers, presumed to be Hive witnesses or well-informed users, even deleted our recovery accounts shortly after updating our account information. (Changing the recovery account, even setting it to @null, is possible only for users who have a good understanding of the Steem account system)

As soon as we became aware of the hacking incident, we started responding to recovery. After quickly recovering the @upvu account through the recovery account (@happyberrysboy) set up in advance, the private key was changed through account update, and the current voting service of UPVU and the SP you delegated are NOT AFFECTED in any way.

Due to the high security design structure of the Steem blockchain, even if the account is hacked, the delegated SP is completely safe without any impact.

Protocol Impact

UPVU has completed all recovery tasks and THERE IS NO PROBLEM NOW. The power-down initiated by the hacker has been stopped, and the upvoting is proceeding normally.

However, some of the liquid assets were stolen and the details are as follows.

Total Assets Stolen : 168,889 STEEM (=$29,640)

  • Assets belonging to UPVU team : 50,000 STEEM
  • Assets to be distributed to users : 118,889 STEEM

We have always kept the liquid quantity to a minimum to minimize risk, but the liquid quantity was exceptionally large to respond to the demand for UPVU token conversion due to the recent Steem Engine hacking issue.



스크린샷 2022-12-07 오후 4.17.08.png

  • You can check recovery fund related transactions here.

Hacker's transaction to liquidation of stolen assets

Hacker is monetizing stolen assets through several channels. Currently, we are working closely with the security teams of Binance, Simpleswap, and StealthEX, and the hacker's Binance account has now been frozen.

We have also referred the police to investigate the incident and will do our best to catch the hacker.

(1) Direct Deposit (24,800 STEEM x 2 times)

(a) Direct deposit to Binance (@deepcrypto8 /memo: 101546624)

(b) Direct deposit to Binance (@deepcrypto8 / memo: 101546624)

(2) Indirect Deposit via Simpleswap - 50,000 STEEM
(a) from @securityfund to @swap2020 (this account is deposit address of Simpleswap)

(b) from @swap2020 to @deepcrypto8 (memo : 107104617)

(3) Indirect deposit via StealthEX - 69,289 STEEM

(a) from @securityfund to @exchangeme (this account us deposit address of StealthEX)

(b) from @exchangeme to @deepcrypto8 (memo : 100160970)

Why we assume Hive is behind the hacker

(1) High Understanding of System Design

스크린샷 2022-12-07 오후 2.50.43.png

  • Common hackers only target the theft of liquid assets, but this hacker created transactions that cannot be done without a high understanding of Steem's system design, such as setting the recovery account to @null to make recovery impossible.

(2) Using an anonymous DEX frequently used on Hive

스크린샷 2022-12-07 오후 12.20.52.png

<Image source : https://peakd.com/wallet/exchanges>

  • Hacker is using anonymous DEXs such as Simpleswap and StealthEX, primarily used by Hive users to monetize stolen assets, making tracking difficult.

Post Incident Plan

  • Since the fork of Steem and Hive, Hive witnesses and users have continued to launch attacks with the malicious goal of destroying the Steem ecosystem.

  • They have dominated Steem since its genesis, knowing all too well how the system was designed and what the vulnerabilities were in the design, and there are still remnants of tools and apps created by Hive Witnesses (ex Steem Witnesses) and developers. .

  • In order to maintain a stronger security level for the UPVU service, we will manage accounts for distribution and reserve separately, and we will apply the multi-sig function to accounts for reserve. (Multisig function is already under development internally, but it is expected to take more time)

  • From now on, liquid STEEM curation rewards will be distributed from @upvu.bank account.

Letters to the Steem community

The cause of the hacking is currently unknown, but we will continue to track the cause, and we strongly recommend that all users change their account passwords periodically, even if they are inconvenient.

We are involved with Hive witnesses or developers, but we are still analyzing the source of all tools and apps available on Steem, and we will share it with the community as soon as the cause is revealed.

We sincerely apologize for any inconvenience caused to members of the Steem community. As always, we will do our best to provide safe and stable services on the Steem blockchain, and we will quickly respond to Hive's continuous malicious behavior and win.



Hi @happyberrysboy and @realmankwon,

I'm so sorry to see that this has happened.

The cause of the hacking is currently unknown

As a line of thought which you may / may not have considered...
You shared this post a few days ago. Did you post this via your new front end or via steemit.com? It's possible that the new interface has been targeted rather than steemit.com so if it's possible to review security logs, etc. from your hosting then this might help.

I hope that you have some success retrieving the funds 👍

Thanks for your reply. This hack has nothing to do with the security of our new frontend (upvu.org). We are currently investigating other causes.

Thanks for getting back to me - good luck with your investigation and we look forward to hearing anything that you uncover.

모바일에서 업뷰로 글 볼 때, 이미지가 보이는 글이 있고 안 보이는 글이 있네요. 오늘 갑자기 이 증상이 생긴 것 같아요.

관련해서 수정 완료했습니다!

어떻게 이런일이.... 고생 많으셨습니다.

아이고 고생 많으셧습니다 ㅠㅠㅠㅠ

It's very very unfortunate :(
168K Steem stolen......huge loss.
But, the million dollar question is - "Where is the security hole ? How to hacker got this?"

We're looking for it, but we still can't find it.
Now, rather than identifying the cause, we are looking for and developing what we can do to prevent recurrence.

It means that no accounts are safe and can be hacked in steem

We do not believe that the cause of this hack was a design flaw in the Steem blockchain. We should always be careful about Hive's attacks, but we shouldn't create FUD by ourselves. Perhaps the biggest problem is that many tools and apps created by Hive's developers or witnesses are still available on Steem. We believe that Steemit Inc needs to focus on building Steem's infrastructure from zero base through DIP.

We believe that Steemit Inc needs to focus on building Steem's infrastructure from zero base through DIP.

That would be very desirable.

After hacking the @upvu account, the hacker changed the private key and recovery account,

I find it very disturbing that someone was able to "hack" your keys. The changes you mentioned require at least the private owner key. If these keys were not stored somewhere in your systems and were nevertheless grabbed, this means that the key could be determined from the system! And that is very worrying!
You absolutely have to clear this up so that all users are aware. We may also have to bring forward changes on the code side....

Nothing has been clearly identified yet, but as already mentioned, it is neither a code-wise problem nor a Steem blockchain design problem. It is presumed that security issues may occur in tools or apps that existed before the fork of Steem and Hive, and unfortunately, it seems impossible to determine the exact cause at this time.

I hope you can still determine the cause. It could be only such tools or apps in question, which you also use. Or would libraries like dsteem or steem-python also be critical here?

Damn. Crazy shit.

It depends on where you store the keys.

Yes, but I expect that upvu has stored its keys safely

That is exactly what crossed my mind.
If users as experienced as people behind @upvu could become a victim, then safety of our keys on steem is a real question ...

Yes, and I think we will see more attacks going forward

I also assume that. But if that is the case, I find it even more worrying!
Because then the key must be determinable from other sources...

La gente es abusadora de verdad, amigo una pregunta como me puedo unir y que tengo que hacer para recibir votos de @upvu tengo que delegar steem o que debo hacer espero su respuesta por favor


Delegate to upvu!!
That's all!!!

A le delego SP cuanto le puedo delegar amigo? Amigo este es mi número de WhatsApp soy de Venezuela 04248439785, quiero tener más contacto con usted si se puede por favor y muchas gracias por la información 😊

모바일에서 예약 포스팅 기능이 작동하지 않습니다. jwt expired 라는 문구가 뜨네요.

계정을 삭제하시고 재로그인 하시면 될 듯 합니다.
서버를 재부팅해서 인증정보가 손실되서 그럴 겁니다.

I want to believe that you can in any case decide the reason. It very well may be just such apparatuses or applications being referred to, which you likewise use. Or then again could libraries like dsteem or steem-python additionally be basic here?

This is so unfortunate and sad, we pray it doesn’t happen again. By the way, I didn’t receive any upvote for my post yesterday (five hours ago as at the time of this post).

Please check it for me thank you

My account also hacked and also my friend account. His hive account also hacked . Which was associated with Steem. Is it possible to recover? if you answer to my question its help me a lot.

Coin Marketplace

STEEM 0.19
TRX 0.08
JST 0.023
BTC 27912.07
ETH 1900.84
USDT 1.00
SBD 2.26