Lottie Player hit with a supply chain attack, stealing 10 wrapped BTC from Avalanche wallet

Lottie Player was hit with a supply chain attack, affecting one wallet with 10 Bitcoin (BTC). The Wordpress tool has been abused to send malicious links to Web3 users, effectively draining wallets. 

Lottie Player, the Wordpress animation library, has been used as a vector of attack for Web3 users. Through malicious links, at least one wallet has been drained of 10 Bitcoin (BTC). 

The Lottie Player attack has affected widely used projects like 1inch and Mover. The 1inch attack may be especially harmful, as the DEX trading service is among the most widely used ones on Ethereum. 

Blockaid has also reported it has been spreading malicious wallet connections through its website. Bubble was another front-facing website affected by the malicious popups, and became one of the first to be reported. Bubble is also the source for building third-party apps, which could have been affected in the hours when the old versions were active. 

Researchers from Blockaid have identified Ace Drainer as the most probable source of the attack. The malicious version of Lottie Player has been removed, but not before spreading fake links for signing with widely used Web3 wallets. The attack has been active for at least 12 hours, increasing the balances in several identified attack wallets.

The attack was first noted when a wallet got drained of 10 BTC, leading to the source of fake links. The risk was in quickly signing all requests, including permanent access to wallets. This allowed the attackers to even drain Avalanche C-Chain addresses, stealing a form of wrapped BTC. The attack itself did not ask for a self-custodial Bitcoin wallet, but relied on the need for Web3 connectivity.

⚠️ 3 hours ago, a victim lost 10 BTC ($723,436) due to signing a phishing transaction.

This theft is likely related to the supply chain attack on Lottie Player earlier today. https://t.co/Puq5zUnKO9 pic.twitter.com/STYgRGgyK9

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) October 31, 2024

Users also noted the Lottie Player would populate a Web3 route with a malicious transaction when used for websites in the usual way. Analysts noted the attack targeted Ethereum and EVM-compatible chains. 

The attackers’ addresses continue to show activity, affecting small holdings of various Web3 tokens. For now, the entire size of the attack has not been accounted, and may have affected other tokens. The attackers are swapping the tokens quickly through Uniswap, or even through MetaMask swap.

Lottie Player attack spread to multiple sites

The Lottie Player attack displayed a very familiar screen for Web3 users, urging them to connect some of the top wallets, including MetaMask, WalletConnect, and others.

Even the TryHackMe platform experienced the popup, but moved to an older version. The issue has been reported by other users of popular websites. 

The attack affected two versions of Lottie Player, first noticed late on October 30. The attacks originated from versions 2.0.5 or higher. Website owners had to clear the attack themselves in the initial hours, by reverting to other tools or older versions of Lottie Player. Some have chosen to delete the scripts as a precaution. 

Wallet owners may still have to revoke permissions, if they have connected to any of the injected links. Sites like 1inch draw in more than 590K monthly users, and may have affected multiple undetected wallets.

Lottie Player team publishes safe version

The Lottie Player team reacted by uploading a legitimate new version 2.0.8, while unpublishing the contaminated scripts. The team noted the faulty versions were three in total, published directly to NPM using a compromised access token from a developer with the required publishing privileges. The team notes no other repositories or libraries have been affected. 

Lottie Player is widely used for animations and minor features on websites, but has been added to the list of distributors for malicious links. Those types of attacks target individual wallets, adding to the risk of poisoned addresses, direct targeting in email and messages, and fake website versions. 

The attack happens during the next stage of a crypto bull market, accelerating attempts to steal more valuable tokens. Connecting a wallet is best done for a specific purpose, avoiding full-time permissions for signing transactions. Launching a wallet connection immediately after entering a website may be a red flag.