Trusted

How Hackers Attacked Telegram Trading Bot to Steal $500,000

3 mins
Updated by Geraint Price
Join our Trading Community on Telegram

In Brief

  • Hackers exploited a vulnerability in the Maestro Router 2 smart contract, stealing 280 ETH ($500,000) from Telegram trading bot Maestro.
  • The Maestro attack resulted in a 30% drop in JOE tokens' price due to lack of liquidity. The stolen ETH was transferred to Railgun, a crypto privacy tool.
  • Despite the hack, Maestro refunded all affected users by purchasing and returning the lost tokens. The bot has earned over $20 million in fees in 2023.
  • promo

Hackers have stolen over 280 Ethereum (ETH) due to the exploit on the smart contract of the telegram trading bot Maestro

Telegram trading bots automate on-chain trading and farming, but some wallets require users to share their private keys. While Telegram trading bots gained popularity, many community members shared concerns about security measures. 

Maestro Router 2 Contract Attacked Due to External Call Vulnerability

Blockchain security firm Beosin posted on X (Twitter) that attackers stole around 280 ETH $500,000)  due to an external call vulnerability in the Maestro Router 2 smart contract. Beosin further explained:

“Attackers can pass in a token address, fill in the called function as transferfrom, with parameters as the victim’s address and their own address, so they can transfer the victim’s tokens to their own address through transferfrom.”

Furthermore, another blockchain analysis firm, PeckShield, has informed X users that a phishing wallet stole 37 million JOE tokens due to the exploit. Eventually, the price of JOE dropped by more than 30%. Due to the lack of liquidity, Maestro cannot buy JOE tokens and refund users.

Read more: Who Is ZachXBT, the Crypto Sleuth Exposing Scams?

Maestro attack, Maestro exploit
Lack of JOE liquidity. Source: X (Twitter)

The Maestro attacker has transferred the 280 ETH to Railgun, which is a crypto privacy tool that hides transaction details.

Maestro attack, Railgun
Attacker moves funds to Railgun. Source: X (Twitter)

Shortly after the attack, the Maestro team took prompt action and updated that it had identified the exploit and dealt with it. The team wrote:

“Our router has been updated to a safe, exploit-free implementation. Trading can resume as normal, but tokens with pools on SushiSwap, ShibaSwap, and ETH PancakeSwap will be temporarily unavailable.”

Finally, Maestro refunded all the affected users by buying the tokens and sending them to the victim’s wallet. Maestro wrote on X:

Every wallet that lost tokens in the router exploit has now received the full amount they lost.

Some of you ended up with even bigger bags. For 9 out of the 11 exploited tokens, we chose to buy and refund tokens instead of simply sending ETH because it’s the most equitable and complete refund we can offer for the incident.

Maestro Earned Over $20 Million in 2023

In May 2023, BeInCrypto reported that the Maestro trading bot earned $5 million in monthly commission. While May was the peak for monthly collection, the screenshot below shows that in 2023, it has collected over $20 million in fees.

Maestro, Telegram trading bot
Maestro monthly fee collection. Source: DefiLama

Indeed, the telegram trading bot can help traders earn handsome profits, but at the cost of revealing their private keys to the bot to sign the transactions. The ethos of the decentralized ecosystem is “not your keys, not your coins.” 

Hence, giving away private keys may not be the best idea. Regarding the Maestro attack, an X (Twitter) user wrote:

“Maestro bot just got EXPLOITED 🚨 I never read did trust all the stupid bots popping out left and right. Stay away from these bots. Be safe”

While giving away the private keys is not the best practice, the Maestro team clarified that the exploit targeted the router, and wallet credentials were not compromised.

Read more: Unibot: A Comprehensive Guide to the Telegram Bot

Do you have anything to say about the Maestro attack or anything else? Write to us or join the discussion on our Telegram channel. You can also catch us on TikTok, Facebook, or X (Twitter).

For BeInCrypto’s latest Bitcoin (BTC) analysis, click here.

Top crypto projects in the US | November 2024
Coinbase Coinbase Explore
Coinrule Coinrule Explore
Uphold Uphold Explore
3Commas 3Commas Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | November 2024
Coinbase Coinbase Explore
Coinrule Coinrule Explore
Uphold Uphold Explore
3Commas 3Commas Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | November 2024

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and ConditionsPrivacy Policy, and Disclaimers have been updated.

Harsh.png
Harsh Notariya
Harsh Notariya is an Editorial Standards Lead at BeInCrypto, who also writes about various topics, including decentralized physical infrastructure networks (DePIN), tokenization, crypto airdrops, decentralized finance (DeFi), meme coins, and altcoins. Before joining BeInCrypto, he was a community consultant at Totality Corp, specializing in the metaverse and non-fungible tokens (NFTs). Additionally, Harsh was a blockchain content writer and researcher at Financial Funda, where he created...
READ FULL BIO
Sponsored
Sponsored