
SlowMist: Beware of mnemonic phrase leaks caused by using Replit platform to register wallets
TechFlow Selected TechFlow Selected

SlowMist: Beware of mnemonic phrase leaks caused by using Replit platform to register wallets
Such attacks are extremely low-cost, requiring attackers only basic search and scanning skills to launch.
Author: Yao
Background
Recently, a victim contacted the SlowMist security team after losing 90,000 ATOM tokens due to using the online coding platform Replit to create a wallet for the Atomicals protocol and depositing ATOM (ARC20 tokens minted on the Atomicals protocol) in batches. According to the victim, the private key or recovery phrase was leaked through copy-pasting operations on the web interface.
Analysis of Wallet Creation via Replit
atomicals-js (https://github.com/atomicals/atomicals-js) is a command-line interface and JavaScript library officially developed and published by Atomicals on GitHub, enabling users to interact with the Atomicals protocol using JavaScript.

Replit is a well-known online programming platform whose web-based IDE supports multiple programming languages such as Python and JavaScript, allowing users to write code directly in the browser, quickly launch projects, and share code.

There are numerous wallet registration tutorials for ARC20 available on platforms like Weibo, Twitter, and YouTube:

Some of these tutorials specifically demonstrate how to deploy the atomicals-js project on Replit to generate wallets and deposit ATOM ARC20 tokens.

(https://weibo.com/ttarticle/p/show?id=2309404950524427632902)

Although such tutorials are not limited solely to ARC20 presale guides, they commonly recommend using the Replit platform.

Due to Replit's public nature, all code deployed on the platform is publicly accessible. Once the atomicals-js project is deployed and executed, it generates a wallet.json file within the project directory, which contains sensitive information such as the generated recovery phrase, private keys, and addresses.

Notably, using simple search techniques or tools like Google Hacking, one can easily discover projects running atomicals-js on Replit and locate examples containing the wallet.json file.

Therefore, creating wallets based on these so-called tutorials poses significant risks. Users should avoid running code that handles sensitive data on publicly accessible platforms—especially when dealing with cryptocurrency wallets or private keys—and instead use more secure and trusted environments for generating and managing crypto wallets.
Malicious Address Analysis
Using MistTrack for analysis, we found that the victim transferred multiple batches of ATOM tokens (approximately 98,000 according to the victim) into the newly created ARC20 wallet address bc1pt046u0mew4yq83ftwrp3eqfalvf8d6g6lncnmnf3l4zaaalpl54qwvxuqp on September 23. These funds were then transferred to the attacker’s address bc1psanyvngxqgwxcssfwryl8mva7em4pmp37jcck2m67xtux8l887js7ezvev on September 24.


Querying https://satsx.io/, we observe that approximately 68,000 ATOM ARC20 tokens stolen by the hacker remain untransferred.

Summary
The attack described in this article requires extremely low cost; attackers only need basic search and scanning skills to carry out such attacks. The SlowMist security team reminds users that if you have accidentally used Replit to generate a wallet, transfer your funds immediately and delete any sensitive files. Exercise extreme caution when using generated wallets or recovery phrases on unfamiliar web platforms. SlowMist recommends using reputable wallet services that have undergone security audits to minimize the risk of exposure.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










