Bitaigen Research In this report we compile the in‑depth investigation conducted by the imToken security team into recent anomalies observed with the LCS wallet, uncover the critical risk points where mnemonic phrases may be exposed, and provide practical recommendations for loss mitigation and asset migration. After reading, users should be able to quickly determine whether they are affected and take the necessary steps to prevent further loss of funds.
imToken Official Notice: Users of the LCS wallet must cease using the wallet immediately, generate a new address in imToken, and transfer their assets as soon as possible to prevent further theft.
Today the imToken security team received a user report indicating that ETH held in a wallet had been maliciously stolen. We promptly analyzed the compromised wallet addresses and found that every stolen address had been created by the LCS wallet.
To further confirm the theft method, the security team retrieved information related to the LCS wallet and contacted the affected users. The findings are as follows:
- Users downloaded the LCS wallet and generated a mnemonic phrase, or imported an existing mnemonic into the LCS wallet;
- During the generation or import process, the mnemonic was stored in plaintext on the LCS wallet’s servers, indicating that the LCS wallet operates as a centralized service;
- Users later imported the addresses that had been used with the LCS wallet into imToken or other decentralized wallets, but the mnemonic remained on the LCS server and could be stolen at any time;
- All stolen assets were systematically transferred to the same destination address.
Based on these observations, the imToken security team strongly recommends that LCS wallet users immediately stop using any addresses managed by that wallet, create a brand‑new wallet inside imToken, and migrate their assets. Victims who have already suffered theft should file a police report with the appropriate local authorities as soon as possible.
Below is the key information that the security team has uncovered:
| Item | Details |
|---|---|
| Theft address | `0xeba337eeedf030f88a7b0066ec137638f9355189` (each ETH transaction is small, but a large number of transactions remain unconfirmed) |
| Transaction activity | The address completed more than **12,000** transactions within 17 hours and still has many pending transactions; it is believed the thief controls tens of thousands of private keys and is using automated scripts to drain funds |
| Outbound records | A total of **4** outgoing transactions, allowing the final destination of the assets to be traced (click to view transaction details) |
| LCS contract address | `0xe62e6e6c3b808faad3a54b226379466544d76ea4` |
| Wallet nature | LCS is a centralized wallet that stores users’ mnemonic phrases, contrary to its marketing as a decentralized solution |
LCS Wallet Collects Users’ Private‑Key Mnemonics 【Packet‑Capture Analysis】
If you want to verify whether a wallet collects users’ mnemonic phrases or private keys, you can capture network traffic and see whether the data is uploaded to the server in plaintext or encrypted form.
Using the LCS wallet as an example:
- Download and open the LCS wallet; the home screen shows “Import Wallet”. Import a test mnemonic and confirm.
- After capturing the traffic, it can be seen that the wallet uploads the mnemonic to the endpoint `portal‑api‑v3.lcs.world/user/importWallet`.
- Both the mnemonic and the password are sent to the server in plaintext. Although the server responds with “upgrading”, the data has already been transmitted. Never use real private keys or mnemonic phrases when performing such tests.
From this evidence it can be concluded that a user’s private key and mnemonic are fully exposed the moment the LCS wallet is used for the first time.
The above constitutes the entirety of the imToken Official Notice. For further information about the LCS wallet, please follow additional articles on Bitaigen (比特根).
---
Additional notes for a global audience
- When converting any fiat values mentioned elsewhere in the ecosystem, use USD as the reference currency. Transfers across borders should be carried out via SEPA (for Euro‑zone users) or SWIFT for other regions.
- Users residing in the United States must use Binance.US rather than the global Binance platform, in accordance with local regulatory requirements.
- Cryptocurrency gains may be subject to taxation in many jurisdictions. Users should consult local tax professionals to ensure compliance with their country's tax laws.
Related Reading
- 2024 Secure Crypto Wallets: imToken, HyperPay, Ledger, Cobo
- BIP‑39 Mnemonic Security: Why Brute‑Force Is Impossible
- Bitauth Wallet vs imToken: Security & Feature Comparison
💡 Register on Binance with referral code B2345 for the maximum trading fee discount. See Binance complete guide.
⚠️ Risk Disclaimer: Crypto prices are highly volatile. This is not investment advice.
