What is Inactivity Leak?

Hackers can exploit the Inactivity Leak vulnerability by sending crypto deposits to dormant wallets, awaiting withdrawals, and then absconding with the remaining funds.

Feb 25, 2025 at 09:55 pm

Key Points

• Inactivity Leak is a vulnerability that allows hackers to steal funds from inactive cryptocurrency wallets.
• Hackers exploit this vulnerability by sending small amounts of cryptocurrency to inactive wallets and then waiting for the owners to withdraw their funds.
• Once the owners withdraw their funds, the hackers are able to steal the remaining balance in the wallet.
• There are a number of ways to protect against Inactivity Leak, including using a hardware wallet, keeping your software wallet up-to-date, and not reusing addresses.
• If you believe your wallet has been compromised by Inactivity Leak, you should immediately transfer your funds to a new wallet.

What is Inactivity Leak?

Inactivity Leak is a vulnerability that allows hackers to steal funds from inactive cryptocurrency wallets. This vulnerability is caused by the way that many cryptocurrency wallets handle unspent transaction outputs (UTXOs).

UTXOs are the individual units of cryptocurrency that are used to make transactions. When you send a cryptocurrency transaction, the sender's wallet selects UTXOs from the sender's wallet that are equal to or greater than the amount of the transaction. The difference between the amount of the transaction and the value of the selected UTXOs is returned to the sender as change.

If a wallet does not properly handle change, it can create an Inactivity Leak vulnerability. This can happen if the wallet does not store the change in a new UTXO, or if it stores the change in a UTXO that is too small to be used for a future transaction.

How Hackers Exploit Inactivity Leak

Hackers exploit Inactivity Leak by sending small amounts of cryptocurrency to inactive wallets. They then wait for the owners of the wallets to withdraw their funds. Once the owners withdraw their funds, the hackers are able to steal the remaining balance in the wallet.

This is because when the owner of the wallet withdraws their funds, the wallet will select the UTXO that contains the hacker's small deposit as one of the inputs for the transaction. This will give the hacker control of the change from the transaction, which will include the remaining balance in the wallet.

How to Protect Against Inactivity Leak

There are a number of ways to protect against Inactivity Leak, including:

• Use a hardware wallet. Hardware wallets are physical devices that store your private keys offline. This makes it much more difficult for hackers to steal your funds, even if your computer is compromised.
• Keep your software wallet up-to-date. Software wallets are constantly being updated to fix security vulnerabilities. It is important to keep your software wallet up-to-date to protect against the latest threats.
• Do not reuse addresses. When you receive cryptocurrency, it is important to use a new address for each transaction. This makes it more difficult for hackers to track your transactions and identify your inactive wallets.

What to Do If Your Wallet Has Been Compromised

If you believe your wallet has been compromised by Inactivity Leak, you should immediately transfer your funds to a new wallet. You should also change your password and enable two-factor authentication on your new wallet.

FAQs

• What is the difference between Inactivity Leak and Dusting?

Dusting is a technique that hackers use to identify inactive wallets. Hackers do this by sending small amounts of cryptocurrency to a large number of addresses. If the owner of an address withdraws the dusting amount, the hacker knows that the wallet is active and may be worth targeting for Inactivity Leak.

Inactivity Leak is a more sophisticated attack that allows hackers to steal funds from inactive wallets. Hackers do this by exploiting a vulnerability in the way that some wallets handle unspent transaction outputs (UTXOs).

• Can Inactivity Leak be used to steal funds from hardware wallets?

No. Hardware wallets are not vulnerable to Inactivity Leak because they store private keys offline. This makes it much more difficult for hackers to steal funds from hardware wallets, even if the computer is compromised.

• Is there a way to recover funds that have been stolen through Inactivity Leak?

No. Once funds have been stolen through Inactivity Leak, they are unrecoverable. This is because the hacker has control of the private keys to the wallet.