Remilia Treasury Breach: How a Password Manager Compromise Drained $3 Million in Ethereum and NFTs

The cryptocurrency community woke up to alarming news on March 17, 2024, as the Remilia Treasury — the organization behind the popular Milady NFT collection — confirmed a devastating security breach. The attacker siphoned approximately 850 ETH, valued at nearly $3 million at the time, along with multiple high-value NFTs from wallets controlled by founder Charlotte Fang. The incident highlights a growing and often underappreciated attack vector in the crypto space: the compromise of personal operational security rather than smart contract vulnerabilities.

The Exploit Mechanics

According to Fang’s public statement, the breach originated from unknown malware that infiltrated a password manager storing seed phrases for all connected wallets. This gave the attacker access to the private keys necessary to authorize transactions from the Remilia treasury multisig wallet and other linked accounts. The attacker then systematically moved assets to a drainer wallet — identified as 0x778Be423ef77A20A4493f846BdbcDDfc30252cE9 — where liquidation began immediately. The stolen NFTs and tokens were sold for approximately 850 ETH, equivalent to roughly $3 million given Ethereum’s price of $3,642 at the time.

Security firm PeckShield was among the first to analyze the on-chain activity, flagging suspicious transfers that preceded the public disclosure. The attack did not exploit a smart contract vulnerability or a protocol-level flaw. Instead, it was a textbook operational security failure — the digital equivalent of leaving the keys to the vault in an unlocked desk drawer.
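The on-chain pattern described above (a monitored wallet suddenly sending a burst of assets to an address it has never dealt with, followed by liquidation) is the kind of signal a monitoring firm flags before a public disclosure. The following is an added example, not code from the article, PeckShield or Remilia: it runs a simple drain detector over a constructed transfer log. The wallet labels `0xFOUNDER_HOT`, `0xTREASURY_MSIG` and `0xKNOWN_EXCHANGE` are placeholders; only the drainer address is the one quoted in the article, and the transfers, amounts and timestamps are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log; these are NOT real on-chain records.
# Tuple layout: (ISO-8601 timestamp, from, to, asset, amount).
# Wallet labels are placeholders; the long hex address is the drainer
# address quoted in the article.
DRAINER = "0x778Be423ef77A20A4493f846BdbcDDfc30252cE9"
TRANSFERS = [
    ("2024-03-10T12:00:00", "0xFOUNDER_HOT",   "0xKNOWN_EXCHANGE", "ETH", 2.0),
    ("2024-03-15T09:30:00", "0xTREASURY_MSIG", "0xKNOWN_EXCHANGE", "ETH", 10.0),
    ("2024-03-17T03:01:10", "0xFOUNDER_HOT",   DRAINER, "MILADY#4213", 1),
    ("2024-03-17T03:02:45", "0xFOUNDER_HOT",   DRAINER, "MILADY#7771", 1),
    ("2024-03-17T03:04:02", "0xFOUNDER_HOT",   DRAINER, "ETH", 120.0),
    ("2024-03-17T03:05:30", "0xTREASURY_MSIG", DRAINER, "ETH", 400.0),
    ("2024-03-17T03:06:12", "0xFOUNDER_HOT",   DRAINER, "ETH", 35.0),
    ("2024-03-17T14:00:00", "0xTREASURY_MSIG", "0xKNOWN_EXCHANGE", "ETH", 1.0),
]

# Wallets we watch, and counterparties that have been vetted in advance
# (exchanges, vendors, the project's own contracts).
MONITORED = {"0xFOUNDER_HOT", "0xTREASURY_MSIG"}
KNOWN_COUNTERPARTIES = {"0xKNOWN_EXCHANGE"}


def detect_drains(transfers, monitored, known_counterparties,
                  window=timedelta(minutes=15), min_transfers=3):
    """Flag (wallet, counterparty) pairs where a monitored wallet sends at
    least `min_transfers` transfers to an unvetted address within `window`
    of the first transfer to that address.

    sorted() on the tuples orders them by timestamp, because ISO-8601
    strings of identical format sort chronologically.
    """
    first_seen = {}                 # (src, dst) -> datetime of first transfer
    bursts = defaultdict(list)      # (src, dst) -> [(asset, amount), ...]
    for ts_str, src, dst, asset, amount in sorted(transfers):
        if src not in monitored or dst in known_counterparties:
            continue                # outbound from a watched wallet to an unvetted address only
        ts = datetime.fromisoformat(ts_str)
        key = (src, dst)
        first_seen.setdefault(key, ts)
        if ts - first_seen[key] <= window:
            bursts[key].append((asset, amount))

    alerts = []
    for (src, dst), items in bursts.items():
        if len(items) >= min_transfers:
            alerts.append({
                "wallet": src,
                "counterparty": dst,
                "transfers": len(items),
                "first_seen": first_seen[(src, dst)].isoformat(),
                "assets": [asset for asset, _ in items],
                "eth_out": sum(amt for asset, amt in items if asset == "ETH"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_drains(TRANSFERS, MONITORED, KNOWN_COUNTERPARTIES):
        print(alert)
```

With the defaults the detector raises one alert, for `0xFOUNDER_HOT`, which sent four transfers (two NFTs and 155 ETH) to the drainer inside five minutes; the single 400 ETH transfer from the multisig stays below `min_transfers`, which is why a real deployment would pair this burst rule with a value threshold on any first transfer to an unvetted address. Lowering `min_transfers` to 1 turns every first contact with an unvetted address into an alert, a noisier but earlier signal.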

Affected Systems

The breach impacted multiple wallets connected to the Remilia organization, including the multisig wallet designated for treasury funds. Among the assets drained were Milady NFTs — a collection of 10,000 generative anime-style artworks on the Ethereum blockchain that had become a cultural phenomenon in crypto circles. Fang confirmed, however, that the NFT contract ownership and metadata had been transferred to a hardware wallet prior to the attack and were not compromised. Additionally, the operating treasury had been moved off-chain, which limited the overall financial damage to the organization’s operational capacity.

This distinction is critical: the hack primarily affected Fang’s personal wallets and those directly connected to them, rather than the core smart contract infrastructure of the Milady ecosystem. Nevertheless, the reputational damage and community concern were immediate and significant.

The Mitigation Strategy

In the aftermath, Fang issued a public warning to Milady NFT holders, advising heightened vigilance against suspicious communications that might attempt to exploit the confusion. The response highlights several key mitigation principles that apply broadly across the crypto industry:

First, never store seed phrases in password managers or any internet-connected software. Seed phrases should be written on physical media and stored in secure locations — ideally across multiple geographic sites. Second, multisig wallets should use hardware wallet signers exclusively, ensuring that even if one signer’s credentials are compromised, the attacker cannot unilaterally authorize transactions. Third, organizations should implement strict separation between personal and treasury wallets, with independent key management for each.
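The second principle is easy to state and easy to get wrong in practice: a 2-of-3 multisig is only as strong as the number of distinct places an attacker must break into to collect two keys, and if all three seed phrases sit in the same password manager that number is one. The following is an added example, not code from the article or from Remilia, that makes the check explicit for any signer-to-key-store layout. The setups, signer names and store names are hypothetical and constructed for illustration; the model assumes each signer's key lives in exactly one store and that compromising a store exposes every key in it.

```python
# Hypothetical signer -> key-store layouts (constructed; not the Remilia setup).
# A "store" is wherever the signing key material lives: a password manager
# vault, a hardware wallet, a piece of paper in a safe. Compromising a store
# is assumed to expose every key it holds.
WEAK_SETUP = {
    "threshold": 2,
    "signers": {
        "founder-A": "password-manager-laptop",
        "founder-B": "password-manager-laptop",
        "ops-lead":  "password-manager-laptop",
    },
}

# One hardware signer added, but the other two keys still share a vault.
MIXED_SETUP = {
    "threshold": 2,
    "signers": {
        "founder-A": "hw-wallet-1",
        "founder-B": "password-manager-laptop",
        "ops-lead":  "password-manager-laptop",
    },
}

HARDENED_SETUP = {
    "threshold": 2,
    "signers": {
        "founder-A": "hw-wallet-1",
        "founder-B": "hw-wallet-2",
        "ops-lead":  "hw-wallet-3",
    },
}


def signers_per_store(setup):
    """Group signers by the store that holds their key."""
    by_store = {}
    for signer, store in setup["signers"].items():
        by_store.setdefault(store, set()).add(signer)
    return by_store


def stores_needed_to_sign(setup):
    """Minimum number of distinct key stores an attacker must compromise to
    control `threshold` signers. 1 means a single malware infection is
    enough, as in the incident described above. Because every signer is in
    exactly one store, taking the largest stores first is optimal.
    Returns None if the threshold is unreachable even with every store."""
    threshold = setup["threshold"]
    sizes = sorted((len(s) for s in signers_per_store(setup).values()), reverse=True)
    controlled = 0
    for count, size in enumerate(sizes, start=1):
        controlled += size
        if controlled >= threshold:
            return count
    return None


def single_store_exposure(setup):
    """For each store, how many signers fall if only that store is compromised,
    and whether that alone reaches the signing threshold."""
    threshold = setup["threshold"]
    return {
        store: {"signers_lost": len(members), "reaches_threshold": len(members) >= threshold}
        for store, members in signers_per_store(setup).items()
    }


def independent_signing(setup):
    """True only if no single store compromise can authorize a transaction."""
    return stores_needed_to_sign(setup) is not None and stores_needed_to_sign(setup) > 1


if __name__ == "__main__":
    for name, setup in (("weak", WEAK_SETUP), ("mixed", MIXED_SETUP), ("hardened", HARDENED_SETUP)):
        print(name, "stores needed:", stores_needed_to_sign(setup),
              "independent:", independent_signing(setup))
```

The mixed layout is the instructive one: adding one hardware wallet does nothing for a 2-of-3 while two keys still share the password manager, because that single store already reaches the threshold. The rule that falls out of the model is that the threshold must exceed the number of keys held in any one store, which in practice means one key per hardware signer.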

Lessons Learned

The Remilia hack underscores a sobering reality: as the crypto ecosystem matures and smart contract security improves through rigorous auditing and formal verification, attackers are increasingly pivoting to social engineering and operational security exploits. The attack surface is not limited to code — it extends to the human operators who control that code.

With Bitcoin trading at $68,390 and the broader crypto market capitalization exceeding $2.7 trillion in mid-March 2024, the financial incentives for attackers have never been greater. A single compromised seed phrase can unlock millions of dollars in seconds, and the pseudonymous nature of blockchain transactions makes recovery exceedingly difficult.

This incident also follows a pattern of controversy surrounding the Milady project, including a September 2023 disclosure by Fang that a rogue developer misappropriated $1 million from the treasury, followed by a lawsuit from co-founders alleging misuse of $1.7 million in project funds. These prior incidents raise questions about internal controls and governance that extend beyond the immediate technical vulnerability.

User Action Required

If you hold significant cryptocurrency or NFT assets, take immediate stock of your operational security posture. Move seed phrases out of any digital storage. Ensure that multisig wallets use hardware signers. Consider implementing a geographic key distribution strategy where recovery materials are stored in separate physical locations. And remain skeptical of any unsolicited communications claiming to be from projects you’re invested in — especially in the wake of a publicized breach.

The Remilia Treasury hack is a stark reminder that in crypto, you are your own bank. And that means you are also your own security department.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals before making decisions about digital asset protection.

9 thoughts on “Remilia Treasury Breach: How a Password Manager Compromise Drained $3 Million in Ethereum and NFTs”

1. Putting seed phrases in a password manager connected to the internet is mind blowing. This is day 1 opsec and she ran a major NFT project.

2. 850 ETH gone because of malware on one machine. Multisig means nothing when every key lives in the same compromised app.
