Today a newly active block producer (BP), HashFin, failed to update its EOS account blacklist on the mainnet. As a result, the frozen account "craigspys211" was able to transfer 199,999 EOS to the account "eosusswallet", bypassing the BPs' blacklist.
The blacklist is a list of EOS accounts that every active block producer must keep up to date in its own node configuration. It is used to freeze hacked accounts so that they cannot make transactions, in order to protect the token holders. Because each BP enforces its own copy, the freeze only holds if every producer in the schedule carries the entry: a transaction from a frozen account needs to reach just one producer whose list is missing it.
After this transaction, some of the active block producers promptly blacklisted the receiving account as well. However, the attacker quickly spread the funds across various EOS accounts so that the BPs could not freeze them all in time. At the time of writing, the funds appear to have already been moved to an exchange.
A similar incident also occurred on February 22, 2019, when the block producer game.eos had not updated its blacklist, allowing a frozen account to transfer 2.09 million EOS.
Already at that time, BPs had proposed replacing the blacklist with a multisig-based system that does not require a separate configuration on each BP's node and that is already in use on BOS.
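The following is an added example, not code from the original article or from any block producer's tooling. It models the mechanism the two incidents above depend on, using Python. In nodeos the blacklist is configured with `actor-blacklist = <account>` lines in config.ini, one line per account; the producer names, config.ini fragments and canonical list below are constructed for the illustration. The model is deliberately simplified: the producer building a block consults only its own list, and a block that already contains the transfer is accepted by the others as-is. `blacklist_drift` is the check an operator would want to run before a node enters the active schedule, and `simulate_round` contrasts per-producer lists with the single shared list that the multisig proposal amounts to.

```python
"""Per-producer actor blacklisting, modelled on the EOS incident above.

Added example; names and config fragments are constructed, not taken
from any real BP. The real nodeos option is `actor-blacklist = <account>`
in config.ini, repeated once per account.
"""
from typing import Dict, List, Optional, Set

# Constructed canonical list that every active producer is expected to carry.
# "craigspys211" is the account named in the article; the others are made up.
CANONICAL_BLACKLIST: Set[str] = {"craigspys211", "frozenacct11", "frozenacct22"}

# Constructed config.ini fragments for a three-producer schedule. "hashfin"
# is missing the newest entry, which is the failure mode the article describes.
PRODUCER_CONFIGS: Dict[str, str] = {
    "bp.alpha": (
        "producer-name = bp.alpha\n"
        "actor-blacklist = craigspys211\n"
        "actor-blacklist = frozenacct11\n"
        "actor-blacklist = frozenacct22\n"
    ),
    "bp.beta": (
        "producer-name = bp.beta\n"
        "# blacklist synced 2019-02-22\n"
        "actor-blacklist = craigspys211\n"
        "actor-blacklist = frozenacct11\n"
        "actor-blacklist = frozenacct22\n"
    ),
    "hashfin": (
        "producer-name = hashfin\n"
        "actor-blacklist = frozenacct11\n"
        "actor-blacklist = frozenacct22\n"
    ),
}


def parse_actor_blacklist(config_text: str) -> Set[str]:
    """Collect the accounts given on `actor-blacklist = ...` lines.

    Comments (`#`) and unrelated keys are ignored, as nodeos would.
    """
    accounts: Set[str] = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "actor-blacklist" and value.strip():
            accounts.add(value.strip())
    return accounts


def blacklist_drift(configs: Dict[str, str], canonical: Set[str]) -> Dict[str, Set[str]]:
    """Map each producer to the canonical entries its config is missing.

    A non-empty set for any producer means the freeze is not enforced
    network-wide, regardless of how many other producers are up to date.
    """
    return {name: canonical - parse_actor_blacklist(cfg) for name, cfg in configs.items()}


def simulate_round(
    configs: Dict[str, str],
    actor: str,
    shared_list: Optional[Set[str]] = None,
) -> List[str]:
    """Return the producers in whose slot a transfer from `actor` gets included.

    Per-producer mode: each slot applies that producer's own parsed list.
    Shared-list mode (multisig-style proposal): every slot applies the same
    list, so the outcome no longer depends on who holds the slot.
    """
    included: List[str] = []
    for producer, cfg in configs.items():
        effective = shared_list if shared_list is not None else parse_actor_blacklist(cfg)
        if actor not in effective:
            included.append(producer)
    return included


if __name__ == "__main__":
    for producer, missing in blacklist_drift(PRODUCER_CONFIGS, CANONICAL_BLACKLIST).items():
        print(f"{producer}: missing {sorted(missing) if missing else 'nothing'}")
    print("per-producer lists, slots that include the transfer:",
          simulate_round(PRODUCER_CONFIGS, "craigspys211"))
    print("shared list, slots that include the transfer:",
          simulate_round(PRODUCER_CONFIGS, "craigspys211", shared_list=CANONICAL_BLACKLIST))
```

Run stand-alone, the drift check flags only `hashfin`, and the per-producer simulation shows the transfer landing in exactly that producer's slot, while the shared-list run includes it nowhere. The practical takeaway is that the drift check belongs in a BP's pre-activation and ongoing monitoring, since a single stale node is enough to defeat the freeze.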
Message from HashFin:
*"HashFin entered EOS Top today. Due to our negligence in work, craigspys211, a frozen account, successfully transferred 199990.0000 EOS to the eosusswallet account when we went out of a package deal. https://eosflare.io/account/craigspys211
We have urgently updated the blacklist, and monitored that the money transferred from the account has only been transferred to the eosusswallet. At present, the eosusswallet has been added to the blacklist of our nodes. According to the detection, the EOS of the eosusswallet account has not been transferred. I hope you can cooperate with the freezing of the eosusswallet account urgently.
Next, we will monitor in real time and apologize for HashFin's negligence."*
Blacklisted account: https://www.eosx.io/account/craigspys211