Free money: how a hacker earned millions of dollars by finding weak private keys

Last week the consulting firm Independent Security Evaluators (ISE) published a study of private keys on the Ethereum blockchain. In the course of the work its analysts discovered a "blockchain bandit" who has stolen more than 45 thousand ETH by enumerating simple key values. ISE chief analyst Adrian Bednarek told Cointelegraph about the issue.

How it all began

Bednarek found the hacker by accident. Before that he had been doing research commissioned by a corporate client that wanted to develop its own wallet with a built-in key generation algorithm.

In Ethereum, Bitcoin or any other blockchain that uses the Elliptic Curve Digital Signature Algorithm (ECDSA), a private key is a 256-bit integer. Brute-forcing the whole 256-bit keyspace is practically impossible, so ISE's analysts split the key into eight 32-bit "sub-regions" and enumerated every value of each sub-region while the remaining bits stayed zero, deriving the address for every candidate key and checking whether it had ever been used on chain.

Across the eight sub-regions that amounts to roughly 34 billion (8 x 2^32) candidate keys. According to Bednarek, the scan took about a day. Keys like these, he notes, are the product of defective key generation code rather than of chance.

The private key is your ID and your passport. It is not like the banking system, where each user is issued a username and a password.

Another interesting fact: the private key "1" is already in use on the Ethereum blockchain. Moreover, it appears in several thousand transactions.

Written out as a 256-bit value, that key looks like this: 0x0000000000000000000000000000000000000000000000000000000000000001.

Bednarek says this is a big problem.

Why do people use this key? It’s impossible.

Source: Wired

The ISE team then examined the blockchain in more detail to find further weak keys. They detected at least 735 weak keys, associated with 49,060 transactions.

The bandit on the blockchain

Notably, the wallets belonging to most of these weak private keys show outgoing transactions that lead to a narrow range of addresses.

Someone had simply sucked the money out of the keys we managed to discover. Of the 735 private keys we found, he had access to 12. The scammer couldn't just guess the combinations; he was doing the same things we were. He pulled the money out of the wallets as soon as it arrived.

The experts found that the hacker (or hacker group) has set up a node that drains such wallets automatically. To test this, the analysts sent one dollar's worth of ether to an address whose weak private key they knew. The coins disappeared from that wallet within seconds.

According to Etherscan, the bandit's wallet holds about 45,000 ETH, roughly $7.3 million at today's exchange rate. At Ethereum's all-time high the hacker would have held more than $50 million.

Incidentally, the bandit's address carries many comments from victims. Apparently the criminal has been running this operation with impunity for several years. One of the comments links to an old Reddit thread from 2016, whose author described being "robbed" just a few minutes after launching his own node.

Related: Ethereum nodes with insecure RPC settings are being actively exploited.

The analysts studied the hacker's methods further.

First, he looks for weak private keys. Second, he looks for wallets derived from weak passphrases and for nodes with a misconfigured RPC interface: a node whose JSON-RPC port is reachable from the internet while an account is unlocked will sign and send transactions for anyone who asks.

The problem, as always, lies in the human factor. Even ISE's experts faced "moral difficulties" during the study.

Before starting the work we had an ethical dilemma: what if we find the key to a wallet with millions of dollars? Do we just leave it as is? But if we do, hackers will sooner or later get to the money.

But whom can we warn of the danger? Finding the owner of a private key is difficult. Perhaps we could take the money into safekeeping until someone proves ownership? Such a scenario could cause a lot of legal problems.

Security measures

Bednarek identifies two reasons why private keys can be weak. The first is a bug in the software that generates the key. The second is that several users may end up with the identical key because they derived it from a weak passphrase (for example "abc123"), so whoever enumerates common passphrases ends up holding the same key.
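Both weak-key sources in the article, the 32-bit sub-region scan described under "How it all began" and the weak-passphrase keys named here, can be reproduced on a small scale with the script below. It is an added example written for this page, not ISE's scanner or any code from the article. It implements Keccak-256 and secp256k1 in pure Python so that it runs offline, derives the Ethereum address of each candidate key, and looks the address up in a set of "funded" addresses that is constructed inline for the demonstration. Two things are assumptions rather than facts from the article: the brain-wallet derivation (private key = SHA-256 of the passphrase, one common convention), and the `max_value` cap on how many values per 32-bit lane are tried, which stands in for the full 2^32 that ISE enumerated.

```python
"""Weak Ethereum private-key scan (added example; not ISE's code).

Pure Python Keccak-256 + secp256k1 so it runs offline. Candidate keys come from
(a) one 32-bit lane of the 256-bit key set to 1..max_value, all other bits zero
    (the sub-region pattern from the article, truncated to a few values per lane), and
(b) an assumed brain-wallet scheme: key = SHA-256(passphrase).
"""
import hashlib

# ---- Keccak-256 as used by Ethereum (original Keccak padding 0x01, rate 136 bytes) ----
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]   # rho offsets, indexed [x][y]
_M64 = (1 << 64) - 1


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _M64 if n else v


def _keccak_f(a):
    """Keccak-f[1600] on a 5x5 lane matrix a[x][y] of 64-bit ints."""
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):                                                      # rho + pi
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])               # chi
              for y in range(5)] for x in range(5)]
        a[0][0] ^= rc                                                           # iota
    return a


def keccak256(data: bytes) -> bytes:
    rate = 136
    msg = bytearray(data) + b"\x01"               # pad10*1 with Keccak's 0x01 domain byte
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), rate):          # absorb one 136-byte block at a time
        for i in range(rate // 8):
            a[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))  # squeeze 32 bytes


# ---- secp256k1 (affine coordinates; None is the point at infinity) ----
_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _ec_add(p, q):
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % _P == 0:
            return None                                    # P + (-P)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P       # tangent slope (a = 0 on secp256k1)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % _P, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P


def _ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant time; scanning only)."""
    r = None
    while k:
        if k & 1:
            r = _ec_add(r, p)
        p = _ec_add(p, p)
        k >>= 1
    return r


def address_of(priv: int) -> str:
    """Ethereum address: low 20 bytes of Keccak-256(uncompressed pubkey X||Y)."""
    if not 0 < priv < _N:
        raise ValueError("private key out of range")
    x, y = _ec_mul(priv, _G)
    return "0x" + keccak256(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[-20:].hex()


def subregion_candidates(max_value: int):
    """One 32-bit lane set to 1..max_value, other 224 bits zero. ISE ran 2**32 per lane."""
    for lane in range(8):
        for v in range(1, max_value + 1):
            yield v << (32 * lane)


def brainwallet_key(passphrase: str) -> int:
    """ASSUMED brain-wallet convention: SHA-256(passphrase) as the private key."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")


def scan(funded: set, max_value: int = 16, passphrases=()):
    """Return {address: private_key} for every candidate whose address is in `funded`."""
    candidates = list(subregion_candidates(max_value)) + [brainwallet_key(p) for p in passphrases]
    return {address_of(k): k for k in candidates if address_of(k) in funded}


if __name__ == "__main__":
    # Constructed demo set: pretend the chain holds funds at the addresses of key 1,
    # key 1<<96 (lane 3) and the "abc123" brain wallet. Real scans use an address set
    # pulled from the blockchain instead.
    demo_funded = {address_of(1), address_of(1 << 96), address_of(brainwallet_key("abc123"))}
    for addr, key in scan(demo_funded, max_value=8, passphrases=["abc123", "password"]).items():
        print(f"{addr} <- private key 0x{key:064x}")
```

The scan is deliberately tiny (8 lanes x `max_value` keys plus two passphrases), because pure-Python point multiplication costs milliseconds per key; the real exercise needs a native secp256k1 library and an index of used addresses, but the logic, derive address and look it up, is the same. The address printed for key 1 is the one the article refers to when it says private key "1" appears in thousands of transactions.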

According to the analyst, no wallet development team has contacted ISE so far.

This is interesting, since it is hard to identify which wallet makers are responsible. Perhaps it is simply the fault of users who are careless about the safety of their own money.

For those who are not well versed in the technology and just want to keep their funds safe, Bednarek recommends hardware wallets, especially when large amounts of cryptocurrency are involved.
