There’s no denying that blockchain is the future of online privacy. While the implementation of this technology varies from the medical field to online tools such as VPNs, cryptocurrency has been the most controversial. More and more people are turning to the Bitcoin phenomenon and relying on cryptography and blockchain’s decentralized technology to store their virtual money in digital wallets protected by the latest encryption standards.
But when it comes to money, there’s no such thing as caring too much; since technology evolves at a fast rate, so do the skills of attackers. The latest menace is the so-called ‘blockchain bandit’, an attacker who has been stealing private Ethereum keys and making millions out of emptying people’s accounts.
Guessing the Unguessable
In an interview to Cointelegraph, Adrian Bednarek, a senior security analyst at the American consulting firm Independent Security Evaluators (ISE), described what he called ethercombing. The technique – which is accurately explained in his report – consists of suboptimal scanning of weaker keys contained in ‘narrowed’ sub-regions of 256-bit keys. He applied this method when investigating the basics of Ethereum private keys such as their length, how they’re generated, and how they’re used to derive the public key and public address, which allowed him to stumble upon the hacker.
What makes an Ethereum private key impossible to guess is, essentially, the random combination of 256-bit numbers. But what if someone used the most basic of all private keys to store their digital money? It sounds silly and astonishingly unsecure but, surprisingly, Bednarek found out that the key composed by the number one after a long string of zeroes was not only being used on the blockchain, but was also involved in thousands of transactions. Just like Bednarek, the hacker had previously guessed and emptied this and other following keys: 02, 03, 04 and so on.
Everything can be hacked nowadays and cryptocurrency wallets are not an exception – which admittedly can sometimes actually be quite beneficial. Given that anyone can know an Ethereum private key, it’s possible to use it and derive the associated public address that it unlocks. In just the same way that the rightful owner can transfer money normally, an attacker who guesses someone else’s key can easily move the funds, too.
ISE then tried a larger scale approach and found 735 other private keys. For security researchers that may be a negligible number compared to the approximately 50 million keys used on the Ethereum blockchain, but in the hands of hackers that already makes for an absurd amount of profit, depending on varying exchange rates and how much digital money each account holds.
In his report, Badnarek explains that the blockchain bandit had taken money from ‘only’ 12 of the 735 keys that the researchers were able to compromise. Nonetheless, a single account held 45,000 ETH alone, worth more than $7.3 million at the time of the theft. The team also concluded that the hacker was using the same ethercombing method since “it’s statistically improbable he would guess those keys by chance”. Moreover, Badnarek performed a series of tests and discovered that the attacker had setup a “blockchain node that is part of the transaction network” to automatically wipe all the money transferred to the compromised keys.
Despite the fact that cryptocurrency safety standards are really high, this unfortunate event is just another example of how nothing is truly safe nowadays. While not a whole lot of people were victims to the blockchain bandit, it’s just a matter of time until something else comes up, possibly with an even worse outcome. It’s important to take preventive rather than combative measures, therefore, not only when it comes to cryptocurrency but in the online world in general. Opting for strong, unguessable passwords should be the first step, while investing in software such as a VPN, password manager, or complete security suites is also advisable.
Best VPN Services of 2020
|Editor's Choice 2020|