‘Blockchain Bandit’: How a Hacker Has Been Stealing Millions Worth of ETH by Guessing Weak Private Keys
An interview with a senior analyst at ISE.
Despite establishing around 700 weak private keys that are being regularly used by multiple people, the researchers found a “blockchain bandit” who has managed to collect almost 45,000 ether (ETH) by successfully guessing those frail private keys. Cointelegraph interviewed Adrian Bednarek, a senior security analyst at ISE, to find out more about what they describe as “ethercombing.”
Research background and chief findings
Bednarek says he discovered the hacker by accident. At the time, he was doing research for a corporate client that planned to implement their own wallet with an integrated key generating algorithm.
“As a security analyst, before you start any assessment, you have to understand the underlying technologies very clearly — basically as if you’re creating them yourself,” he told Cointelegraph.
“Private key generation was one of the components we had to research, and I was going through the basics of what is a private key on Ethereum: How large is it? How is it generated? And how is it used to derive the public key and public address?”
On Ethereum, bitcoin (BTC) or any other major blockchain that supports the ECDSA (Elliptic Curve Digital Signature Algorithm) protocol, private keys are represented by 256-bit numbers. The ISE narrowed it down to eight 32-bit “sub-regions” in the 256-bit key space during their research, because brute forcing a private key within a larger region is meant to be a statistical improbability.
Those eight sub-regions contained an overall amount of 34 billion weaker keys, which the ISE subsequently scanned. “It took an entire day,” Bednarek says.
It is worth stressing that those keys were generated due to a faulty code and faulty random number generators, and the researchers were specifically targeting suboptimal keys.
“Private key is your user ID and your password at the same time,” the security analyst explained while breaking down the basic mechanics. “It’s different than your banking login, where you have your username and a password […] Therefore, when two individual people use the same password for creating a Brainwallet [i.e., wallets that entail passphrases as part of generating private keys] — like ‘password123′ — they will both own the same exact wallet.” As Bednarek puts it, “it’s like linking two people to the same bank account.”
Initially, the ISE specialist found that the private key of “1” *, which was picked because it is the lower bound of a possible private key, was actually being used on the blockchain. Furthermore, it had been involved in several thousand transactions.
* – (0x0000000000000000000000000000000000000000000000000000000000000001, if written using the 256-bit code)
“That was a red flag,” Bednarek recalled. “Why are people using the private key of 1? That shouldn’t be possible.” His team started to scan more keys to see how widespread the problem was. Although the ISE researchers had established that this issue is not particularly omnipresent, they had found as many as 732 weak private keys associated with a total of 49,060 transactions.
“Roughly, there’s about 50 million keys that have been used on [the] Ethereum [blockchain], and we’ve only discovered 732 of those.”
The blockchain bandit
As mentioned above, during their research, the ISE team noticed how some of the wallets associated with the private keys — found with their suboptimal methods — had a lot of transactions going to a specific address, and no money was coming back out. As Bednarek said in an explanatory video posted on the ISE website:
“There was a guy who had an address who was going around and siphoning money from some of the keys we had access to. We found 735 private keys, he happened to take money from 12 of those keys we also had access to. It’s statistically improbable he would guess those keys by chance, so he was probably doing the same thing. […] He was basically stealing funds as soon as they came into people’s wallets.”
In a conversation with Cointelegraph, Bednarek explained that the hacker (or a group of hackers) had set up a node to automatically swipe funds from addresses with weak keys. To verify that, the researchers used a honeypot: They sent a dollar using a weak private key, which they knew the hacker was aware of, to see how fast it would be taken. The money was gone in a matter of seconds, the ISE employee said:
“If it was a manual thing, maybe it would have been taken within a day or whatever. But as soon as we sent it we went on the blockchain explorer, we saw that there was a transfer going out immediately, within seconds. So basically what he [the hacker] has is a blockchain node that is part of the transaction network set up somewhere. As soon as it sees transactions come in with a private key of which he has knowledge of, it immediately sends a request to transfer the money out.”
As per the data obtained from Etherscan, the hacker’s wallet contains around 45,000 ETH (worth more than $7.3 million, as of the time of writing). At the height of ether’s value, it is estimated that the bandit’s loot could have been sold for more than $50 million.
According to the comment section for the fraudster’s wallet address, it had been stealing funds for several years. One of the comments, purportedly submitted by major ETH wallet provider MyEtherWallet (MEW) features a link to a 2016 Reddit thread titled “Ethereum nodes with insecure RPC settings are actively exploited.” In it, a redditor described setting up an Ethereum node “with its HTTP RPC API exposed to the internet” and getting attacked within a few minutes after going live.
“If you google the [hacker’s] address there’s a lot of people complaining about him,” Bednarek confirms, admitting that the fraudster’s tacts have proven to be quite successful:
“This guy has taken a multi-prong approach to stealing money.”
The security analyst then described the fraudster’s method in greater detail: “One — he is looking at bad private keys. Two — he is looking at weak passphrase-based wallets and misconfigured RPCs. You are not really supposed to expose the RPC of your Ethereum node but sometimes people do, and if you don’t have the password set somebody can basically empty out the default wallet associated with your node.”
But such asset-grabbing is not a problem that is exclusive to the Ethereum blockchain, the ISE security researcher warns. “It [the blockchain] is working as intended, it’s just the way people are using it,” he said, describing an ethics-related problem his team faced while doing their research:
“Before we started on this [the research], we had an ethical dilemma — what if we find the wallet with a key that has a million dollar in it? Do we just leave it there? But if we leave it there, we know it’s behind a bad private key and it is likely to get stolen, therefore we would be somewhat responsible this money getting stolen because we could have notified somebody. But then the second problem is who do we notify? There is no easy way to identify the owner of a private key. Maybe we could take the money temporarily until somebody could prove that it was theirs? But then it creates a lot of legal issues. So the CEO of the company [that they were doing the research for] contacted the IFS for legal advice and they basically said: ‘if you find anything, leave it there. Don’t do any transfers. That way you won’t get yourself into any legal hot water.’”
Security advice and further research
Therefore, according to Bednarek, private keys tend to be vulnerable due to two main factors. The first is coding errors in the software responsible for generating them. Secondly, some crypto owners have a tendency to obtain identical private keys through weak passphrases such as “abc123,” or even leaving them blank.
For instance, the ISE report established that one of the most popular weak private keys is the one generated from an empty recovery phrase — i.e., “ ” — using the Parity wallet. There have reportedly been 8,772 transactions on this address with a total of 5,215,586 ETH transferred.
“For a while Parity let you use a default password of nothing and it would generate the private key based on that,” Bednarek explains, adding that the wallet developer allegedly fixed the issue at some point. “I think they have introduced a minimum password requirements [since then]. It might be just a single character, but you can’t use blank passwords on Parity right now if you’re using the latest version of their software.”
No wallet creators have contacted the ISE yet, according to Bednarek:
“That is an interesting issue because it’s hard to say which wallet was responsible, if there was a wallet at all — it could be just people entering the wrong private keys, it could be early debug versions of wallets, it could be developers themselves. It’s a bit hard to say why this exists and which wallet is at fault. It’s something I don’t think we’ll ever know.”
Bednarek’s main advice for those who are not computer-savvy is to use well-known and trusted wallets, possibly moving to hardware or paper-based wallets if large amounts of cryptocurrency are involved. He said:
“If there’s going to be trading or holding of a lot of currency then use a hardware wallet where the private key will never be revealed. A lot of my friends that are long term holders use paper wallets where they generate a random key and store it on paper so it never touches the computer at all.”
Nevertheless, there’s always some risk involved even when it comes to popular software, Bednarek warned, bringing up the example of the Iota wallet being compromised by a developer from Oxford who was arrested and accused of stealing around 10 million euros last month.
Given that the Iota wallet is open-sourced, its code was publicly posted on Github. At some point, the fraudster modified the random number generator by submitting a change to the code.
“That was done in a very obfuscated way,” Bednarek said. “Even though lots of people could review the code,” they just assumed it should work, according to him.
That way, the hacker was able to see how private keys were generated and reproduce them using his injected code, the ISE specialist explained.
“After lots of people lost lots of money, somebody finally reversed-engineered his modifications to the random number generator and they were able to see that he was creating sequential numbers within the specific range of the key space.”
As for the future, the ISE plans to continue monitoring blockchains and weak private keys at a larger scale. “We will move our scanning method to use GPUs where we will be able to scan 38 billion keys within a matter of seconds,” Bednarek told Cointelegraph.
“As we make the scanning more efficient, we’ll be able to do some crazy things like go after brainwallets or other key generation algorithms that might be faulty. So we’ll expand into different areas to identify more keys.”
Moreover, the security research group is going to publish more information — including faulty public keys — for people to do their own research and stay warned of possible security breaches. “Maybe this will turn into a collaborative effort to help finding some of the causes for this,” Bednarek suggested.