"Blockchain Bandit" knows private keys and steals millions in Ethereum

A team of researchers found that criminals have stolen more than $50 million this way, by targeting easy-to-guess keys. It is estimated that at least 750 accounts have been emptied by the attackers.


Last summer, security consultant Adrian Bednarek was speculating about the ways in which criminals steal Ethereum balances. Bednarek was drawn to this cryptocurrency in particular because of its sophisticated complexity and the potential security vulnerabilities that come with it.

Bednarek began with the simplest of questions: what if an Ethereum owner stored their digital money with a private key (the unguessable 78-digit number that protects the currency held at a particular address) whose value was 1?

To Bednarek's surprise, he found that this "simple" key had in fact once held money. A block explorer, in which he checked the transactions executed on Ethereum, confirmed this and showed that the money had already been removed from the corresponding wallet.

At the time, the researcher assumed it was the work of a thief who, long before him, had thought to guess this simple private key just as he had. After all, as with Bitcoin and other cryptocurrencies, anyone who knows an Ethereum private key can use it to derive the associated public address that the key unlocks. The private key then allows them to transfer the money to another address as if they were the legitimate owner.

The beginning of the experiment

This initial discovery piqued Bednarek's curiosity. So he tried several keys in succession: 2, 3, 4 … and a few dozen more, all of which had been emptied in a similar way. So he and his colleagues at the security company Internet Security Assessors (ISE) wrote some code, spun up some cloud servers, and tried a few billion more.

In the course of this process the team made several findings, which it describes in detail in a recently published paper. The research not only found that cryptocurrency users had in recent years stored their balances under hundreds of easy-to-guess private keys, but also uncovered what the team calls the "Blockchain Bandit": an Ethereum account that appears to have siphoned off a total of 45,000 ETH, currently valued at more than $7.8 million, using the same trick of guessing private keys.

On this point, Bednarek states:

"He did the same things we did, but he went beyond. Whoever this guy or these guys are, they spend a lot of time on the computer, sniffing out new wallets, watching each transaction and seeing if they have the key to them."

Needle in a haystack

To understand how the "Blockchain Bandit" operates, it is important to keep in mind that the probability of guessing a randomly generated Ethereum private key is 1 in 2^256. This denominator is very close to the number of atoms in the universe. Bednarek compares guessing a random Ethereum key to picking a grain of sand on a beach, then asking a friend to find the same grain among an infinite number of beaches.

But while examining the Ethereum blockchain, Bednarek found evidence that some people had stored ether with much simpler, easier-to-guess keys. The error is probably the result, he explains, of Ethereum wallets that truncate keys to only a fraction of their expected length because of coding errors, that let inexperienced users choose their own keys, or that even include malicious code which corrupts the randomization process so that the keys are easy for the wallet developer to guess.

Bednarek and his colleagues at ISE ultimately scanned a total of 34,000 million blockchain addresses in search of such weak keys. They called the process "ethercombing", a term that evokes combing a beach for particular grains of sand, applied here to Ethereum.

In the end, the team found 732 easy-to-guess keys that had once held ether but had since been emptied. Although some of these transfers are undoubtedly legitimate, Bednarek estimates that these 732 represent only a small fraction of the total number of weak keys from which ETH has been stolen since the coin's launch in 2015.

One interesting fact Bednarek stressed was that 12 of these addresses seemed to have been emptied by the same person. The funds were transferred to an account that already held 45,000 ether (about $7.7 million at the current exchange rate).

Bandit Racing

Following these findings, Bednarek tried to test the thief. First he put a dollar's worth of ETH into a weak-key address that the thief had previously emptied. Within seconds the money was stolen and transferred to the criminal's account. Then Bednarek put a second dollar into a new weak-key address that had not been used before. It, too, was emptied within seconds. But this time the amount was transferred to an account that held only a few thousand dollars in ether.

In this way Bednarek could verify, by looking at the pending transactions on the Ethereum blockchain, that another, more successful bandit had beaten the first by mere milliseconds. The thieves appeared to have a huge list of pre-generated keys, which they scanned at inhuman speed in a fully automated manner.

In fact, when the researchers analyzed the blockchain history of the criminal's Ethereum account, they found that it had taken in ether from thousands of addresses over the past three years without ever moving any of it out. Bednarek suspects that this was probably automated ethercombing theft. In January 2018, when the price of Ethereum reached its peak, the bandit's account held 38,000 ETH, an amount worth more than $54 million at the time. Over time the price of Ethereum fell, reducing the value of the Blockchain Bandit's holdings by approximately 85%.

On this point, Bednarek remarked ironically:

"Don't you feel bad for him? Here you have a thief who has accumulated all this wealth and then lost it when the market collapsed."

Despite tracking these transfers, Bednarek has no real idea who the Blockchain Bandit might be. "I would not be surprised if he was a state actor like North Korea, but all this is speculation," he says, referring to reports that point to the North Korean government as responsible for stealing more than $500 million in cryptocurrencies in recent years.

Weakness in the keys

Bednarek cannot identify the defective or tampered wallets that make keys easy to break. Instead, he can only see evidence of the weak keys and the thefts.

"We can see people being robbed, but we cannot say which wallets are responsible."

It is not clear, though, whether simple weak-key thefts make up most of the Blockchain Bandit's attacks in particular. The bandit could have used other tricks, such as guessing the passphrases of "brain wallets" (addresses secured with memorable words, which are easier to brute-force than wholly random keys).

A team of cyber security researchers found evidence in 2017 of a total of 2,846 BTC stolen from brain wallets, an amount worth over $17 million at the current exchange rate. At the end of 2015, a single theft from an Ethereum brain wallet led to a loss of 40,000 ETH, a haul nearly as large as the Blockchain Bandit's.

Security advice from the team

The ISE team has not yet managed to repeat its experiment on the Bitcoin blockchain. Bednarek did, however, spot-check about 100 weak Bitcoin keys. The check showed that the contents of the corresponding wallets had also been stolen, though no theft was as large and obvious as that of the Ethereum bandit the team had found. This may mean that, unlike in the case of the Ethereum bandit, competition among Bitcoin thieves is fiercer and more widespread.

Bednarek argues that the lesson of ISE's ethercombing offers valuable advice to wallet developers: they need to check their code carefully for errors that can shorten keys and leave them vulnerable. Consumers, for their part, need to be careful about the wallet they choose.
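A check of the kind this advice to wallet developers points at, as an added example that is not taken from ISE's research or from any wallet's code: it rejects private keys that are out of range or show signs of truncation, and audits a key generator's output in bulk. The two generator functions, the defect labels and the 200-bit threshold are assumptions made for the demonstration.

```python
import secrets

# Order of the secp256k1 group used by Ethereum and Bitcoin;
# a valid private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def key_defects(key: bytes, min_bits: int = 200) -> list[str]:
    """Return the reasons a 32-byte private key should be rejected."""
    if len(key) != 32:
        return ["wrong-length"]
    k = int.from_bytes(key, "big")
    defects = []
    if not 1 <= k < N:
        defects.append("out-of-range")
    # A uniformly random key is shorter than 200 bits with probability 2^-56,
    # so a short value points at truncation or a hand-picked key like 1, 2, 3.
    if k.bit_length() < min_bits:
        defects.append("high-bits-zero")
    if key[-8:] == b"\x00" * 8:
        defects.append("low-bytes-zero")
    if len(set(key)) <= 4:
        defects.append("repeated-bytes")
    return defects

def audit_generator(gen, samples: int = 1000) -> dict[str, int]:
    """Call gen() repeatedly and count each defect seen in its output."""
    counts: dict[str, int] = {}
    for _ in range(samples):
        for defect in key_defects(gen()):
            counts[defect] = counts.get(defect, 0) + 1
    return counts

def good_gen() -> bytes:
    # Hypothetical correct generator: 32 bytes from the OS CSPRNG.
    return secrets.token_bytes(32)

def truncating_gen() -> bytes:
    # Hypothetical buggy generator: only 4 random bytes survive,
    # the remaining 28 bytes are zero padding.
    return secrets.token_bytes(4).rjust(32, b"\x00")

if __name__ == "__main__":
    print("good generator:      ", audit_generator(good_gen))
    print("truncating generator:", audit_generator(truncating_gen))
```

Passing this audit does not show that a generator is random; it only catches the shortened and trivial keys the article describes, so it belongs in a wallet's test suite alongside a review of where the key bytes come from.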

In this regard, Bednarek commented:

"You cannot call support and ask them to cancel a transaction. Once it is done, the funds are lost forever. People need to use secure wallets and download them from a reliable source."

