The American company Independent Security Evaluators (ISE) has published a report on private keys for the Ethereum blockchain. A hacker has managed to guess a large number of weak private keys and has stolen 45,000 ether (ETH).
Cointelegraph contacted Adrian Bednarek, senior security analyst at ISE, to learn more about this case.
Bednarek said in the interview that he discovered the hacker's activity by accident, while he was engaged in other research.
"Creating a private key was one of the components we had to research. I was trying to figure out the basics of the private key in Ethereum: How big is it? How is it created? And how is it used to extract the public key and the public address?"
All the major blockchains (e.g. Ethereum, Bitcoin) that support the ECDSA (Elliptic Curve Digital Signature Algorithm) protocol have 256-bit private keys. Guessing such a large key is extremely difficult. For this reason, the researchers at ISE divided the keys into eight 32-bit "sub-domains".
These 8 parts contained a total of 34 billion weak keys, which the researchers scanned. The process took a whole day.
These weak keys were created by defective code.
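An added example, not taken from the ISE report or from this article: a wallet-side check that rejects keys belonging to the weak class described above. It assumes "weak" means that only one of the eight 32-bit words of the key is non-zero; the function names and the truncation bug in `buggy_keygen` are hypothetical illustrations of "defective code".

```python
import secrets

# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def nonzero_words(key: bytes) -> list[int]:
    """Indexes (0 = most significant) of the 32-bit words that are non-zero."""
    if len(key) != 32:
        raise ValueError("private key must be exactly 32 bytes")
    return [i for i in range(8) if any(key[4 * i:4 * i + 4])]


def classify_key(key: bytes) -> str:
    """Return 'invalid', 'weak' or 'ok' for a candidate private key."""
    words = nonzero_words(key)          # also validates the length
    k = int.from_bytes(key, "big")
    if not 1 <= k < SECP256K1_N:
        return "invalid"
    # Assumed weakness criterion: all entropy sits in one 32-bit sub-region,
    # so the key is one of only 8 * 2**32 (about 34 billion) candidates.
    if len(words) == 1:
        return "weak"
    return "ok"


def buggy_keygen(rand256: int) -> bytes:
    """Hypothetical defect: a 256-bit random value is truncated to 32 bits."""
    return (rand256 & 0xFFFFFFFF).to_bytes(32, "big")


def safe_keygen() -> bytes:
    """Draw 32 bytes from the OS CSPRNG and reject weak or invalid results."""
    while True:
        key = secrets.token_bytes(32)
        if classify_key(key) == "ok":
            return key


if __name__ == "__main__":
    # Constructed sample value standing in for the output of a good RNG.
    constructed = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    print("truncated key:", classify_key(buggy_keygen(constructed)))
    print("CSPRNG key:   ", classify_key(safe_keygen()))
```

The same `classify_key` check can be run when importing an existing key, so that a key produced by a defective generator is flagged before funds are sent to its address.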
The private key works as both the username and the password; the two are not separate. So if two people use the same password to create a Brainwallet (that is, a wallet whose private key is created from a password), both will have exactly the same wallet. It is somewhat like two people having the same bank account.
Researchers found 732 weak private keys, which were linked to 49,060 transactions.
Bednarek says there are approximately 50 million keys in the Ethereum blockchain. His team managed to discover only 732.
Researchers observed how wallets are attached to private keys, and they noticed that many transactions were made to a particular address, but that money was never returned from that address.
The hacker was taking money from 12 of the keys that the research team had access to. Apparently the hacker was doing the same thing as the researchers, because guessing those keys by chance is statistically impossible. So he stole users' funds as soon as they arrived in their wallets.
The investigator found that the hacker had set up a node so that money arriving at addresses with weak keys would be transferred automatically to his address. To confirm this, the researchers used a honeypot: they sent a dollar to an address with a weak key that they knew the hacker also knew. They wanted to see how long it would take for the money to be transferred to his address. It took only a few seconds, which means the process is automated. As soon as money enters an address that the hacker knows is protected by a weak key, he immediately sends a transfer request.
According to the data, the hacker holds about 45,000 ETH, corresponding to 7.3 million dollars.
This particular hacker has been stealing money for several years. Many people have complained and reported thefts that appear to be related to him.
The researcher admits that the actor's techniques are always successful.
"This guy has taken a multi-level approach to stealing money."
The hacker searches carefully for wallets that have weak private keys or RPCs that are not properly configured. He can then exploit these weaknesses and steal the money from the victim's wallet.
Such thefts are not limited to the Ethereum blockchain. The problem the researchers faced is that they wanted to inform the address owners so that they would be more careful. However, this is not feasible, because it is not easy to establish an owner's identity.
So Bednarek contacted IFS for legal advice. They replied: "If you find something, leave it there. Do not make any transfers. That way you will not get yourself in trouble."
Bednarek says there are two main reasons that private keys are vulnerable. The first reason is that there are bugs in the software that creates them. The second reason is that many users use easy and predictable phrases for their keys.
Bednarek advises users to use well-known and reliable wallets, or to prefer hardware and paper wallets, especially if they hold large amounts of cryptocurrency. A hardware wallet ensures that the key is never revealed, while a paper wallet keeps a random code on paper with no connection to a computer, so it cannot be attacked.
However, even the most popular software is not absolutely safe. For example, the Iota wallet was compromised by a developer, who was arrested after being charged with the theft of 10 million dollars.
ISE will continue to monitor blockchains and weak private keys. Bednarek said they are planning to use GPUs that will allow them to scan 38 billion keys in a matter of seconds.
With more effective scanning, they can expand the search into more areas.
Finally, researchers are planning to publish some information that will help cryptocurrency users to be aware of possible attacks and to do their own research. Perhaps the cooperation of users and experts may be more effective in dealing with the situation.