Blockchainbandit stole $54 million of Ethereum by guessing weak keys

Someone has been quietly pilfering Ethereum (ETH) cryptocurrency worth millions of dollars without anyone noticing or, apparently, caring.

The discovery was made by researchers at Independent Security Evaluators (ISE) who decided to search Ethereum’s blockchain for evidence of a surprisingly simple weakness that might allow criminals to divert funds from user wallets.

Wallets should be protected by a randomly-generated 256-bit private key, which puts the probability of their discovery at around 1 in 2^256, an unimaginably vast number.

Using a computer capable of generating 100 trillion keys per second, brute forcing such an address would take so long that ISE researcher Adrian Bednarek compares it to tossing a grain of sand on a beach and asking someone to find it.

That’s the theory of key generation. But the problem is how the principle appears to have been implemented by fallible software.

What if that key had accidentally been generated with a value of 1? It sounds highly unlikely, but Bednarek’s hunch that this might have happened turned out to be correct. There had once been an Ethereum private key corresponding to this value, as well as many other trivial equivalents.

Querying this with Etherscan.io, which records transactions, Bednarek discovered that this key identified a wallet that had received 592 transactions, and that the currency had been emptied from it as soon as it was received.

Expanding the same principle to look for other simple keys amidst 34 billion addresses, he discovered 732 such keys, responsible for 49,060 transactions dating back to 2015.
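
A wallet-side sanity check for the failure described above, as an added example that is not from the article or from ISE's research: it draws keys from the operating system's CSPRNG and flags keys such as 1 whose effective size makes them enumerable at the article's rate of 100 trillion keys per second. The function names are hypothetical, the 200-bit and distinct-byte thresholds are assumed policy values, and the only outside fact used is the secp256k1 group order that bounds valid Ethereum private keys.

```python
import secrets

# Order of the secp256k1 group; valid Ethereum private keys are 1 .. N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
RATE = 100 * 10**12   # keys per second, the figure quoted in the article
MIN_BITS = 200        # assumed policy threshold, not from the article
MIN_DISTINCT = 5      # assumed policy threshold, not from the article


def generate_key() -> int:
    """Draw a private key uniformly from 1 .. N-1 using the OS CSPRNG."""
    return 1 + secrets.randbelow(SECP256K1_N - 1)


def seconds_to_enumerate(bits: int) -> float:
    """Worst-case time to try every key of up to `bits` bits at RATE."""
    return (2 ** bits) / RATE


def audit_key(key: int) -> list:
    """Return a list of reasons the key should be rejected (empty if none)."""
    if not 1 <= key < SECP256K1_N:
        return ["out of range for secp256k1"]
    findings = []
    bits = key.bit_length()
    if bits < MIN_BITS:
        # A key like 1 sits in a tiny corner of the 2^256 space.
        findings.append(
            f"only {bits} significant bits; "
            f"enumerable in {seconds_to_enumerate(bits):.3g} s"
        )
    if len(set(key.to_bytes(32, "big"))) < MIN_DISTINCT:
        # Catches zero-padded or repeated-byte output from a broken generator.
        findings.append("32-byte encoding has too few distinct byte values")
    return findings


if __name__ == "__main__":
    # Constructed sample keys: the value 1 from the article, a repeated-byte
    # pattern, and a freshly generated key that should pass.
    for label, key in [("one", 1), ("repeated", int("ab" * 32, 16)),
                       ("fresh", generate_key())]:
        print(label, audit_key(key) or "ok")
```
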
