Comments

Petre Peter April 29, 2019 8:57 AM

Nation-states acting like bandits-i am scared why this is even a speculation. They were supposed to be the ones protecting us from bandits.

Humdee April 29, 2019 9:47 AM

This is a longstanding conumdrum. Strong passwords provide improved security but also serve as a barrier to entry. Research the history of why your bank card has a four digit pin.

Bandits? or a lazy person’s tax?

Leonardo Herrera April 29, 2019 9:53 AM

I guess there is a tutorial around on how to generate keys with a flawed software. Perhaps the attack started at writing such software and tutorial in the first place.

SpaceLifeForm April 29, 2019 12:57 PM

The weak keys may be intentional.

Money laundering. Though, it appears that the stolen coin was not spent in some cases, which is weird. Though, even if not spent, does not preclude laundering.

Otherwise, I would suspect crap hash, crap Random, or as noted, really crap code.

Sok Puppette April 29, 2019 2:01 PM

“Stealing”? The whole ethos of cryptocurrency is that whoever knows the key controls the cash.

Code is law, Baby.

Jon April 29, 2019 4:47 PM

I’m with SpaceLifeForm: Deliberately generated.

Note that this is a hypothesis, with no evidence whatsoever at this time.

Then one sells something online for Ethereum, claims the Ethereum was stolen (which it was, by the seller or their agent(s)), and refuses to ship the goods*. Straightforward and profitable. For awhile.

That some stolen coin wasn’t spent shows poor organization – something you would expect from a large number of small-time operators. And guessing a key is not difficult at all – if you already know what the key is! Making the key simple provides plausible deniability.

J.

  • Being a scam, there probably aren’t any goods to start with, but faking up online ads is trivial… J.

Thunderbird April 29, 2019 6:00 PM

The notion the weak keys are for money laundering is interesting, but I don’t see the advantage of exposing your money to theft. You get no cleaner laundry if you don’t allow anyone to steal it (by generating a real key), and–as the authors note–if you post some coin to one of these weak keys, it is immediately hoovered up by thieves.

It seems more plausible that someone had the idea long ago that bad keys would be generated by buggy software (possibly software they were responsible for creating) and started collecting “contributions” from generous donors.

The flaw in this is the account that has millions of dollars of coin in it. Why in the world wouldn’t you take the value out in case someone decides to do another fork to chisel you out of your hard-stolen millions?

Dennis April 30, 2019 4:07 AM

This is pretty much akin to the goold ol’ robber barons days. Money is subject to be stolen if the perpetrators know their ways around the system. The only difference is you are protected up to a miniscule amount by your fellow risk bearers thru some form of public insurance policy.

Ergo Sum April 30, 2019 6:33 AM

This… from the Wired article:

Bednarek tried putting a dollar’s worth of ether into a weak key address that the thief had previously emptied. Within seconds, it was snatched up and transferred to the bandit’s account. Bednarek then tried putting a dollar into a new, previously unused weak key address. It, too, was emptied in seconds, this time transferred into an account that held just a few thousand dollars worth of ether. But Bednarek could see in the pending transactions on the Ethereum blockchain that the more successful ether bandit had attempted to grab it as well. Someone had beaten him to it by mere milliseconds. The thieves seemed to have a vast, pre-generated list of keys, and were scanning them with inhuman, automated speed.

Seemingly, some of the ether bandit do cash out, while the more successful one lost the private key and unable to cash out. That’s possible, if the ether bandit in question has quite a few accounts that monitors weak key and transfer the funds.

Maybe there’s a “Etherum Rainbow Table” for weak keys that had been identified by a number of ether bandits in previous scans of the existing keys. Any new keys are also checked against this “Etherum Rainbow Table” and the account is emptied, if and when match has been found.

My question is… Why these ether bandits are allowed to monitor Etherum accounts in real-time? Wouldn’t that be detectable from the, for lack of better word, in the system logs? It would not be hard identifying the ether bandits’ accounts and shut them down.

Certainly, there seems to be a flaw in the Etherum key generation and/or the software managing these keys, be that intentional or unintentional. If it’s the former, the developer in question has retired and probably receiving a substantial “royalties” from the ether bandits…

ATN April 30, 2019 7:52 AM

The problem might be more complex/hidden than simple random keys like the random number 4: https://xkcd.com/221/
The problem might be that multiple secret keys unlock the same wallet, so you can’t see yourself you have a bad secret key – yours look fine.
Would be a very bad bug, or very engineered one.
Maybe Etherum wallet do not shows you your secret key? I would not know, I do not have such a wallet.

@Ergo Sum: My question is… Why these ether bandits are allowed to monitor Etherum accounts in real-time?

Obviously with crypto currencies every transaction can be monitored in real time, so that you know who can pay you with “coins” they really have and have still not spent. A wallet is the list of all transactions since the creation of the “currency”, “coins” are only ever only created by “mining” (so that nobody can appear with millions of valid coins, unknown beforehand).
A new wallet with no transaction whatsoever is perfectly safe, but not really useful because they are created with zero coins.

So, once you have created a new wallet, you must check the full cryptocoin history to see if there are already transactions on this new wallet… And with bitcoin history at 270 Gigabytes it will take few days or even weeks with a good internet connection to validate your wallet – but that is not something you should bypass if you want to trust it to hold your hardly earned real money.

moz April 30, 2019 11:07 AM

I am going with the theory that this is an organised crime / nation state / serious crypto expert (with large compute resources) attack based on malware. It’s a really nice back channel that gets money back to somewhere without any real visible connection between origin and destination and no need for the centralised servers that gave away the Chinese hacking groups.

My guess on the address that collects, but doesn’t spend money, is some large law enforcement or security team (NSA? GCHQ?) that can’t spend the money due to their own laws, but is gathering it to stop the original attacker from getting it.

Why not use better pseudo-random private keys? Probably they do, but the original attacker was assuming that once the attack is discovered the counter-attackers get the key generation code extracted from the malware so no benefit in giving away more code.

1&1~=Umm April 30, 2019 11:20 AM

@Leonardo Herrera:

“I guess there is a tutorial around on how to generate keys with a flawed software.”

It might not be applicable to this particular attack. But have a look at the work of Adam Young and Moti Yung on kleptography (key stealing) in this overview,

https://scl.uconn.edu/courses/ece4451/yung.pdf

Also their book on cryptovirology which covers not just kleptography but a whole lot more,

Malicious Cryptography: Exposing Cryptovirology, ISBN-13 978-0764549755.

https://www.amazon.com/Malicious-Cryptography-Cryptovirology-Adam-Young/dp/0764549758

And their website,

https://www.cryptovirology.com/

Which has PDFs of chapters for a more advanced and uptodate book, and C source code.

Thunderbird May 2, 2019 2:58 PM

I see that “John”‘s comment above is also link spam, though at least they went to the trouble to make a comment that appears tangentially related to the subject…

Dennis James June 19, 2019 9:11 AM

Cyber investigators can use due diligence investigations,asset searches,surveillance,witness location, and computer investigations to uncover the sometimes complicated details of company management. These investigations can be a big help in the recovery of asset lost to this fraud,or to their lawsuit cases.

I lost about $100,000 to a woman I met online when trying to invest in HYIP platforms. I was so close to ending my life when I discovers it was all a scam.
I’m posting this here because I have been able to recover all the money that was stolen from me and more with the help of a

recovery agent. If you’ve ever been scammed by binary options or any other fake ICO then you can reach out to them:
Quickfundsrecovery at gmail com
Text: +1(262)872-0558

David October 22, 2019 2:49 PM

This is a very informative post that got me thinking..
Do you guys think the CIA or the US government could possibly push forward the cryptocurrency initiative?
Since there’s no way to truly regulate this currency and the cap hitting what, 18k a few years ago, wouldn’t you think the government would want to get in on that?
I run a local towing company during the day but I’m always looking to expand my portfolio and bring in more money. However, I don’t see the long term viability of this cryptocurrency as the bubble will eventually pop..
What do you think?

Brad May 16, 2020 3:36 PM

I invested a massive chunk of my capital and savings into the care of this unregulated broker CryptoNXT who vividly convinced me into investing more over time. I was told pulling out of the investment is easy and I could make withdrawals. They kept asking for more funds, while using charges and taxes as an excuse. This kept going on for weeks, I couldn’t stop because I’d invested over $120,000.
Later I informed my spouse about what I did with all the money. Then, we started to research on how to recover the funds. We found ” r e c o v e r y e m p i  r e . c o m “, a wealth recovery firm that took up our the case. With no further hassle, we were able to recoup 95% of the funds. Thanks to the recoveryempire’s team

miiguelethan May 25, 2020 1:02 PM

Do not even think of investing your hard earned money with CRYPONXT & CRYPTEC. They have no empathy whilst perpetuating their evil acts and they will do all in their wherewithal to milk you asking for payment after payment to process your withdrawal requests and each time you make payment they come up with another reason to ask for more payment. Timothy Miller is a fraud and a dubious soul. I have a cumulative sum of one hundred and six thousand Euro equivalent to eight million Croatian kuna lost to these dingbats. I later found out from the international recovery firm that helped repatriate my lost capital and a significant portion of my ROI(contact recoverywealthnow360 at g mail d o t c o m ) that I was only shown simulated trades. Timothy Miller played me smooth and I feel really retarded for falling prey to these dubious elements. The FBI should be on them by now as I know for a fact that they have swindled hundreds of naive victims. Your end is near. Do well and refund all the monies you stolen from people who haven’t been able to repatriate their funds from you dishonest souls. I bet these evil perpetrators are somewhere popping bottles champagne with their illicitly gotten wealth right now. Stay circumspect and do not suffer in silence.

HenrySimmens September 3, 2020 11:52 AM

The myth about internet security has been debunked again. Anyway, as primexbt user and trader, I think that crypto is still the safest one. At least, I hope so.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.