Stealing Ethereum by Guessing Weak Private Keys

Someone is stealing millions of dollars worth of Ethereum by guessing users' private keys. Normally this should be impossible, but lots of keys seem to be very weak. Researchers are unsure how those weak keys are being generated and used.

Their paper is here.

Posted on April 29, 2019 at 6:39 AM • 15 Comments

Comments

Petre Peter April 29, 2019 8:57 AM

Nation-states acting like bandits - I am scared why this is even a speculation. They were supposed to be the ones protecting us from bandits.

Humdee April 29, 2019 9:47 AM

This is a longstanding conundrum. Strong passwords provide improved security but also serve as a barrier to entry. Research the history of why your bank card has a four digit pin.

Bandits? or a lazy person's tax?

Leonardo Herrera April 29, 2019 9:53 AM

I guess there is a tutorial around on how to generate keys with a flawed software. Perhaps the attack started at writing such software and tutorial in the first place.

SpaceLifeForm April 29, 2019 12:57 PM

The weak keys may be intentional.

Money laundering. Though, it appears that the stolen coin was not spent in some cases, which is weird. Though, even if not spent, does not preclude laundering.

Otherwise, I would suspect crap hash, crap Random, or as noted, really crap code.

Sok Puppette April 29, 2019 2:01 PM

"Stealing"? The whole ethos of cryptocurrency is that whoever knows the key controls the cash.

Code is law, Baby.

Jon April 29, 2019 4:47 PM

I'm with SpaceLifeForm: Deliberately generated.

Note that this is a hypothesis, with no evidence whatsoever at this time.

Then one sells something online for Ethereum, claims the Ethereum was stolen (which it was, by the seller or their agent(s)), and refuses to ship the goods*. Straightforward and profitable. For a while.

That some stolen coin wasn't spent shows poor organization - something you would expect from a large number of small-time operators. And guessing a key is not difficult at all - if you already know what the key is! Making the key simple provides plausible deniability.

J.

* Being a scam, there probably aren't any goods to start with, but faking up online ads is trivial... J.

Thunderbird April 29, 2019 6:00 PM

The notion the weak keys are for money laundering is interesting, but I don't see the advantage of exposing your money to theft. You get no cleaner laundry if you don't allow anyone to steal it (by generating a real key), and--as the authors note--if you post some coin to one of these weak keys, it is immediately hoovered up by thieves.

It seems more plausible that someone had the idea long ago that bad keys would be generated by buggy software (possibly software they were responsible for creating) and started collecting "contributions" from generous donors.

The flaw in this is the account that has millions of dollars of coin in it. Why in the world wouldn't you take the value out in case someone decides to do another fork to chisel you out of your hard-stolen millions?

Dennis April 30, 2019 4:07 AM

This is pretty much akin to the good ol' robber barons days. Money is subject to be stolen if the perpetrators know their ways around the system. The only difference is you are protected up to a minuscule amount by your fellow risk bearers thru some form of public insurance policy.

Ergo Sum April 30, 2019 6:33 AM

This... from the Wired article:

Bednarek tried putting a dollar's worth of ether into a weak key address that the thief had previously emptied. Within seconds, it was snatched up and transferred to the bandit's account. Bednarek then tried putting a dollar into a new, previously unused weak key address. It, too, was emptied in seconds, this time transferred into an account that held just a few thousand dollars worth of ether. But Bednarek could see in the pending transactions on the Ethereum blockchain that the more successful ether bandit had attempted to grab it as well. Someone had beaten him to it by mere milliseconds. The thieves seemed to have a vast, pre-generated list of keys, and were scanning them with inhuman, automated speed.

Seemingly, some of the ether bandits do cash out, while the more successful one lost the private key and is unable to cash out. That's possible, if the ether bandit in question has quite a few accounts that monitor weak keys and transfer the funds.

Maybe there's an "Ethereum Rainbow Table" for weak keys that had been identified by a number of ether bandits in previous scans of the existing keys. Any new keys are also checked against this "Ethereum Rainbow Table" and the account is emptied, if and when a match has been found.

My question is... Why are these ether bandits allowed to monitor Ethereum accounts in real-time? Wouldn't that be detectable from the, for lack of a better word, system logs? It would not be hard to identify the ether bandits' accounts and shut them down.

Certainly, there seems to be a flaw in the Ethereum key generation and/or the software managing these keys, be that intentional or unintentional. If it's the former, the developer in question has retired and is probably receiving substantial "royalties" from the ether bandits...

ATN April 30, 2019 7:52 AM

The problem might be more complex/hidden than simple random keys like the random number 4: https://xkcd.com/221/
The problem might be that multiple secret keys unlock the same wallet, so you can't see for yourself that you have a bad secret key - yours looks fine.
Would be a very bad bug, or a very engineered one.
Maybe Ethereum wallets do not show you your secret key? I would not know, I do not have such a wallet.

@Ergo Sum: My question is... Why are these ether bandits allowed to monitor Ethereum accounts in real-time?

Obviously with crypto currencies every transaction can be monitored in real time, so that you know who can pay you with "coins" they really have and have still not spent. A wallet is the list of all transactions since the creation of the "currency", "coins" are only ever created by "mining" (so that nobody can appear with millions of valid coins, unknown beforehand).
A new wallet with no transaction whatsoever is perfectly safe, but not really useful because they are created with zero coins.

So, once you have created a new wallet, you must check the full cryptocoin history to see if there are already transactions on this new wallet... And with bitcoin history at 270 Gigabytes it will take a few days or even weeks with a good internet connection to validate your wallet - but that is not something you should bypass if you want to trust it to hold your hard-earned real money.

moz April 30, 2019 11:07 AM

I am going with the theory that this is an organised crime / nation state / serious crypto expert (with large compute resources) attack based on malware. It's a really nice back channel that gets money back to somewhere without any real visible connection between origin and destination and no need for the centralised servers that gave away the Chinese hacking groups.

My guess on the address that collects, but doesn't spend money, is some large law enforcement or security team (NSA? GCHQ?) that can't spend the money due to their own laws, but is gathering it to stop the original attacker from getting it.

Why not use better pseudo-random private keys? Probably they do, but the original attacker was assuming that once the attack is discovered the counter-attackers get the key generation code extracted from the malware so no benefit in giving away more code.

1&1~=Umm April 30, 2019 11:20 AM

@Leonardo Herrera:

"I guess there is a tutorial around on how to generate keys with a flawed software."

It might not be applicable to this particular attack. But have a look at the work of Adam Young and Moti Yung on kleptography (key stealing) in this overview,

https://scl.uconn.edu/courses/ece4451/yung.pdf

Also their book on cryptovirology which covers not just kleptography but a whole lot more,

Malicious Cryptography: Exposing Cryptovirology, ISBN-13 978-0764549755.

https://www.amazon.com/Malicious-Cryptography-Cryptovirology-Adam-Young/dp/0764549758

And their website,

https://www.cryptovirology.com/

Which has PDFs of chapters for a more advanced and up-to-date book, and C source code.

Thunderbird May 2, 2019 2:58 PM

I see that "John"'s comment above is also link spam, though at least they went to the trouble to make a comment that appears tangentially related to the subject...

