Apr 24, 2019 12:00 UTC
Apr 24, 2019 at 12:26 UTC
Thief Made Off With Millions in Ethereum Just by Guessing People’s Passwords
Have a weak password? You’ve got a problem, then!
One cryptocurrency thief recently stole millions in Ethereum, a theft that security experts at Independent Security Evaluators only discovered later, and by accident. He did not even need to hack into an exchange or anything like that. All he had to do was guess a bunch of weak passwords and then walk away with the funds.
The cybersecurity firm discovered the theft while performing an assessment for a digital currency client. They examined various weak private keys in order, starting with the ridiculously simple 0x01. In the process, they found that the wallet associated with this key, and hundreds of other weak ones like it, had been wiped out.
It turns out the ‘blockchain bandit’ had been guessing their way into all these wallets and then funnelling Ethereum from them into their own wallet.
That wasn’t enough, however: the company then tried to see how quickly the thief was able to work. They sent the equivalent of a dollar’s worth of digital currency to an address linked to one of these weak keys and discovered that the bandit was able to siphon the money away almost instantly.
They wrote in a paper –
“We discovered that funds from these weak-key addresses are being pilfered and sent to a destination address belonging to an individual or group that is running active campaigns to compromise/gather private keys and obtain these funds. On January 13, 2018, this ‘blockchain bandit’ held a balance of 37,926 ETH valued at $54,343,407, which is approx Rs. 279 crore.”
The security experts assess that one of two things happened to compromise these users: either they had longer keys that were truncated by a coding glitch, or the wallet let them pick their own keys and they got lazy.
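As an added example, not code from the article or from ISE's paper: a screening check, in Python, that a wallet could run before accepting a private key, flagging the weak classes described above (tiny or truncated keys such as 0x01, and keys derived from a guessable passphrase). The 2**64 bound and the passphrase list are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Order of the secp256k1 group: a valid Ethereum private key is an integer in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed threshold: anything below 2**64 is cheap to enumerate, and a 32-byte key
# that lost its upper bytes to a truncation bug also lands in this range.
SMALL_KEY_BOUND = 1 << 64

# Constructed, illustrative passphrase list; a real deny-list would be far larger.
COMMON_PASSPHRASES = ["password", "123456", "ethereum", "letmein", "correct horse battery staple"]


def brainwallet_key(passphrase: str) -> int:
    """Classic 'brainwallet' key: SHA-256 of a passphrase, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")


BRAINWALLET_KEYS = {brainwallet_key(p) for p in COMMON_PASSPHRASES}


def classify_private_key(key: int) -> str:
    """Return 'invalid', 'weak' or 'ok' for a candidate secp256k1 private key."""
    if not 1 <= key < SECP256K1_N:
        return "invalid"          # 0 and values >= n are not usable keys
    if key < SMALL_KEY_BOUND:
        return "weak"             # 0x01, 0x02, ... or a key truncated to a few bytes
    if key in BRAINWALLET_KEYS:
        return "weak"             # derived from a guessable passphrase
    return "ok"


def classify_hex_key(hex_key: str) -> str:
    """Classify a key given as hex (e.g. '0x01'). Short strings are left-padded by
    int(), so a truncated key is caught by the small-integer check."""
    h = hex_key[2:] if hex_key.lower().startswith("0x") else hex_key
    if not h or len(h) > 64 or any(c not in "0123456789abcdefABCDEF" for c in h):
        return "invalid"
    return classify_private_key(int(h, 16))


def generate_private_key() -> int:
    """Draw a key uniformly from [1, n-1] using the OS CSPRNG, which is how the
    keys in the article should have been produced."""
    return secrets.randbelow(SECP256K1_N - 1) + 1


if __name__ == "__main__":
    # Constructed samples: the article's 0x01, a key truncated to 8 bytes, a brainwallet key.
    for sample in ["0x01", "0x" + "00" * 24 + "deadbeefdeadbeef", hex(brainwallet_key("password"))]:
        print(sample[:18] + "...", classify_hex_key(sample))
    print("fresh key:", classify_private_key(generate_private_key()))
```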