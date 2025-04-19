from the no-one-noticed-anything-missing? dept.
Last summer, Adrian Bednarek was mulling over ways to steal the cryptocurrency Ethereum. He's a security consultant; at the time, he was working for a client in the theft-plagued cryptocurrency industry. Bednarek had been drawn to Ethereum, in particular, because of its notorious complexity and the potential security vulnerabilities those moving parts might create. But he started instead with the simplest of questions: What if an Ethereum owner stored their digital money with a private key—the unguessable, 78-digit string of numbers that protects the currency stashed at a certain address—that had a value of 1?
To Bednarek's surprise, he found that dead-simple key had in fact once held currency, according to the blockchain that records all Ethereum transactions. But the cash had already been taken out of the Ethereum wallet that used it—almost certainly by a thief who had thought to guess a private key of 1 long before Bednarek had. After all, as with Bitcoin and other cryptocurrencies, if anyone knows an Ethereum private key, they can use it to derive the associated public address that the key unlocks. The private key then allows them to transfer the money at that address as though they were its rightful owner.
That initial discovery piqued Bednarek's curiosity. So he tried a few more consecutive keys: 2, 3, 4, and then a couple dozen more, all of which had been similarly emptied. So he and his colleagues at the security consultancy Independent Security Evaluators wrote some code, fired up some cloud servers, and tried a few dozen billion more.
"You have a thief here that amassed this fortune and then lost it all when the market crashed.
In the process, and as detailed in a paper they published Tuesday, the researchers not only found that cryptocurrency users have in the last few years stored their crypto treasure with hundreds of easily guessable private keys, but also uncovered what they call a "blockchain bandit." A single Ethereum account seems to have siphoned off a fortune of 45,000 ether—worth at one point more than $50 million—using those same key-guessing tricks.
"He was doing the same things we were doing, but he went above and beyond," Bednarek says. "Whoever this guy or these guys are, they're spending a lot of computing time sniffing for new wallets, watching every transaction, and seeing if they have the key to them."
(Score: 2, Insightful) by Anonymous Coward on Thursday April 25, @11:16AM (2 children)
Clearly blockchain is the answer to everything, including poor security and anonymous theft.
The competing thieves were a pretty nice touch. Who knows what other weaknesses there are in all of these super duper solutions?
(Score: 0) by Anonymous Coward on Thursday April 25, @11:33AM (1 child)
To be fair, your physical wallet and back pocket are pretty insecure, but there's no easy way to access or exploit them remotely, yet...
Point being: People have not been conditioned to secure, well, basically fucking anything, since even govs run on MS windoze. My PWs are generated per site / platform by a salted hash algorithm I wrote myself. The NSA and a few other agencies know my passwords, but using it would reveal themselves... and they typically value secrecy above affect. [schneier.com] This leaves the system vulnerable to "paranoids" who (autonomously) try to detect if they've been exploited, such as the mafia, and such.
(Score: 0) by Anonymous Coward on Thursday April 25, @12:28PM
That's what I thought about my rental agent's systems which have my real name, bank account, address, and other details. Then I found that they moved their software to The Cloud.
Now I am waiting for the day when some script kiddie steals a few thousand or identity hacks me.
(Score: 1, Insightful) by Anonymous Coward on Thursday April 25, @11:34AM (3 children)
When you put your money in a block chain, you do it saying
"Here's a riddle, if you solve it,the money is your's."
Crypto may make the riddle hard to solve, but a user putting in money appears to be able to fix this.
So if some third party solves the riddle, who's money should it be?
If someone leaves cash lying around unattended, it doesn't give one the right to just pick it up and keep it.
One is expected to try to get the cash back to the rightful owner and that failing, perhaps keep it.
On the other hand, an important property of block chain is that the first valid transaction gets the cash period.
To preserve that property, the transaction has to stand, but that doesn't preclude going after the bandit.
Blockchain morals are still new. They need to evolve, but it's not clear to me what direction they should go?
(Score: 2) by GreatAuntAnesthesia on Thursday April 25, @12:00PM
> When you put your money in a block chain, you do it saying
> "Here's a riddle, if you solve it,the money is your's."
No, not really. If I lock my house do I say "Here is a lock. If you can pick it, my stuff is yours"?
Even if you pick the lock, it's still my stuff, and taking it is still stealing.
(Score: 1) by khallow on Thursday April 25, @12:02PM
There's not enough money in the world to solve those riddles when the password is made hard. Just get that $5 wrench instead.
(Score: 3, Insightful) by driverless on Thursday April 25, @12:11PM
No, you're saying "here's a bunch of buggy software hacked together by random people you've never met who sometimes know a bit of what they're trying to do, which is really, really complex and easy to get wrong, and who are motivated by getting things done quickly and shipped with minimal effort. If there are any holes anywhere in any of that, your money is someone else's".
(Score: 2) by Fnord666 on Thursday April 25, @12:18PM
Just to be clear, this is neither a blockchain issue not is it a password issue. This is a software issue in the Etherium software. When you create a "wallet" in the various cryptocoin systems, you are really creating a public/private RSA key pair. The public key becomes your wallet address and is used to transfer coins into your wallet. Your private key is used to sign transactions moving coins out of that wallet. Apparently at some point the Etherium client implementation created wallets that had simple, easy to guess private keys. It's unlikely that it is happening today. My guess is that this occurred early on in the development of Etherium when it was in testing/beta to make things simple for testing and at that time there was no real money involved. Either that version of the client software went live in which case these were real people's wallets, or the blockchain with those wallets in them and funded went live with the rollout. Either way it's real money now if the coins ever got cashed out. If they did then like all cryptocoins, this is the point at which the money gets de-anonymized.