So long as cryptocurrency exists, so too will the extraordinary lengths to which thieves will go to try to steal it. Unfortunately, that also includes preying on weak private keys, a method that has evidently made one crypto bandit filthy rich with millions in swiped Ethereum.
This was the accidental discovery made by security experts with the firm Independent Security Evaluators while performing an assessment for a cryptocurrency client. They examined a number of weak private keys—beginning with the stupidly simple key of 0x01—and discovered on the blockchain that its associated wallet had been emptied, as was the case with hundreds of similarly simple keys. A “blockchain bandit,” they found, had been funneling Ethereum from these keys.
To see how quickly the bandit was working, they sent the equivalent of a dollar’s worth of the cryptocurrency to the address associated with one of these weak private keys and found that the bandit instantly sent it to another account. By swiping Ethereum using these guessable weak keys, the bandit—or, possibly, a group—amassed a fortune.
“We discovered that funds from these weak-key addresses are being pilfered and sent to a destination address belonging to an individual or group that is running active campaigns to compromise/gather private keys and obtain these funds,” they wrote in a paper about their findings published Tuesday. “On January 13, 2018, this ‘blockchainbandit’ held a balance of 37,926 ETH valued at $54,343,407.”
There are a couple of ways that these weak keys could have been generated. The ISE researchers wrote that it’s possible a coding error truncated what should have been a longer key, or, as ISE senior security analyst Adrian Bednarek explained to Wired, the keys may have come from a wallet that let users choose their own.
“While it is improbable that a weak key would ever be generated under legitimate circumstances using the appropriate code paths, we hypothesized that weak private keys may still be generated by coding mistakes, or operating system, device, and execution environment errors, and that these issues are common,” ISE researchers wrote in their paper.
Bednarek told Wired he has no idea as to the identity of the mastermind behind this Ethereum-looting operation, though he said he “wouldn’t be surprised if it’s a state actor, like North Korea, but that’s all just speculation.” Likewise, the ISE team cannot identify which wallets are associated with the weak keys, only that they are being robbed—which, big yikes. But in the event that the culprit is based in a nation that follows international law, they could find themselves in big trouble if they decide to withdraw the funds in a traceable way. And let’s be honest, most cryptocurrencies are much more traceable than their reputation implies.
This should be a wake-up call for both wallet developers and their users, who Bednarek said should be ensuring they’re using a trusted wallet.
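For wallet developers, the truncation scenario described above can be caught with a sanity check at key-generation time. The following is an added example, not code from ISE or from any wallet; the `MIN_BITS` threshold and the `buggy_truncate` helper are assumptions made up for illustration.

```python
import secrets

# Order of the secp256k1 group used by Ethereum; valid private keys are 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed policy threshold (not from the ISE paper): a uniformly random key
# has fewer than 128 significant bits with probability of roughly 2**-128,
# so a key this small points to a bug, not to bad luck.
MIN_BITS = 128


def generate_private_key() -> int:
    """Draw a key uniformly from [1, N-1] using the OS CSPRNG."""
    return secrets.randbelow(SECP256K1_N - 1) + 1


def check_private_key(key_bytes: bytes) -> str:
    """Return 'ok', or the reason the key must be rejected."""
    if len(key_bytes) != 32:
        return "wrong length"
    k = int.from_bytes(key_bytes, "big")
    if not 1 <= k < SECP256K1_N:
        return "out of range"
    if k.bit_length() < MIN_BITS:
        return "suspiciously small"
    return "ok"


def buggy_truncate(key: int) -> bytes:
    """Constructed bug: a 256-bit key squeezed through a 32-bit integer,
    then zero-padded back to 32 bytes, so it still looks well-formed."""
    return (key & 0xFFFFFFFF).to_bytes(32, "big")


if __name__ == "__main__":
    good = generate_private_key()
    print("fresh key:     ", check_private_key(good.to_bytes(32, "big")))
    print("truncated key: ", check_private_key(buggy_truncate(good)))
    print("key 0x01:      ", check_private_key((1).to_bytes(32, "big")))
```

A check like this belongs right before a key is first used to derive an address, so a truncated value is rejected before any funds can be sent to it.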