Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
There’s a ‘Blockchain Bandit’ on the Loose

By Leo S. Verified by Richard C. Last updated: July 14, 2024

Blockchain is widely touted as a foundation for online privacy. While the technology is being applied everywhere from the medical field to online tools such as VPNs, cryptocurrency remains its most controversial use. More and more people are turning to Bitcoin and its relatives, trusting cryptography and a decentralized ledger to hold their virtual money in digital wallets. What actually protects those wallets is public-key cryptography: whoever holds the private key controls the funds.

But when it comes to money, there’s no such thing as caring too much; technology evolves fast, and so do the skills of attackers. The latest menace is the so-called ‘blockchain bandit’, an attacker who has been guessing weak Ethereum private keys and making millions by emptying the accounts they control.

Guessing the unguessable

In an interview with Cointelegraph, Adrian Bednarek, a senior security analyst at the American consulting firm Independent Security Evaluators (ISE), described what he called ethercombing. The technique, which is explained in detail in his report, does not try to search the full 256-bit key space (which is hopelessly large); instead it scans small, ‘narrowed’ sub-regions of that space where weak keys are likely to sit. He applied this method while investigating the basics of Ethereum private keys, such as their length, how they are generated, and how they are used to derive the public key and the public address, and that is how he stumbled upon the hacker.

What makes an Ethereum private key practically impossible to guess is that it is a random 256-bit number: there are roughly 2^256 possible keys, far more than anyone could ever enumerate. But what if someone used the most basic of all private keys to store their digital money? It sounds silly and astonishingly insecure, but Bednarek found that the key whose value is simply 1 (63 zeroes followed by a 1, written in hexadecimal) was not only in use on the blockchain but had also been involved in thousands of transactions. Just like Bednarek, the hacker had previously guessed and emptied this key and the ones that follow it: 02, 03, 04 and so on.

Everything can be hacked nowadays, and cryptocurrency wallets are no exception. The private key is the only secret involved: anyone who knows an Ethereum private key can derive the public key and the address it controls, and can sign transactions from that address exactly as the rightful owner would. An attacker who guesses someone else’s key can therefore move the funds just as easily as the owner can.

ISE then scaled the approach up and found 735 more weak private keys in use. For security researchers that may be a negligible number compared to the approximately 50 million keys used on the Ethereum blockchain, but in the hands of hackers it already makes for an absurd amount of profit, depending on exchange rates and how much digital money each account holds.

Finders keepers

In his report, Bednarek explains that the blockchain bandit had taken money from ‘only’ 12 of the 735 keys that the researchers were able to compromise. Nonetheless, a single account alone held 45,000 ETH, worth more than $7.3 million at the time of the theft. The team also concluded that the hacker was using the same ethercombing method, since “it’s statistically improbable he would guess those keys by chance”. Moreover, Bednarek performed a series of tests and discovered that the attacker had set up a “blockchain node that is part of the transaction network” to automatically sweep any money sent to the compromised keys the moment it arrived.


Even though the cryptography behind cryptocurrency is sound, this unfortunate event is another example of how nothing is truly safe when it is used carelessly: the keys that were drained were not broken, they were guessable from the start. Not many people were victims of the blockchain bandit, but it is only a matter of time until something similar comes up, possibly with a worse outcome. It is therefore important to take preventive rather than reactive measures, not only with cryptocurrency but online in general. For wallets, that means letting a reputable wallet generate the key from a properly seeded cryptographic random number generator rather than choosing, typing or truncating one yourself. More broadly, opting for strong, unguessable passwords should be the first step, while investing in software such as a VPN, a password manager, or a complete security suite is also advisable.


©2012-2024 Best Reviews, a clovio brand – All rights reserved