
It sounds like an anecdote, but it also sounds like a joke.
As everyone can see, the blockchain industry we work in is never short of gossip and anecdotes, especially when the market is moving sideways and sentiment is low. With some of this gossip, everyone watches the spectacle, but the story behind it is perfectly clear, such as the various feuds between a well-known exchange and a mining machine manufacturer.
There is, however, another kind of anecdote that everyone in the circle talks about: one that looks simple on the surface but whose real background is hard to make out.
On February 19, 2019, a transaction of only 0.1 ETH appeared on the Ethereum chain, but the sender paid a fee of as much as 2,100 ETH. At the ETH price of the time, 969 yuan, this unexpected operation handed the miner who packaged the transaction a windfall of about 2 million RMB.
Coincidentally, in the past two days a similar plot has played out again, and it was even crazier and more surreal than last time:
At 17:47 on June 10th, the address starting with 0xcdd6a2b transferred 0.55 ETH to the address starting with 0x12d8012, but the transaction fee was as high as 10,668.73185 ETH.
(Two abnormal transfers, source: Etherscan)
Three routine explanations for accidental transfers
This cannot help but leave onlookers confused.
We might as well start by briefly analysing, from the perspective of the casual onlooker, several ways such an accident could happen:
Conjecture 1) "Rich people have stupid money": a capricious tycoon's hand shook while transferring money, oh, twice, and it was only tens of millions, not worth mentioning;
Conjecture 2) "A big brother saving all beings": a mysterious veteran of the crypto circle, handing out consolation subsidies while the market is down, randomly sent red envelopes to the miners who quietly make outstanding contributions to the blockchain community;
Conjecture 3) "Institutional money laundering": a secret money laundering ring recruited and "bought" several mining pools to carry out illegal laundering operations;
(Ethereum mining pool computing power distribution, source: Etherscan)
A GasPrice ransom attack initiated by hackers?
Setting aside the three onlooker-level conjectures, we might as well work through, from a professional point of view, what lies behind these two consecutive abnormal transfers.
Based on in-depth analysis using its library of more than 70 million address tags and its professional tracing and tracking tools, CoinHolmes, the visual asset tracking platform of the PeckShield security team, found the following:
1. We first have to work out who owns the address starting with 0xcdd6a2b. Analysis shows that this address has a large number of incoming and outgoing counterparties, and that a number of small addresses were emptied after interacting with it. The CoinHolmes team's initial assessment is that this address is very likely the hot wallet of a certain exchange: its on-chain behaviour closely matches the characteristics of exchange hot wallet addresses that we have identified. This means that what hides behind this comical incident is not the wilful smile of a mysterious tycoon, but the helpless wailing of innocent retail users.
2. Given that the address belongs to an exchange, why would it squander a huge amount of assets for no reason? Especially now, when small and medium-sized exchanges are struggling to survive, such suicidal behaviour makes no sense. There is only one plausible possibility: the exchange itself has been hijacked by hackers.
Following this possibility, the story of the abnormal transfers takes on a far more coherent plot:
1) The exchange that owns the address was attacked by hackers, by phishing or similar means, and the hackers captured some of its permissions, for example server management permissions;
2) Because the exchange's private key may be protected by multi-signature verification, the hackers, although in control of the server account, could not fully control the private key and transfer the huge assets to themselves;
3) However, the hackers found that they already had permission to transfer funds to addresses on the whitelist authorised for this address, so they could carry out transfers even with incomplete permissions;
4) Not only that, the hackers also found that they could control the GasPrice, so although they could not take the assets away, they could find a way to squander them;
5) So the hackers sent two abnormal transfers and launched an extortion attempt against the exchange. The subtext: if the exchange does not pay the hackers a ransom through other channels, the hackers will squander still more of the money (the address currently holds about 21,000 ETH);
6) Because the exchange's server permissions are under the hackers' control, it cannot use its private key normally; the money in the account is therefore held hostage, and the exchange has no way to move the remaining funds out in time to stop the loss.
So far, we can speculate that the truth behind these two abnormal transfers is a GasPrice extortion attack launched by hackers against an exchange.
It is worth reminding victims that they do not have to fall into the extortion trap the hackers have designed.
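The plot above turns on one detail: whoever controls the signing path can set GasPrice freely, and nothing stops a 0.55 ETH transfer from carrying a 10,668 ETH fee. The following is an added example (not PeckShield's or any exchange's code) of a signing-side policy guard that a hot wallet could enforce before a transaction is signed: a hard cap on the worst-case fee, plus a fee-to-value ratio check. The gas prices for the two transfers on the page are derived here assuming the standard 21,000 gas of a plain ETH transfer; the policy thresholds and the truncated addresses are constructed placeholders.

```python
"""Hot-wallet signing guard against runaway GasPrice (added example)."""
from dataclasses import dataclass

WEI_PER_ETH = 10**18
GWEI = 10**9
PLAIN_TRANSFER_GAS = 21_000  # gas consumed by a simple ETH transfer


@dataclass(frozen=True)
class TxRequest:
    to: str
    value_wei: int
    gas_limit: int
    gas_price_wei: int

    @property
    def max_fee_wei(self) -> int:
        # The most the sender can lose to the miner: gas_limit * gas_price.
        return self.gas_limit * self.gas_price_wei


# Policy knobs (constructed values, not from the page).
FEE_CAP_WEI = 1 * WEI_PER_ETH        # never pay more than 1 ETH in fees for one tx
FEE_RATIO_LIMIT = 10                 # fee may not exceed 10x the value transferred
RATIO_FLOOR_WEI = 5 * 10**15         # 0.005 ETH: skip the ratio check for tiny fees


def signing_guard(tx: TxRequest) -> list[str]:
    """Return the list of policy violations; an empty list means the tx may be signed."""
    problems = []
    fee = tx.max_fee_wei
    if fee > FEE_CAP_WEI:
        problems.append(f"max fee {fee / WEI_PER_ETH:.2f} ETH exceeds the per-tx cap")
    # The ratio check catches the 0.55 ETH / 10,668 ETH pattern even under a generous cap.
    if fee > RATIO_FLOOR_WEI and fee > FEE_RATIO_LIMIT * tx.value_wei:
        problems.append("fee dwarfs the transferred value")
    return problems


# The two transfers described in the text (addresses truncated as on the page / unknown).
TX_JUNE_2020 = TxRequest("0x12d8012...", 55 * WEI_PER_ETH // 100, PLAIN_TRANSFER_GAS, 508_034_850 * GWEI)
TX_FEB_2019 = TxRequest("<unknown>", WEI_PER_ETH // 10, PLAIN_TRANSFER_GAS, 100_000_000 * GWEI)
# A constructed ordinary withdrawal at 30 gwei for comparison.
TX_NORMAL = TxRequest("<user>", 55 * WEI_PER_ETH // 100, PLAIN_TRANSFER_GAS, 30 * GWEI)

if __name__ == "__main__":
    for name, tx in [("June 2020", TX_JUNE_2020), ("Feb 2019", TX_FEB_2019), ("normal", TX_NORMAL)]:
        print(name, f"{tx.max_fee_wei / WEI_PER_ETH:.5f} ETH fee ->", signing_guard(tx) or "OK")
```

A guard like this has to sit on the signing path itself (for example inside the HSM or signing service policy), since a check that lives only on the compromised server is exactly what the attacker in this story controls.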
Epilogue
The above is only one possible conclusion based on on-chain data and our existing address tag library. We are still conducting further analysis, tracking and investigation of the relevant addresses, and at the same time we are working with the mining pool to uncover the truth behind the matter. Finally, we must state clearly that we cannot guarantee the deduction is 100% accurate; but if there is even a slight possibility that an extortion incident is under way, further harm may follow. We therefore kindly ask the victims to get in touch with us as soon as possible so that the truth can come to light as quickly as possible. We believe in the combined strength of ecosystem partners, and that the matter can have a relatively optimistic outcome.


