Cybercrime

Hackers blackmail exchange with $5 million of Ethereum fees – Decrypt.co

By Tim Copeland and Colin Harper

 

In the last two days, three bizarre Ethereum transactions have spent $5.7 million on fees. But a report claims it’s not a bug—an exchange is being blackmailed.

In brief

  • In the last few days, three Ethereum transactions have paid $5.7 million in fees.
  • A new report explains that it might be a blackmail attempt on an exchange.
  • It details how the hackers may have got access to the funds, and why they can’t steal them.

It’s been an expensive week for users of the Ethereum blockchain. In the last two days one user managed to spend $5.2 million in fees to make just two transactions—and one of them was only for $130! And now, a third transaction has taken place by another user, albeit for a fee of just $500,000, which seems small in comparison.

And these absurd transactions are prompting far-fetched theories.

While initially thought to be a bug, it appears an exchange is being blackmailed. Image: Shutterstock.

“The 3rd abnormal tx on ethereum with over 2000 ETH fee went [through]. Someone believes it could be a hacker’s blackmail to some exchange,” tweeted NEO co-founder Da Hongfei.

“A [wild] guess [is] certain exchange/wallet/ETH services is being “kidnapped” by hacker,” speculated Primitive Crypto founding partner Dovey Wan.

But, according to China-based blockchain analytics company PeckShield, reported by Chainews, these theories aren’t so wild after all. PeckShield’s analysis explains that the million-dollar snafus were probably “gas price ransomware attacks.”

In short, the researchers claim that the hackers have gained access to an exchange’s funds. They are able to send money to certain whitelisted accounts that are marked as reliable in the exchange’s database to—but not to their own. So, they are sending the funds with excessively high transaction fees to sap the exchange’s accounts, and they’re demanding a ransom if it’s going to stop.

The research is aimed at the first two transactions, that spent $5.2 million in total on fees, but it may apply to the third one too. (Since publishing the article, it appears that the third transaction may have been unrelated and caused by a separate direct hack on another exchange).

Hackers blackmail the exchange

The hackers started by using a phishing attack (where they fake a website or an email to try to gain credentials) to gain some kind of access to the exchange, according to the report. It worked, they had part of the permissions to send a transaction. But there was a problem.

The exchange had a multi-signature security setting. This means that multiple keys (like passwords) are required to send the money. So, it seemed like there was nothing they could do.

But then they realised they could circumvent this multi-signature security with a trick: they could send to whitelisted address, because these addresses only require a single authorization to send a transaction.

Only the hackers were unable to send the money to their own accounts in this way. Instead they figured they would send a small amount of Ethereum to one of the whitelisted addresses but tack on an excessively large transaction fee. While they weren’t getting any of the money, they were costing the exchange dearly. And that gave them room to demand a ransom.

And that’s the whole gambit: the hackers will keep sending ETH from this exchange until its operators cave to their demands, PeckShield’s analysis claims.

Decrypt could not immediately reach PeckShield for comment, nor could it verify which exchange (which is undisclosed in PeckShield’s report) has been affected.

This article has been updated with a comment on the third transaction.

Originally published on, and syndicated from Decrypt.co.

Security Report News

Security Report News and guest post account. Opinions and views expressed by guest authors are their own and not necessarily endorsed by Security Report Ltd. or our affiliates.

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.