An individual or group of hackers steals over $54m in digital currency
An alarming new report has revealed that a hacker or group of hackers known as the “Blockchainbandit” has successfully stolen over $54m in digital currency by exploiting poorly secured digital wallets. The hackers targeted wallets that were secured with weak private keys, which allowed them to transfer nearly 38,000 Ethereum (ETH) to their own wallet.
How did the hackers manage to steal the funds?
According to consultancy Independent Security Evaluators (ISE), the hackers were able to exploit weak private keys in order to gain access to the targeted wallets. In a test operation, ISE placed a small amount of ETH in a wallet with a weak private key and witnessed it being transferred to the attacker’s wallet within seconds. In total, ISE was able to guess or duplicate 732 weak private keys on the Ethereum blockchain, highlighting a significant flaw in key generation by developers.
What are the potential causes of the security breach?
ISE suggested that programming errors in the software generating these keys may have made them easy to brute force. They hypothesized that a 256-bit private key may have been truncated due to coding mistakes, resulting in a key that is not sufficiently complex. Other potential errors identified by the researchers included the use of error codes as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors. It is even possible that users were allowed to choose their own keys, further exacerbating the security vulnerabilities.
How can developers prevent such attacks in the future?
ISE recommended several measures that developers can take to enhance the security of private keys and prevent similar attacks in the future. These include using well-known libraries or platform-specific modules for random number generation, employing a cryptographically secure pseudo-random number generator, auditing code for truncated keys, and using multiple sources of entropy. Developers were also advised to review NIST guidelines on cryptographic random number generation to ensure best practices are followed.
“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” emphasized ISE executive partner Ted Harrington. By implementing these recommendations, developers can strengthen the security of private keys and protect against unauthorized access to digital wallets.
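As an added illustration of two of the recommendations above (drawing keys from a cryptographically secure generator and auditing for truncated keys), the following Python sketch is not ISE's code or code from any wallet. The function names, the 192-bit threshold and the sample keys are assumptions made for this example.

```python
import secrets

# Order of the secp256k1 group used by Ethereum; valid private keys are 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed audit threshold: a uniformly random 256-bit value has fewer than
# 192 significant bits with probability 2**-64, so a hit points to truncation.
MIN_SIGNIFICANT_BITS = 192


def generate_private_key():
    """Draw 256 bits from the OS CSPRNG; retry on the rare out-of-range value."""
    while True:
        k = secrets.randbits(256)
        if 1 <= k < SECP256K1_N:
            return k.to_bytes(32, "big")


def audit_private_key(key):
    """Return a list of structural findings; an empty list means none found."""
    if len(key) != 32:
        return ["length is %d bytes, expected 32" % len(key)]
    findings = []
    k = int.from_bytes(key, "big")
    if not 1 <= k < SECP256K1_N:
        findings.append("value outside the valid range 1..N-1")
    if k.bit_length() < MIN_SIGNIFICANT_BITS:
        findings.append("only %d significant bits, possible truncation" % k.bit_length())
    if key[16:] == bytes(16):
        findings.append("low 128 bits are all zero, possible partial fill")
    return findings


if __name__ == "__main__":
    # Constructed sample keys, not taken from the report.
    samples = {
        "csprng": generate_private_key(),
        "32-bit value": (0xDEADBEEF).to_bytes(32, "big"),
        "error code -1 as uint32": (0xFFFFFFFF).to_bytes(32, "big"),
        "upper half only": bytes(range(1, 17)) + bytes(16),
    }
    for name, key in samples.items():
        print(name, audit_private_key(key) or "no findings")
```

An empty result only rules out these structural defects; it does not show that a key came from a sound random number generator, so the audit complements a review of the generation code and does not replace it.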