SECURITY REPORT
We were investigating issues where users reported the wrong signing address on our website. All of this users reported that they were on our website and their connection was secured by the fake SSL-certificate. All incidents were grouped by dates March 16-17 and April 19-20. The Letters of Guarantee of this users had the same fake signing addresses listed below:
1CrypMixUKiXduy6J42nEzm4Z9CpJuXptS (March 16-17)1CrypMix3194qKbmZBeM2TRxgBu1gorrB4 (April 19-20)
While the original signing address was generated back in 2016 and has never changed:
- 1CrypMixXWtTjYGCM5ZJmyQYP1Y39P7aLM (bookmark this very address if you are reading this)
To make it clear:
- our servers were not hacked or compromised;
- the operations of our customers did not fall into third hands;
- this attack affected only those users who have got the fake signing address.
To understand what have happen to this users and how to avoid it for yourself, kindly read further.
BackgroundThe Internet is a global network in enabling any connected host, identified by its unique IP address, to talk to any other, anywhere in the world. This is achieved by passing data from one router to another, repeatedly moving each packet closer to its destination. To do this, each router must be regularly supplied with up-to-date routing tables. At the global level, individual IP addresses are grouped together into "prefixes".
These prefixes are originated, or owned by an autonomous systems (AS) - groups of networks that operate under a single external routing policy. For example, Sprint, Verizon, and AT&T each are an AS. Border Gateway Protocol (BGP) is the standard routing protocol used to exchange information about IP routing between autonomous systems.
Each AS uses BGP to advertise prefixes that it can deliver traffic to. For example, if the network prefix 192.0.2.0/24 , then that AS will advertise to its provider(s) and/or peer(s) that it can deliver any traffic destined for 192.0.2.0/24.
The problem is, by default the BGP protocol is designed to trust all route announcements sent by peers, and only few ISPs rigorously enforce checks on BGP sessions through security extensions available for BGP, and third-party route DB resources.
What is BGP hijacking?BGP hijacking can occur deliberately or by accident in one of several ways:
- An AS announces that it originates a prefix that it does not actually originate.
- An AS announces a more specific prefix than what may be announced by the true originating AS.
- An AS announces that it can route traffic to the hijacked AS through a shorter route than is already available, regardless of whether or not the route actually exists.
Common to these ways is their disruption of the normal routing of the network: packets end up being forwarded towards the wrong part of the network and then are found at the mercy of the offending AS. When an AS announces a route to IP prefixes that it does not actually control, this announcement, can spread and be added to routing tables in BGP routers across the Internet. It would be like claiming territory if there were no local government to verify and enforce property deeds.
Typically ISPs filter BGP traffic, allowing BGP advertisements from their downstream networks to contain only valid IP space. However, a history of hijacking incidents shows this is not always the case. There have been many examples of deliberate BGP hijacking:
What happened to our users?During our investigation, we have found out that on the dates corresponding to the incidents one of the AS was broadcasting to BGP the fake route for our servers network and that route was used by some of ISPs (you can click diagrams for details).
This way attackers rerouted HTTP-traffic to their servers, deceived the verification system of the global Certification Authority (CA) lettercrypt.org and issued a fake Domain Validation (DV) certificate, and were able to send the victims HTTPS-traffic to their servers either.
It may seem surprising that the operator of a large network or group of networks, many of which are ISPs, would brazenly undertake such malicious activity. But considering that by some counts there are now over 80,000 autonomous systems globally, it is not surprising that some would be untrustworthy.
How to defend yourself?Because BGP is built on the assumption that interconnected networks are telling the truth about which IP addresses they own, BGP hijacking is nearly impossible to stop at one moment. Though security extensions such as
Resource Public Key Infrastructure (RPKI) are available for BGP, are still not widely deployed and adoption will takes time. It is very important to understand that the clear Internet infrastructure is dramatically insecure. You can face it both in
cryptocurrency and the
fiat worlds.
What you can do to make sure that the Letter of Guarantee has been generated not by third side, besides bookmarking our signing address and checking the signature, is to check the signing address provided in the Letter of Guarantee on the blockchain explorer. Our original signing address has been generated back in 2016 and has 32 pages of donation transactions on about 40 BTC in total and has never changed:
You will easily see if it is the freshly new generated address of scammers, like this one:
What will happen to victims of this incident?We value our customers and their trust very high and do not want to leave them as victims in this situation. During coming days we will contact affected users and offer them an option to compensate the lost funds. We are aimed to provide the compensation till the end of this month. If you haven't contacted me or support@[banned mixer] yet, get in touch and provide the LOG on your operation.
More infoFurther update on this issue.
. This process was complicated by the fact that different people applied for refunds with the same Letters of Guarantee, some of them were falsified, while others did not have letters - in all such cases, we had to make compensation only to the original source of the transaction. Kindly note, this payments are not a refund of the funds that we have received - but our voluntary compensation to the victims of this incident, so we ask you to understand the precautions that we apply with understanding.
