Author Topic: [NEWS] Hackers blackmail exchange with $5 million of Ethereum fees  (Read 422 times)
bbc.reporter (OP)
June 15, 2020, 03:40:34 AM  #1

I speculate that this might be one of the exchanges with the highest volumes for Ethereum if the theory is proven. The hacker would not pay a fee of $5 million if the exchange does not have $500 million of ETH in storage, I reckon.



It’s been an expensive week for users of the Ethereum blockchain. In the last two days one user managed to spend $5.2 million in fees to make just two transactions—and one of them was only for $130! And now, a third transaction has taken place by another user, albeit for a fee of just $500,000, which seems small in comparison.

And these absurd transactions are prompting far-fetched theories.

“The 3rd abnormal tx on ethereum with over 2000 ETH fee went [through]. Someone believes it could be a hacker's blackmail to some exchange,” tweeted NEO co-founder Da Hongfei.

“A [wild] guess [is] certain exchange/wallet/ETH services is being “kidnapped” by hacker,” speculated Primitive Crypto founding partner Dovey Wan.

But, according to China-based blockchain analytics company PeckShield, reported by Chainews, these theories aren’t so wild after all. PeckShield’s analysis explains that the million-dollar snafus were probably “gas price ransomware attacks.”

In short, the researchers claim that the hackers have gained access to an exchange’s funds. They are able to send money to certain whitelisted accounts that are marked as reliable in the exchange’s database, but not to their own. So, they are sending the funds with excessively high transaction fees to sap the exchange’s accounts, and they’re demanding a ransom if it’s going to stop.


Read in full https://decrypt.co/32145/hackers-blackmail-exchange-with-5-million-of-ethereum-fees-report

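The scenario in the report quoted above (an attacker who can only send to whitelisted addresses but can pick any gas price) points at a pre-signing check that looks at the fee as well as the destination. This is an added example, not code from the thread or from any exchange; the allowlist placeholder, the thresholds and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

GWEI, ETH = 10**9, 10**18

# Hypothetical policy values; tune to the service's real traffic.
ALLOWLIST = {"0xALLOWLISTED_PLACEHOLDER"}   # placeholder, not a real address
MAX_GAS_PRICE_WEI = 1_000 * GWEI            # hard ceiling per unit of gas
MAX_FEE_WEI = ETH // 2                      # hard ceiling on gas_limit * gas_price
BASELINE_MULTIPLE = 20                      # allowed jump over sender's median


@dataclass(frozen=True)
class Tx:
    to: str
    value_wei: int
    gas_limit: int
    gas_price_wei: int

    @property
    def max_fee_wei(self) -> int:
        # Worst-case fee the sender authorises for a legacy-style transaction.
        return self.gas_limit * self.gas_price_wei


def allowlist_only(tx: Tx) -> bool:
    """The weak policy: only the destination is checked."""
    return tx.to in ALLOWLIST


def policy_violations(tx: Tx, recent_gas_prices_wei: list[int]) -> list[str]:
    """Return every reason to refuse signing; an empty list means allow."""
    reasons = []
    if tx.to not in ALLOWLIST:
        reasons.append("destination not allowlisted")
    if tx.gas_price_wei > MAX_GAS_PRICE_WEI:
        reasons.append("gas price above hard cap")
    if tx.max_fee_wei > MAX_FEE_WEI:
        reasons.append("total fee above hard cap")
    if recent_gas_prices_wei:
        baseline = median(recent_gas_prices_wei)
        if tx.gas_price_wei > BASELINE_MULTIPLE * baseline:
            reasons.append("gas price far above sender baseline")
    return reasons


# Constructed samples: a routine 60 gwei transfer and one shaped like the
# reported transaction (small value, gas price near 500 million gwei).
HISTORY = [60 * GWEI] * 10
ROUTINE = Tx("0xALLOWLISTED_PLACEHOLDER", 5 * ETH, 21_000, 60 * GWEI)
ABNORMAL = Tx("0xALLOWLISTED_PLACEHOLDER", ETH // 2, 21_000, 508_000_000 * GWEI)

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE), ("abnormal", ABNORMAL)):
        print(name, allowlist_only(tx), tx.max_fee_wei / ETH, policy_violations(tx, HISTORY))
```

The abnormal sample passes the destination-only check while authorising a fee of 10,668 ETH, which is the gap the fee caps and the baseline comparison close.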
JeromeTash
June 15, 2020, 09:14:19 PM (Last edit: May 14, 2023, 04:23:26 PM by JeromeTash)  #2

I can't recall the thread but last year this very kind of abnormal transaction happened. There were so many theories but no one really knew what was the rationale behind the weird transaction fees.

More details on what happened last year: https://coinidol.com/ethereum-fees-charged/


Tweet: https://twitter.com/MatiGreenspan/status/1097929198004588544

Most people are pointing to money laundering or something like that.

stompix
June 15, 2020, 09:37:23 PM (Merited by NeuroticFish (1))  #3

Quote
The hackers started by using a phishing attack (where they fake a website or an email to try to gain credentials) to gain some kind of access to the exchange, according to the report. It worked, they had part of the permissions to send a transaction. But there was a problem.

The exchange had a multi-signature security setting. This means that multiple keys (like passwords) are required to send the money. So, it seemed like there was nothing they could do.


I also see a problem with this scenario as I seriously doubt that an exchange whose operators are stupid enough to fall for fake email phishing attacks is using multi-signatures.

Also, another problem:
Quote
Instead they figured they would send a small amount of Ethereum to one of the whitelisted addresses but tack on an excessively large transaction fee. While they weren’t getting any of the money, they were costing the exchange dearly. And that gave them room to demand a ransom.

So, rather than simply proving with a series of small $1 tx that they are in some kind of control, they decide to trash 2 million worth of coins, and then... demand a ransom. Man, it's like kidnapping somebody for a reward and burning their family house and assets to the ground and THEN asking for money! Good luck getting money after bankrupting them.
Besides, if they had done small transactions they could have defended themselves if ever caught with some sort of vulnerability reward testing; trashing two million to make a point is a lost cause from the start.

suchmoon
June 15, 2020, 09:52:07 PM  #4

I might be missing something here but why wouldn't the exchange move its funds somewhere else at the first sign of trouble? Or perhaps just shut down whatever shitty piece of code is sending those transactions because it doesn't look like the "hackers" have access to private keys... just to some database table maybe.
bbc.reporter (OP)
June 16, 2020, 12:15:24 AM  #5

Quote
The hackers started by using a phishing attack (where they fake a website or an email to try to gain credentials) to gain some kind of access to the exchange, according to the report. It worked, they had part of the permissions to send a transaction. But there was a problem.

The exchange had a multi-signature security setting. This means that multiple keys (like passwords) are required to send the money. So, it seemed like there was nothing they could do.


I also see a problem with this scenario as I seriously doubt that an exchange whose operators are stupid enough to fall for fake email phishing attacks is using multi-signatures.

Also, another problem:
Quote
Instead they figured they would send a small amount of Ethereum to one of the whitelisted addresses but tack on an excessively large transaction fee. While they weren’t getting any of the money, they were costing the exchange dearly. And that gave them room to demand a ransom.

So, rather than simply proving with a series of small $1 tx that they are in some kind of control, they decide to trash 2 million worth of coins, and then... demand a ransom. Man, it's like kidnapping somebody for a reward and burning their family house and assets to the ground and THEN asking for money! Good luck getting money after bankrupting them.
Besides, if they had done small transactions they could have defended themselves if ever caught with some sort of vulnerability reward testing; trashing two million to make a point is a lost cause from the start.


The hackers are assumed to be doing it because they do not have full access to the exchange and they do not have the time. The exchange might fix the security issues quickly.

NeuroticFish
June 16, 2020, 10:39:48 AM  #6

I think that the scenarios described on the other thread make more sense than what was described in OP.
I'll quote one such scenario, but the other thread is more than only this.

Doesn't look like this was an accident.

Looking through his transaction history he's used 60 gwei for every transaction, except this one.... That indicates the wallet was previously controlled by a smart contract or some automated service, but then this guy took over and manually cranked the gas price up to 500 million.

What's more likely is that he is working in cahoots with the mining pool to forcibly move money from one place to another, potentially converting illegitimate gains into legal proceeds (mining revenue). He'd then split the difference with the pool owner and get away with essentially laundering money.

This isn't the first time Sparkpool has received suspiciously high fee transactions before. And they often seem to agree to split it back with the sender.... Why would they do that when it's rightfully theirs to keep?


TL;DR: Laundering stolen/grey ETH makes more sense than the blackmail story.

gentlemand
June 16, 2020, 12:44:25 PM  #7

TL;DR: Laundering stolen/grey ETH makes more sense than the blackmail story.

You'd better have an absolute stranglehold over mining if you attempt this or some other pool will scoop it up instead. And if these coins are red hot then no sensible pool will hand it back either. None of it makes sense but money laundering via fees doesn't either.
estenity
June 17, 2020, 01:54:24 AM  #8

Pools' reactions to that are mixed:

https://twitter.com/DoveyWan/status/1272827245871034368
bbc.reporter (OP)
June 17, 2020, 02:17:01 AM  #9

TL;DR: Laundering stolen/grey ETH makes more sense than the blackmail story.

You'd better have an absolute stranglehold over mining if you attempt this or some other pool will scoop it up instead. And if these coins are red hot then no sensible pool will hand it back either. None of it makes sense but money laundering via fees doesn't either.

Agreed.

It also appears that mining pools can also freeze the fee payment and wait for someone to contact them if this was a mistake. The real sender never said anything, however. The coins have been distributed.



A mining pool has called time on the wait for an ether whale to reach out after making a transaction with an unusually high fee worth in the millions of dollars last week.

Bitfly, the company behind the Ethermine pool, announced Monday it had opted to distribute a total of 10,668 ETH (now worth just under $2.4 million) in transaction fee to miners that were active at the time the transaction went through last Thursday.


Source https://www.coindesk.com/mining-pool-distributes-fee-mysterious-ethereum-crypto-transaction

bbc.reporter (OP)
June 18, 2020, 03:54:02 AM  #10

News update.

The owner of the wallet that paid $5 million in transaction fees might be a ponzi scheme called Good Cycle. This might be the reason why they never tried to contact the mining pool hehehe.

Another wallet researcher has said that it might only be a bug, however.



Researchers at blockchain analytics platform PeckShield have found out who owns the Ethereum address that, for some reason, paid $5.2 million in fees to send just two transactions last week. They have identified the owner as a small, peer-to-peer crypto exchange in Korea, called Good Cycle, and suggest that it could be operating a Ponzi scheme.

“So the million-dollar txfees may actually be blackmail. The theory: hackers captured partial access to exchange key; they can't withdraw but can send no-effect txs with any gas price. So they threaten to "burn" all funds via tx fees unless compensated,” Ethereum co-founder Vitalik Buterin tweeted about the research.


Source https://decrypt.co/32604/heres-who-paid-5-2-million-in-ethereum-fees-last-week

hugeblack
June 18, 2020, 01:46:28 PM  #11

The owner of the wallet that paid $5 million in transaction fees might be a ponzi scheme called Good Cycle. This might be the reason why they never tried to contact the mining pool hehe.
I did not follow this story in more detail, but if this part is true, then I think it is difficult to believe that it is a mistake; rather, it is an attempt to make the money laundering process legal.

It is simple: communicate with any mining pool, direct all the mining hash power to make sure that they are going to discover the next block, get the tx reward, pay taxes and everything becomes legal.

They can also include tx after exploring the block without having to wait in mempool, so the process becomes legal and foolproof.
