
A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions - qzrt
https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/
======
glandium
> the bandit's account held 38,000 ether, worth more than $54 million at the
> time. In the year since then, Ethereum's value has plummeted, reducing the
> value of the blockchain bandit's haul by about 85 percent.

> "Don't you feel bad for him?" Bednarek asks with a laugh. "You have a thief
> here that amassed this fortune and then lost it all when the market
> crashed."

Well, 15% of $54M is still $8M.

~~~
ShamelessC
I don't know much about bitcoin, but how hard would it be to actually exchange
that money for US dollars?

~~~
jerguismi
Small amounts are somewhat easy to exchange, if you want to exchange millions
it gets much, much more difficult since you have to explain the source of
funds to the exchanges and banks involved. If you have hacked them they will
use blockchain analysis etc.

~~~
diffset
_they will use blockchain analysis_

Tumbling the coins would help with this, right?

~~~
swinglock
If you have to explain where it's from it may be more suspicious if it looks
like you took steps to hide the origin, calling for even more detailed proofs.

~~~
aeternus
Does any currently operating exchange actually care about the origin of coins?

~~~
ar4s
Most of them [exchanges] will have tagged stolen coins from known hacks so
when they are deposited the account is flagged/locked.

Tumblers/mixers are the most likely place to pick these up.

------
lgeorget
> Despite tracking those transfers, Bednarek has no real idea of who the
> blockchain bandit might be. "I wouldn’t be surprised if it’s a state actor,
> like North Korea, but that's all just speculation,"

Given how "easy" the attack actually is, I see no reason to suspect a state
actor. This is a genuine question: why don't people start by suspecting some
kind of criminal organizations like the mafia instead?

~~~
Arnt
Or more generally, why do so many people attribute particular competence to,
uh, state actors?

While he was at the NSA, Edward Snowden complained that it stores more
information on Americans than on Russians. He complained that that's illegal,
but there's another remarkable facet to it: How good is the NSA at collecting
information from Russia, then? I can hardly believe that the NSA _tries_ to
collect more data on Americans than on its actual mission, so how good is the
NSA at its mission?

There are many other examples, like the German service that's supposed to
monitor the nazis and missed a group that made and sold a DVD about its
killings.

It seems so strange to assume higher-than-average competence in organisations
like that.

~~~
notahacker
In general, it makes sense to assume that stuff which irrespective of
competence would require large amounts of resources, access to intercepts or
the ability to flagrantly breach local laws without anyone stepping in might
have state involvement, especially if there's an obvious motive for the state
to target that person/organization.

Not convinced that guessing private keys of anonymous randoms for a few
million in assets of limited fungibility falls into that category. I'm not
sure it's a question of _competence_ in this case so much as why would a state
be the ones tackling these accounts, when a lone criminal with relevant
knowledge of cryptography would have the ability and a lot more motivation to
do it?

~~~
eridius
Why would a criminal leave the coins to sit in the final wallet undisturbed?
The article said the wallet only had incoming transactions and never sent any
coins anywhere. Surely if you're a criminal organization stealing
cryptocurrency you'd want to actually use it.

~~~
notahacker
It's not necessarily the only wallet a criminal has access to, and most people
don't draw on their savings account all the time. Can't fathom why a
government would want to write algorithms that quietly steal tokens from
thousands of random individuals unfortunate enough to have particularly
crackable private keys and send them to a particular dormant account either.
It's not like there's a lack of other crypto-heist stories out there.

~~~
eridius
A government has a much more plausible reason to be willing to siphon off and
stockpile large amounts of cryptocurrency without using it, just in case they
ever do need to have a bunch of coins on hand for something.

------
andrewla
At one point a couple of years ago, for testing purposes, I created a brain
wallet (that is, a short phrase that when hashed would yield a key pair) in
Bitcoin testnet so that a group of people could each have access to them for
testing purposes. It was just a simple substitution -- a common enough word
with 3's and !'s mixed in. For testnet coins, which are worthless, it seemed
harmless enough.

It was "stolen" literally minutes after first depositing the coins at the
address; we assumed by someone running a monitoring daemon looking for a large
rainbow table of bitcoin addresses, and testing out their efforts on the
testnet. I wonder how many bitcoins they managed to extract once they put
their system into production.

~~~
im3w1l
Or they were a whitehat wanting your problems to be caught in testing.

~~~
13of40
If he screwed up their project without permission, that's not totally "white
hat".

~~~
andrewla
It was testnet, though, so worthless, and easily obtained (in small amounts)
from a testnet faucet (like [1], [2], or [3]). We considered continuing to
share, but in the end it was just easier for individual developers to obtain
their own and use them for testing rather than managing a central pool.

[1] [https://testnet-faucet.mempool.co/](https://testnet-faucet.mempool.co/)

[2] [https://bitcoinfaucet.uo1.net/](https://bitcoinfaucet.uo1.net/)

[3] [https://kuttler.eu/en/bitcoin/btc/faucet/](https://kuttler.eu/en/bitcoin/btc/faucet/)

~~~
duxup
Is testnet just for ... testing?

------
tlrobinson
To clarify the title: they’re guessing _insecure_ private keys, not keys
generated by normal (and not buggy) wallet software.

This isn’t surprising. “Brain wallets” have been discouraged for a long
time now. Unless you really know what you’re doing it’s easy to accidentally
pick an insecure phrase. Even a paragraph of text from, say, an obscure book
will probably eventually be found, if that book ever ends up digitized on the
Internet.

The safest way is to generate a truly random key, then map that to a wordlist
like BIP39 does.
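
An added example, not part of the comment above: the BIP39 entropy-to-word-index mapping, with the entropy drawn from the operating system's CSPRNG via Python's `secrets` module. The function names are illustrative, and the 2048-word English list is not embedded, so the caller supplies it to `indices_to_words`.

```python
import hashlib
import secrets

WORD_BITS = 11  # each BIP39 word encodes 11 bits (2048-word list)


def bip39_indices(entropy: bytes) -> list[int]:
    """Map raw entropy to BIP39 word indices (entropy || checksum, 11 bits each)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32  # checksum length is ENT/32 bits
    # Checksum = first cs_bits bits of SHA-256(entropy); cs_bits is at most 8.
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // WORD_BITS
    # Split most-significant-first into 11-bit groups.
    return [
        (combined >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF
        for i in range(n_words)
    ]


def new_mnemonic_indices(strength_bits: int = 256) -> list[int]:
    """Draw entropy from the OS CSPRNG; never derive it from a phrase or counter."""
    return bip39_indices(secrets.token_bytes(strength_bits // 8))


def indices_to_words(indices: list[int], wordlist: list[str]) -> list[str]:
    """Look the indices up in a caller-supplied 2048-word BIP39 list."""
    if len(wordlist) != 2048:
        raise ValueError("BIP39 word lists contain exactly 2048 words")
    return [wordlist[i] for i in indices]


if __name__ == "__main__":
    # Constructed input: all-zero entropy is a published BIP39 test vector and
    # is shown only to make the checksum visible; it is not a usable key.
    print(bip39_indices(bytes(16)))
    print(len(new_mnemonic_indices(256)), "words from 256 bits of entropy")
```

The words carry no security of their own: the mnemonic is exactly as strong as the entropy fed into it, which is why the random bytes come first and the wordlist second.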

------
rawoke083600
Can anyone read the article on mobile? Half the page is covered by a stupid
overlay telling me I got two articles left to read. If only I can read the
first one!

~~~
larkeith
Disable Javascript for wired, it removes everything but a small nav header.

~~~
akkartik
Can you even disable js on mobile?

~~~
larkeith
Yes (for both Chrome and Firefox), and it _massively_ improves browsing
experience, IMO. At least for Chrome you can even do site-specific exclusions.

~~~
akkartik
I see it now: [https://support.mozilla.org/en-US/questions/934492](https://support.mozilla.org/en-US/questions/934492)

I had no idea _about:config_ worked in the Android app as well.

------
caprese
People used to do this to bitcoin addresses all the time back in 2013, the
same servers are probably still running

I always thought about all the opportunities to do it on other blockchains,
but the challenge of picking which blockchain would be so taxing

Now that this season there are several high-value ones like Ethereum you can
easily choose

The concepts are the same for all of the chains

Also lol at state actor. Guessing a private key of “1”? Come on. People were
doing this with entire phrases from obscure songs and poems 6 years ago. No
brainwallet is safe. Deflecting is a great way to get away with hacking

------
sbhn
Probably used the technique described here,
[https://bitcoin.stackexchange.com/questions/25814/ecdsa-signature-and-the-z-value](https://bitcoin.stackexchange.com/questions/25814/ecdsa-signature-and-the-z-value)

~~~
thwd
It's much easier! Just call ethereum's `crypto.ToECDSA` [1] with a big-endian
encoded 256-bit unsigned integer of interest, e.g. 0x1 or 0x100, as described
in the article. Try the resulting private key.

[1] [https://godoc.org/github.com/ethereum/go-ethereum/crypto#ToECDSA](https://godoc.org/github.com/ethereum/go-ethereum/crypto#ToECDSA)

~~~
jakecraige
Y'all are talking about two different things.

Secret key recovery via nonce reuse (linked SO post) is different than simply
trying a range of integers which is mostly what these researchers did.

~~~
sbhn
There are many addresses created from integers under 1000000. This is nothing
special. There are also many addresses created from basic words converted to
sha256 and then used as the primary key hex. Eg, ‘Satoshi Nakamoto’.

------
rahilb
So this was a heist performed on a number guessing game by guessing numbers?
Poetry in motion.

------
nailer
Any idea why the keygen failed so badly? Debian's openssl patches generated
predictable private keys for a while but they wouldn't be a single digit. It's
Wired so I don't expect technical details but some info would be nice.

~~~
tyingq
The idea mentioned in the article of either unintentional or intentionally
badly coded wallets seems likely.

~~~
nailer
Yeah but I'd like to know how the unintentional mistake was made. Eg

- Debian OpenSSL was a Debian dev trying to prevent use of uninitialised
memory (because Valgrind complained), without realising that uninitialised
memory is used for randomness.

- Years ago a bunch of PHP stuff (I forget what) was seeded with the string
value of a randomness function, rather than its output.

What happened here?

~~~
cesarb
> without realising that uninitialised memory is used for randomness

It was more subtle than that: there were two identical calls, one of which
added uninitialized memory, while the other added real entropy. The developer
mistakenly removed both, thinking both were equally useless, instead of only
removing the one with undefined behavior. To make things worse, another call
added the current PID, so the results weren't identical every time. See more
detail at
[https://research.swtch.com/openssl](https://research.swtch.com/openssl)

------
JoblessWonder
This part was interesting: "Bednarek then tried putting a dollar into a new,
previously unused weak key address. It, too, was emptied in seconds, this time
transferred into an account that held just a few thousand dollars worth of
ether. But _Bednarek could see in the pending transactions on the Ethereum
blockchain that the more successful ether bandit had attempted to grab it as
well. Someone had beaten him to it by mere milliseconds._ " [emphasis mine]

It seems like there is an arms race of Blockchain Bandits leading to HFC-like
systems aiming to try out as many generic private keys as possible as quickly
as possible.

------
oarsinsync
High frequency crypto 'theft', amazing.

------
sbhn
There's a hundred private keys on this page [https://2coin.org/keys-btc.html](https://2coin.org/keys-btc.html)

------
lordnacho
I discovered this personally when writing some bitcoin code.

I got to a stage where I wanted to test my code all the way to the BTC
blockchain. I figured I'd stick in the randomizing seed later, and just make
sure I could talk to the blockchain. To my surprise, every time I made a
transaction I'd see another one on the explorer sites, emptying my new
address. I did it a couple of times thinking I'd coded something wrong or
something like that.

~~~
kirbypineapple
How did you generate your seed? Not trying to insult you, but the number of
people generating seeds online or using very poor seeds is mind boggling.

~~~
lordnacho
Just a crappy simple word. I thought I'd just make sure the whole process
worked first, then replace the string with something more sensible.

You'd think they'd put a minimum in there before grabbing the coins.

------
1024core
As the stream of transactions goes up, how difficult is it to keep up with
them to pull this kind of heist off? Actually, I don't even know how many
transactions/sec are happening in the Ethereum/Bitcoin world right now. Is
there some sort of a stream one can subscribe to, to see what transactions are
happening, and try to compromise them?

~~~
duskwuff
> As the stream of transactions goes up

It doesn't. Bitcoin is architecturally limited to ~7 transactions per second,
and typical rates are about half that.

~~~
1024core
At only 7tps, how could Bitcoin ever be used as cash?

~~~
duskwuff
It can't. At least, not without systems for off-chain transaction settlement,
like the Lightning Network -- which brings a bunch of new complexity and new
problems with it.

------
ElCapitanMarkla
I spent a few weeks last year running a server on the head of the ethereum
chain looking for any upcoming transactions with notes containing something
in a private key format. I was shocked at the number of notes which mapped to
real wallets

------
legohead
Hypothetical..

Ethereum is the world currency. Everyone is using it. Criminals and script
kiddies are running scripts that guess completely random private keys.
Occasionally they make hits and steal people's wealth.

What's the next step in securing your wallet? Making sure your wealth is
stored across a million wallets?

~~~
legionof7
These occasional hits are basically mathematically impossible. It wouldn't
make sense for anyone to run a script to do this.

If you were really concerned, you could make a multisig wallet.

~~~
thinkmassive
That’s proved a little more perilous with Ethereum compared to Bitcoin, heh

[https://github.com/ethereum/EIPs/blob/master/EIPS/eip-999.md](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-999.md)

------
ttoinou
He's not a bandit nor a thief. This is how crypto-property works : if you have
knowledge of the keys, it's yours.

~~~
chrismeller
Same with anything really. If you know my password everything in my bank
account is yours too. A private key is simply a very complex password.

Unfortunately crypto’s greatest strength (that it’s akin to cash) is also its
greatest weakness. There’s no way to set up 2FA like I can with my bank and
there’s no fraud protection, etc.

Edit: doesn’t mean he’s not a thief, btw.

~~~
simonw
"If you know my password everything in my bank account is yours too."

That's not true. Bank transactions are reversible. The legal system has your
back.

[https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-my-money-back-after-i-discovered-an-unauthorized-transaction-or-money-missing-from-my-bank-account-en-1017/](https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-my-money-back-after-i-discovered-an-unauthorized-transaction-or-money-missing-from-my-bank-account-en-1017/)

~~~
chrismeller
And... I addressed that?

------
foobartsimposon
Yawn, just another case of poor password selection.

------
waste_monk
I built a house with no walls, and then someone stole my TV!

~~~
ramblerman
This analogy falls completely flat. It is more like you live in the most
secure fortress but set your door code to 1234.

~~~
arcticbull
But also because crypto is totally unregulated -- and by the rules of the
game, if you have the keys, you have the coins -- you have zero recourse. Not
that it could be reversed anyways. In both these real-world cases, you've got
the police.

~~~
patrickaljord
> But also because crypto is totally unregulated -- and by the rules of the
> game, if you have the keys, you have the coins

Nothing could stop you from opening a business that would offer insurance in
case of key theft. Most banks offer around $100k (depends on the country) in
case they go bankrupt or are robbed which is very little if you have lifetime
savings in them that are way more than $100k. Big banks have an advantage
though in that if they ever go bankrupt they tend to be bailed out by the
government which is hard to replicate as a business (you still end up paying
for it through inflation so you don't technically get your money back when
your bank goes bankrupt as the total value of your money goes down).

~~~
Ensorceled
> Nothing could stop you from opening a business that would offer insurance in
> case of key theft.

There is no way to prove a key was stolen and no way to prove the theft was
not a fraud. Insurance is backed up with jail time for insurance fraud and is
STILL rife with fraud (especially automotive insurance).

Blockchain theft insurance is not a business that would survive long.

~~~
couchand
One aspect that would be interesting is: I would expect that after an
insurance payout the stolen coin would be legally the property of the
insurance company. The stolen coin would accumulate on the books of the
insurance company, which could then pay a premium to a recovery agency to get
it back.

Of course the anonymity factor would make it all difficult, but on the other
hand you can't ever truly abscond with the cash. If they could trace the
movement through the ledger to a legitimate business entity that respects the
same country's laws, they might be partially recoverable.

At a small scale it would be a waste of time, but on a large enough scale it
might work.

