It’s been an expensive week for users of the Ethereum blockchain. In the last two days one user managed to spend $5.2 million in fees to make just two transactions—and one of them was only for $130! And now, a third transaction has taken place by another user, albeit for a fee of just $500,000, which seems small in comparison.
And these absurd transactions are prompting far-fetched theories.
“The 3rd abnormal tx on ethereum with over 2000 ETH fee went [through]. Someone believes it could be a hacker's blackmail to some exchange,” tweeted NEO co-founder Da Hongfei.
“A [wild] guess [is] certain exchange/wallet/ETH services is being “kidnapped” by hacker,” speculated Primitive Crypto founding partner Dovey Wan.
But, according to China-based blockchain analytics company PeckShield, reported by Chainews, these theories aren’t so wild after all. PeckShield’s analysis explains that the million-dollar snafus were probably “gas price ransomware attacks.”
Analysis done by PeckShield on the recent two major ETH transfers. This may be a GasPrice ransomware attack launched by hackers targeting the exchange. @thomasheller_ @celiawan2 @bitentrepreneur @sallywang666 @tzhen https://t.co/ve16ImVQsl
— Minion@TokenInsight (@minionabct) June 12, 2020
In short, the researchers claim that the hackers have gained access to an exchange’s funds. They are able to send money to certain whitelisted accounts that are marked as reliable in the exchange’s database to—but not to their own. So, they are sending the funds with excessively high transaction fees to sap the exchange’s accounts, and they’re demanding a ransom if it’s going to stop.
The research is aimed at the first two transactions, that spent $5.2 million in total on fees, but it may apply to the third one too. (Since publishing the article, it appears that the third transaction may have been unrelated and caused by a separate direct hack on another exchange).
Hackers blackmail the exchange
The hackers started by using a phishing attack (where they fake a website or an email to try to gain credentials) to gain some kind of access to the exchange, according to the report. It worked, they had part of the permissions to send a transaction. But there was a problem.
The exchange had a multi-signature security setting. This means that multiple keys (like passwords) are required to send the money. So, it seemed like there was nothing they could do.
But then they realised they could circumvent this multi-signature security with a trick: they could send to whitelisted address, because these addresses only require a single authorization to send a transaction.
Only the hackers were unable to send the money to their own accounts in this way. Instead they figured they would send a small amount of Ethereum to one of the whitelisted addresses but tack on an excessively large transaction fee. While they weren’t getting any of the money, they were costing the exchange dearly. And that gave them room to demand a ransom.
And that’s the whole gambit: the hackers will keep sending ETH from this exchange until its operators cave to their demands, PeckShield’s analysis claims.
Decrypt could not immediately reach PeckShield for comment, nor could it verify which exchange (which is undisclosed in PeckShield’s report) has been affected.
This article has been updated with a comment on the third transaction.