In brief

  • ZenGo research refutes the theory that a recent spate of million-dollar Ethereum transaction fees were the result of blackmail.
  • Less than a ransom, the fees were snafus in the automated scripts the entity used to send transactions, the researcher claims.
  • A scenario that posits hackers to blame is "improbable," ZenGo research said.

Did a group of hackers really breach a cryptocurrency exchange’s hot wallets only to burn millions of dollars of Ethereum as ransom? If that scheme sounds far fetched, well, that’s because it just might be, according to analysis by the ZenGo cryptocurrency wallet.

According to a blog post authored by ZenGo researcher Alex Manuskin, a spate of transactions that included millions of dollars in Ethereum fees were not an attack at all but a bug, as many initially suspected


The blackmail theory put forth recently by China-based blockchain analytics firm PeckShield made the case that these fees were orchestrated via a complex “gas price ransomware attack.” The researchers claimed that the hackers gained access to an unnamed crypto exchange’s key management system for its wallets, but the hackers could only spend the wallet balances on transfers to so-called whitelisted addresses that only require a single authorization when sending a transaction to them.

The idea here is that the attackers will keep sending exorbitant fees in these transactions as a type of blackmailing technique; they don’t control the wallets they’re sending to, but it doesn’t matter because they’ll just keep sending Ethereum unless their demands are met.

This scenario is “improbable,” according to Manuskin, not least because whoever owned the funds did nothing to halt the series of outflows. If this were a blackmail attempt, then we can assume that the victims tried to do everything they could to stop it and retrieve their funds, but for whatever reason were unable to do so, the researcher argued.

“For this to happen, the process controlling the address could not be operated from the victim’s environment, because if this were the case, they could have just shut it down, even if it meant shutting down all operations,” Manuskin wrote.

The address sending the transactions was not a smart contract either, so it could not function without someone controlling it with the private key. So if the attacker took control of these keys outside of the victim’s environment, then they would have had full control over funds and not have to burn ETH as ransom bait in the first place.


Manuskin also pointed out that the two mining pools that received the transaction fees said they would return the funds to the owners if they stepped forwardbut so far, none have.

All of this evidence paints a dubious picture for the blackmail theory, Manuskin argued in the post. “Our assumption is that the transactions result from some sort of bug in an automated script that operates this account,” he wrote.

What’s more, we shouldn’t be surprised if this happens again, according to Manuskin: “The most important conclusion we can draw is that due to the automated characteristics of these transactions, the sender’s large remaining balance, and the continued operation of the sender, we may see a third transaction with $2.5M fees.”

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.