In brief

  • OKEx explains how the recent 51% attack on Ethereum Classic was used to steal $5.6 million in crypto.
  • The hacker allegedly confused the community into switching from ETC mainnet to a "shadow chain."
  • The alternative transaction history was modified to redirect over 800,000 ETC from OKEx to the hacker's addresses.

Crypto exchange OKEx published a new report on Saturday, detailing how the perpetrator of the recent 51% attacks on Ethereum Classic (ETC) managed to steal $5.6 million of cryptocurrency using its platform.

As Decrypt reported, Ethereum Classic’s blockchain was recently hit by two consecutive 51% attacks on August 1 and August 6. Gaining control over 51% or more of the network’s hash power, the hacker—or a group—snatched around $5.6 million worth of cryptocurrencies during the first strike. Here’s how it went down.

Preparing for the attack

According to OKEx, the hacker began preparing for the attacks as far back as June 26, creating five phony accounts on the platform. Notably, all of them also passed the second and third levels of know-your-customer (KYC) procedures and got their withdrawal limits increased.

Starting on July 30, these accounts deposited around 68,230 ZEC privacy coins on OKEx combined. Simultaneously, the hacker had been building a “shadow chain” of the ETC blockchain—an alternative record of transaction history hidden from other miners.

On July 31, the attacker’s accounts traded all of their ZEC for ETC, receiving a total of 807,260 coins that were worth around $5.6 million at the time. ETC were then transferred to the hacker’s external addresses.

The hacker starts the attack

Later that day, the hacker launched a 51% attack on Ethereum Classic, initiating his shadow chain. At this point, both the legit and malicious transaction histories contained the records of 807,260 ETC being transferred from OKEx to the hacker’s external addresses.

During the attack, the hacker sent all of the previously received Ethereum Classic coins back to OKEx and traded them for around 78,900 ZEC, which he immediately withdrew.

Because over 51% of the blockchain’s hash power was under the hacker’s control at this point, he was able to mine new blocks faster than other nodes, making the shadow chain longer than the original ETC history. Combined with inefficient communication between exchanges, wallets and miners, this confused the Ethereum community and prompted nodes to start mining the malicious shadow chain from now on.

However, the hacker had manipulated his version of the transaction history—which now became the main one. In it, the 807,260 ETC were recorded as being sent not to OKEx, but to the attacker’s other addresses, making it so that the coins were never sent back to the exchange.

The Ethereum Classic logo. Image: Shutterstock.

This way, the hacker had convinced OKEx that it had deposited funds—before making it so that the funds were never deposited in the first place. This is how OKEx lost its money.

OKEx blacklisted the addresses that were allegedly used by the hacker and suspended his five accounts. In the future, the platform also plans to increase confirmation times for ETC deposits and withdrawals. And, if the network can’t become more secure, the exchange might even delist it altogether.