Last summer, Adrian Bednarek was mulling over ways to steal the cryptocurrency Ethereum. He's a security consultant; at the time, he was working for a client in the theft-plagued cryptocurrency industry. Bednarek had been drawn to Ethereum, in particular, because of its notorious complexity and the potential security vulnerabilities those moving parts might create. But he started instead with the simplest of questions: What if an Ethereum owner stored their digital money with a private key—the unguessable, 78-digit string of numbers that protects the currency stashed at a certain address—that had a value of 1?
To Bednarek's surprise, he found that dead-simple key had in fact once held currency, according to the blockchain that records all Ethereum transactions. But the cash had already been taken out of the Ethereum wallet that used it—almost certainly by a thief who had thought to guess a private key of 1 long before Bednarek had. After all, as with Bitcoin and other cryptocurrencies, if anyone knows an Ethereum private key, they can use it to derive the associated public address that the key unlocks. The private key then allows them to transfer the money at that address as though they were its rightful owner.
That initial discovery piqued Bednarek's curiosity. So he tried a few more consecutive keys: 2, 3, 4, and then a couple dozen more, all of which had been similarly emptied. So he and his colleagues at the security consultancy Independent Security Evaluators wrote some code, fired up some cloud servers, and tried a few dozen billion more.
In the process, and as detailed in a paper they published Tuesday, the researchers not only found that cryptocurrency users have in the last few years stored their crypto treasure with hundreds of easily guessable private keys, but also uncovered what they call a "blockchain bandit." A single Ethereum account seems to have siphoned off a fortune of 45,000 ether—worth at one point more than $50 million—using those same key-guessing tricks.
"He was doing the same things we were doing, but he went above and beyond," Bednarek says. "Whoever this guy or these guys are, they're spending a lot of computing time sniffing for new wallets, watching every transaction, and seeing if they have the key to them."
Combing a Gazillion Beaches
To explain how that blockchain banditry works, it helps to understand that the the odds of guessing a randomly generated Ethereum private key is 1 in 115 quattuorvigintillion. (Or, as a fraction: 1/2256.) That denominator is very roughly around the number of atoms in the universe. Bednarek compares the task of identifying a random Ethereum key to choosing a grain of sand on a beach, and later asking a friend to find that same grain among a "billion gazillion" beaches.
But as he looked at the Ethereum blockchain, Bednarek could see evidence that some people had stored ether at vastly simpler, more easily guessable keys. The mistake was probably the result, he says, of Ethereum wallets that cut off keys at just a fraction of their intended length due to coding errors, or let inexperienced users choose their own keys, or even that included malicious code, corrupting the randomization process to make keys easy to guess for the wallet's developer.
Bednarek and his ISE colleagues eventually scanned 34 billion blockchain addresses for those sorts of weak keys. They called the process ethercombing, like beachcombing but for more guessable grains of sand among Ethereum's vast entropy. They ultimately found 732 guessable keys that at one point held ether but had since been emptied. Though some of those transfers were no doubt legitimate, Bednarek guesses that 732 is still only a small fraction of the total number of weak keys from which ether has been stolen since the currency launched in 2015.
Amidst those emptied addresses, meanwhile, Bednarek was intrigued to see 12 that seemed to have been emptied by the same bandit. They had been transferred into an account that now held a remarkable horde of 45,000 ether. At today's exchange rates, that's worth $7.7 million.
Ether Comb, Ether Go
Bednarek tried putting a dollar's worth of ether into a weak key address that the thief had previously emptied. Within seconds, it was snatched up and transferred to the bandit's account. Bednarek then tried putting a dollar into a new, previously unused weak key address. It, too, was emptied in seconds, this time transferred into an account that held just a few thousand dollars worth of ether. But Bednarek could see in the pending transactions on the Ethereum blockchain that the more successful ether bandit had attempted to grab it as well. Someone had beaten him to it by mere milliseconds. The thieves seemed to have a vast, pre-generated list of keys, and were scanning them with inhuman, automated speed.
In fact, when the researchers looked at the history of the blockchain bandit's account on the Ethereum ledger, it had pulled in ether from thousands of addresses over the last three years without ever moving any out—money movements Bednarek believes were likely automated ethercombing thefts. At the peak of Ethereum's exchange rate in January 2018, the bandit's account held 38,000 ether, worth more than $54 million at the time. In the year since then, Ethereum's value has plummeted, reducing the value of the blockchain bandit's haul by about 85 percent.
"Don't you feel bad for him?" Bednarek asks with a laugh. "You have a thief here that amassed this fortune and then lost it all when the market crashed."
Despite tracking those transfers, Bednarek has no real idea of who the blockchain bandit might be. "I wouldn’t be surprised if it’s a state actor, like North Korea, but that's all just speculation," he says, referencing the North Korean government's targeting of cryptocurrency exchanges and other victims to steal more than half a billion dollars worth of cryptocurrency in recent years.
Weak in the Keys
Bednarek also can't identify the faulty or corrupted wallets that produced the weak keys. Instead, he can only see the evidence of the weak keys' creation and the resulting thefts. "We can see people getting robbed, but we can’t say which wallets are responsible," he says. For the blockchain bandit in particular, it's not clear if simple weak key thefts comprise the majority of their stolen wealth. The bandit could have deployed other tricks, such as guessing the pass-phrases for "brain wallets"—addresses that are secured with memorizable words, which are more easily brute-forced than fully random keys. One team of security researchers found evidence in 2017 of 2,846 bitcoins stolen with brain-wallet thefts, worth more than $17 million at current exchange rates. One single Ethereum brain-wallet theft in late 2015 made off with 40,000 ether, nearly as big a haul as the blockchain bandit's.
ISE hasn't yet managed to replicate its experiment on the original Bitcoin blockchain. But Bednarek did perform some spot checks of about 100 weak Bitcoin keys and found that the contents of the corresponding wallets had all been stolen, too, though none had been taken by an obvious big fish like the Ethereum bandit they'd identified—perhaps evidence of fiercer, more distributed competition among thieves targeting Bitcoin compared with Ethereum.
Bednarek argues the lesson of ISE's ethercombing is, for wallet developers, to audit their code carefully to find any bug that might truncate keys and leave them vulnerable. And users should take care with what wallet they choose. "You can’t call the help desk and ask them to reverse a transaction. When it's gone, it’s gone forever," Bednarek says. "People should use trusted wallets and download them from a trusted source." Ethereum exchange rate fluctuations aside, the blockchain bandit doesn't need any more donations.