Over $20m of ETH Stolen After Hackers Exploit Insecure Ethereum Clients

Avi Rosten

Security researchers at Chinese cyber-security company Qihoo’s 360 netlab have noticed what appears to be a massive theft of Ether - worth over $20m at the time of writing.

As reported by The Hacker News, researchers from the lab pointed out in March a very small theft of just under 4 ETH by a group of cybercriminals who were scanning the internet for insecure Ethereum nodes running the Geth client.

Yesterday, however, 360 netlab tweeted that a far more substantial theft seems to have taken place - with the criminals responsible exploiting the same flaw to steal 38,642 ETH - worth $20,480,000 according to CryptoCompare.

Geth is a client for running an Ethereum node on the network - similar to the way in which an internet browser such as Chrome gives you access to the internet.

Victims of the theft were those who had insecurely enabled an interface called JSON-RPC on Geth - an interface that lets users access the Ethereum blockchain remotely and send transactions from any account that was unlocked beforehand.

The vulnerability, however, was highlighted nearly three years ago by the Ethereum project itself:

“It’s come to our attention that some individuals have been bypassing the built-in security that has been placed on the JSON-RPC interface. The RPC interface allows you to send transactions from any account which has been unlocked prior to sending a transaction and will stay unlocked for the entirety of the session. By default, RPC is disabled, and by enabling it it is only accessible from the same host on which your Ethereum client is running. By opening the RPC to be accessed by anyone on the internet and not including firewall rules, you open up your wallet to theft by anybody who knows your address in combination with your IP.”

Ethereum Blog

As Netlab 360 reported in March, those exploiting the flaw were searching the internet for users who (presumably unaware of the warning) had left their JSON-RPC port 8545 open to anyone on the internet.
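An added example, not from the article or from Netlab: a Python audit of a Geth command line that flags the combination the quoted warning describes (RPC enabled, bound to an address other than loopback, with accounts unlocked). The flag names and defaults are those of 2018-era Geth and are assumptions here; the command lines in the test are constructed.

```python
import ipaddress
from typing import Dict, List

# Assumed 2018-era geth defaults: JSON-RPC is off unless --rpc is given and,
# when on, binds to localhost:8545 exposing the eth, net and web3 namespaces.
DEFAULTS = {"rpcaddr": "localhost", "rpcport": "8545", "rpcapi": "eth,net,web3"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}

def parse_geth_args(argv: List[str]) -> Dict[str, str]:
    """Map '--flag value' and '--flag=value' to flag -> value; bare flags map to ''."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
                opts[key] = val
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                opts[tok[2:]] = argv[i + 1]
                i += 1
            else:
                opts[tok[2:]] = ""
        i += 1
    return opts

def is_loopback(addr: str) -> bool:
    """True when the bind address keeps the RPC listener on the local host only."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unresolvable hostname: assume it is not loopback

def audit_geth_args(argv: List[str]) -> List[str]:
    """Findings matching the exposure the Ethereum blog warning describes."""
    opts = parse_geth_args(argv)
    if "rpc" not in opts:
        return []  # RPC disabled: nothing listens on 8545 at all
    addr, port = opts.get("rpcaddr", DEFAULTS["rpcaddr"]), opts.get("rpcport", DEFAULTS["rpcport"])
    if is_loopback(addr):
        return []  # only processes on the same host can reach the interface
    findings = [f"JSON-RPC bound to {addr}:{port}, reachable from other hosts"]
    if "unlock" in opts:
        findings.append("--unlock given: unlocked accounts can be spent via eth_sendTransaction")
    if "personal" in opts.get("rpcapi", DEFAULTS["rpcapi"]).split(","):
        findings.append("personal namespace exposed over the network")
    return findings
```

A node that passes this check can still be exposed by a port forward or a missing firewall rule in front of it, which is the second condition the warning names.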

HackerNews also reported that by searching the internet for the attackers’ Ethereum address, they had found multiple reports of attacks against ETH nodes that were left vulnerable in this way.

With Netlab advising users that there are others actively scanning for insecurely configured nodes, this latest attack again underscores the problems arising when some users are unaware of a network’s proper security procedures.