Security researchers at Chinese cyber-security company Qihoo’s 360 netlab have noticed what appears to be a massive theft of Ether – worth over $20m at the time of writing.
As reported in thehackernews, researchers from the lab in March pointed out a very small theft of just under 4 ETH by a group of cybercriminals who were scanning the internet to find insecure Ethereum nodes running the Geth client.
Someone tries to make quick money by scanning port 8545, looking for geth clients and stealing their cryptocurrency, good thing geth by default only listens on local 8545 port. So far it has only got 3.96234 Ether on its account, but hey it is free money! pic.twitter.com/YVSWlMtYGa
— 360 Netlab (@360Netlab) March 15, 2018
Yesterday, however, 360 netlab tweeted that a far more substantial theft seems to have taken place – with the criminals responsible exploiting the same flaw to steal 38,642 ETH – worth $20,480,000 according to CryptoCompare.
Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address https://t.co/t4qB17r97J $20,526,348.76, yes, you read it right, more then 20 Million US dollars https://t.co/SXHrdTcb6e
— 360 Netlab (@360Netlab) June 11, 2018
Geth is a client for running an Ethereum node on the network – similar to the way in which an internet browser such as Chrome gives you access to the internet.
Victims of the theft were those that insecurely enabled an interface called JSON-RPC on Geth – an interface which allows users to remotely access the Ethereum blockchain, and send transactions from any account which has been unlocked before sending a transaction.
The security vulnerability, however – was highlighted nearly three years ago by the Ethereum project themselves:
“It’s come to our attention that some individuals have been bypassing the built-in security that has been placed on the JSON-RPC interface. The RPC interface allows you to send transactions from any account which has been unlocked prior to sending a transaction and will stay unlocked for the entirety of the the session.
By default, RPC is disabled, and by enabling it it is only accessible from the same host on which your Ethereum client is running. By opening the RPC to be accessed by anyone on the internet and not including a firewall rules, you open up your wallet to theft by anybody who knows your address in combination with your IP.”
As Netlab 360 reported in March, those exploiting the flaw were searching the internet for users who (presumably unaware of the warning) had left their JSON-RPC port 8545 open to anyone on the internet.
HackerNews also reported that by searching the internet for the attackers’ Ethereum address, they had found multiple reports of attacks against ETH nodes that were left vulnerable in this way.
With Netlab advising users that there are others actively scanning for insecurely configured nodes, this latest attack again underscores the problems arising when some users are unaware of a network’s proper security procedures.