One of the rarest attack of the internet backbone has led to a theft by malicious actors that have stolen around $20 million worth of eth, with some of it from MyEtherWallet’s online front-end.
For how long this attack has been going on exactly is unclear at this stage, but in the case of MyEtherWallet (MEW) the attack lasted for two hours between 11am and 1pm UTC on the 24th of April when visitors received this warning:
The technical term for the attack that happened in this case is a BGP Hijack. We’ll greatly simplify here by explaining that the way the internet works is by computers basically “talking” to each other, but instead of doing so directly, it’s a hub and spokes system, so they “talk” to the ISP first, with ISPs being sort of a big computer.
BGP is a protocol that only ISPs use to “talk” between each other. The purpose of this specific “chat” is not to transfer data, but to decide what’s the best, fastest, most efficient way to transfer data. So ISPs tell each other that it is fastest to send it to this IP or that IP. Here, the attacker, which itself is an ISP, basically lies and says send it to “my hacking IP.”
Obviously other ISPs don’t know he is an attacker. They all trust each other, so then you get a legitimate website like MyEtherWallet.com going to the attackers’ IP address. On the surface, all can look fine, but in this case they did not get a valid certificate for some reason, which arguably they could have done.
The only way this attack could have happened is by a rogue element within an ISP. That could be a rogue employee, a hacker, or in some cases state complicity itself.
The ISP in this case was apparently eNet according to The Register. In some fine reporting of what happened, they say:
“In short, eNet was commandeered by miscreants to persuade its peers – potentially Hurricane Electric, Level 3, and others – to reroute the internet’s traffic from some Route 53 DNS servers to a malicious DNS server that then misdirected visitors to MyEtherWallet.com to a phishing website, all to steal approximately $150,000 in Ethereum.”
Initially this was mistakenly reported as being a problem with Google DNS because Route 53 is of Amazon, but even Amazon is not really to blame as this was an attack in the underlying infrastructure itself and if The Register is correct, an attack somewhere at eNet.
Although these attacks are rare as you need ISP access, thus are difficult to perform, they have happened in the past.
“Researchers documented 51 compromised networks from 19 different Internet service providers (ISPs). The hijacker redirected cryptocurrency miners’ connections to a hijacker-controlled mining pool and collected the miners’ profit, earning an estimated $83,000 [worth of bitcoin] in slightly more than four months.”
In that case “all malicious BGP announcements were traced to a single router at an ISP in Canada.” While in the MEW case, eNet is Ohio based. However, that does not necessarily mean it was an American who carried this attack. Kevin Beaumont, a British infosec researcher, says:
“This traffic was redirected to a server hosted in Russia, which served the website using a fake certificate.”
Again, that doesn’t necessarily mean it was a Russian, but it does mean that the relevant authorities to investigate this are FBI and KGB, or whatever is their cyber-unit equivalent, in order to question eNet and the Russian server owners accordingly.
Not least because it does appear going through all this just to steal $150,000 from MEW does sound far-fetched. That’s because considering the amount of eth flowing through the hacker’s address, one can easily suspect the hijacking of the internet backbone itself might have gone on for a lot longer. Perhaps around 70 days as that’s when they receive the first “deposit.”
One reasonable hypothesis might be that something went wrong in the MEW case, as presumably the hackers are not so stupid as to make it so obvious they are stealing when they could have presumably easily gotten a certificate.
Perhaps they forgot, that’s how these criminals get caught, they always slip somewhere, but we do not know what exactly happened.
However, considering how much has been stolen, both authorities do owe it to the taxpaying public and to this space to find the perpetrators.
And we are aware in the current climate the involvement of a Russian server might raise suspicions of state involvement, but we can not honestly hold such suspicion because it does seem quite petty for the Russian billionaires to be bothered with $20 million.
The Russian server could easily be a misdirection, just as the MEW focus could be a misdirection. We simply have far too little information at this stage to know who is ultimately to blame, but Putin should show goodwill to this space and open an investigation, just as should the American authorities.
However, it should have never gotten there to begin with and MEW itself is not without blame. We do give leeway, of course, for just how difficult this sort of attack is to prevent, but MEW itself says: “this redirecting of DNS servers is a decade-old hacking technique.”
Decade-old means known and known should mean mitigation and extra pre-caution to the point of paranoid when you are in the business of facilitating crypto access and/or storage.
MEW does provide an offline version and, of course, the online version should not really be used because a private key that interacts with the internet in any way means it’s a hot wallet, and hot wallet means it will be hacked sooner or later. Still, Nick Johnson of the Ethereum Name Service (ENS) says:
HSTS forces servers to tell websites they can only interact with https connections. This can potentially prevent cookie hijackings.
While DNSSEC is sort of like a certificate for Domain Name Services (DNS). That kind of gives them a private key of sorts with which they can sign to prove they have the key.
DNS-SEC could have potentially prevented this hijack and might now become a lot more relevant, especially for crypto handling companies.
The internet itself is an open space, so it can not easily be fully secure, if that’s possible at all. It therefore does necessarily bear part of the blame, but MEW was somewhat slow to react.
It was left to the MyCrypto team to do the “public support” bit during or shortly after the attack. Understandably MEW would have been busy with the matter at hand, but presumably some customer support guy would have been free to provide some crucial initial public advice and information to limit or mitigate the attack.
That raises the question of whether, and we might perhaps be a bit harsh here, but it does raise the question of whether it is really legitimate for them to have the MEW brand name.
That brand name of course implies certain things, security being one of them based on the past experience of running without problems. Those things it implies arose during the time when it was run by what is now largely the MyCrypto team.
Only 1 person of the original MEW team remained with MEW, while 19 others, effectively almost all, left to MyCrypto.
Yet despite the team leaving, the MEW brand impression remained pretty much intact. Something which now in hindsight might be considered a mistake because it isn’t the same MEW.
That doesn’t leave MyCrypto without blame for effectively building the MEW brand, leaving it in the hands of one guy, and then sort of starting from scratch with a different brand.
Nor does it leave “social media” without blame for instantly jumping to conclusions and then parroting every chance they get that only MEW is somehow legitimate when their entire team left.
We are implying nothing, but, there is a big problem with social media manipulation, whether such manipulation is intentional or mistaken, and unfortunately sometime that can lead to even losses.
This space therefore needs to mature a bit, especially when it comes to crypto custodians or access providers. That of course includes exchanges, because some of the stolen eth has been sent to Binance and Bittrex.
Just recently Japan warned Binance regarding their failure to require AML/KYC compliance. That failure can mean even known thieves are able to easily move their funds, although we do suspect that in this specific case all exchanges will now take the required action in regards to the stolen $20 million eth address.
There are thus many parties to blame with of course the perpetrator himself having the ultimate blame, but those who clicked ignore when visiting MEW during the attack, despite the very clear browser warning that can’t sound any more scary, do need to bear their share of responsibility.
The authorities, too, have previously neglected properly investigating these sort of hacks which can be considered as a failure to perform their duty not least because judging by just how robocop police officers now look they most probably have the resources to genuinely investigate.
The internet infrastructure itself does need to become more secure, and that includes education of both webdevs and the general public.
MEW should seriously consider whether their new team is up to the very difficult and unforgiving crypto-access task because that’s not something anyone can just do.
MyCrypto does need to explain why they left so as to be trusted to not pack their bags and leave again, which might mean they need some “adult” in the organizational side.
Social media does need to take more action in clear manipulation cases (multiple accounts, bots, impersonation) rather than being distracted in gray political lines.
And finally everyone does need to be more careful before forming opinions or jumping to conclusions, and yes that does include us here at trustnodes.