When it comes to private keys, they’re often considered safer than passwords. Their complicated structure makes them less prone to brute force and other guesswork based attacks, but what if we tell you that one hacker managed to break this notion for stealing cryptocurrencies worth thousands of dollars?
That’s right. What seems impossible and a herculean task has actually been performed very well by a blockchain bandit. A sophisticated hacker has recently been discovered by senior security analyst Adrian Bednarek, and according to him, this hacker has so far guessed as many as 732 weak private keys to steal as much as 45,000 ether tokens. The value of these tokens as per current market price is $7.8 million, but at the peak of Ethereum’s price it might have been around $50 million.
This would certainly have required extensive research on the part of that hacker, and it seems that he invested his time and efforts into that research for uncovering some potential loopholes in the key generation algorithms. And now he is reaping the rewards. The hacker was discovered after he stole from 12 keys that were also accessible to Adrian Bednarek. According to his report:
“There was a guy who had an address who was going around and siphoning money from some of the keys we had access to. We found 735 private keys, he happened to take money from 12 of those keys we also had access to. It’s statistically improbable he would guess those keys by chance, so he was probably doing the same thing […] he was basically stealing funds as soon as they came into people’s wallets.”
Adrian’s report also notes that the hacker has not relied on Brute forcing to discover those keys. Instead, he has relied on a combination of faulty code and faulty random number generators. Another theory around how can it be possible is that users who get their keys from passphrases might have used weak and common passphrases, or no passphrase at all in some worst case scenarios.
Now, although the identity of this great sophisticated hacker is not known yet, Bednarek suggests that it may be a state actor (i.e. North Korea). Last month a UNSC report had also claimed that North Korea might have amassed more than $670 million in stolen fiat and cryptocurrencies through hacking attacks to bypass the economic sanctions.