A 'BLOCKCHAIN BANDIT' IS GUESSING PRIVATE KEYS AND SCORING MILLIONS

Image of A 'BLOCKCHAIN BANDIT' IS GUESSING PRIVATE KEYS AND SCORING MILLIONS
1


Bednarek was mulling over ways to steal the cryptocurrency Ethereum. He's a security consultant; at the time, he was working for a client in the theft-plagued cryptocurrency industry. Bednarek had been drawn to Ethereum in particular because of its notorious complexity, and the potential security vulnerabilities those moving parts might create. But he started instead with the simplest of questions: What if an Ethereum owner stored their digital money with a private key—the unguessable, 78-digit string of numbers that protects the currency stashed at a certain address—that had a value of 1?



To Bednarek's surprise, he found that dead-simple key had in fact once held currency, according to the blockchain that records all Ethereum transactions. But the cash had already been taken out of the Ethereum wallet that used it—almost certainly by a thief who had thought to guess a private key of 1 long before Bednarek had. After all, as with Bitcoin and other cryptocurrencies, if anyone knows an Ethereum private key, they can use it to derive the associated public address that the key unlocks. The private key then allows them to transfer the money at that address as though they were its rightful owner.



That initial discovery piqued Bednarek's curiosity. So he tried a few more consecutive keys: 2, 3, 4, and then a couple dozen more, all of which had been similarly emptied. So he and his colleagues at the security consultancy Independent Security Evaluators wrote some code, fired up some cloud servers, and tried a few dozen billion more.

Posted by topo 115 days ago in Computer  |  wired.com
 

Who Voted

topo  

Leave a comment