Beware of the Blockchain Bandit

What are the odds of guessing an Ethereum private key? According to a recent Wired.com article, it is 1 in 115 quattuorvigintillion (1 in 2^256), which makes the odds of winning the lottery (1 in 292 million) seem like a safe bet. 

This ridiculously large number ensures the security of individuals' cryptocurrencies, right? Wrong… According to research conducted by Adrian Bednarek and his colleagues at ISE, an individual Ethereum account dubbed the “Blockchain Bandit” is seemingly responsible for stealing over 45,000 ether.

So, what allowed the user(s) known as the “Blockchain Bandit” to steal such a large quantity of ether from a seemingly secure mechanism? By creating user wallets with identical private keys, the “Blockchain Bandit” was able to misappropriate victim funds. It appears fraudsters, such as the “Blockchain Bandit,” could generate lists of weak private keys by breaking the 256-bit private key into eight separate 32-bit subsections. Then, one could scan and run them in parallel to increase the speed. By breaking the key into smaller bits and running them in parallel, Bednarek and his colleagues were able to generate roughly 34.3 billion keys in an 8-hour period. A bad actor, such as the “Blockchain Bandit,” could then use automated processing to scan the blockchain and steal cryptocurrencies from these weak keys within milliseconds of the generation of accounts with the same, weak private key. According to the ISE report, the amount of computing power required to mastermind such a feat is approximately 128 CPU hours per region or 1,024 hours total.

The cause of such weak keys could be as simple as coding errors by wallet developers or allowing novice users to generate their own keys. The “Blockchain Bandit” illustrates the importance of developers auditing their code and correcting issues. Additionally, it reinforces the importance of investors conducting due diligence prior to participating in the cryptocurrency market and serves as a cautionary tale for newcomers who may want to create their own private keys.
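For wallet developers auditing key generation, the following is an added example (not code from ISE or from this article) that rejects keys whose value is confined to a single 32-bit subsection, the pattern described above, and draws new keys from the operating system's CSPRNG. The function names and the repeated-word heuristic are assumptions of this example; passing the check does not prove a key is random.

```python
import secrets
from typing import List, Optional

# Order of the secp256k1 group; valid Ethereum private keys lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
WORD_BITS = 32
WORDS = 8  # 8 x 32 bits = 256 bits


def split_words(key: int) -> List[int]:
    """Split a 256-bit integer into eight 32-bit words, most significant first."""
    mask = (1 << WORD_BITS) - 1
    return [(key >> (WORD_BITS * i)) & mask for i in reversed(range(WORDS))]


def weakness(key: int) -> Optional[str]:
    """Return a reason if the key is unusable or visibly low-entropy, else None."""
    if not 1 <= key < SECP256K1_N:
        return "out of range"
    words = split_words(key)
    # Only one subsection carries data: at most 32 bits of entropy, e.g. a
    # truncated or zero-padded RNG output.
    if sum(1 for w in words if w) == 1:
        return "confined to one 32-bit subsection"
    # Added heuristic (assumption of this example): the same 32-bit value
    # copied into every subsection.
    if len(set(words)) == 1:
        return "one 32-bit word repeated"
    return None


def generate_key() -> int:
    """Draw a private key from the OS CSPRNG and refuse weak-pattern results."""
    while True:
        key = secrets.randbelow(SECP256K1_N - 1) + 1  # uniform in [1, N-1]
        if weakness(key) is None:
            return key


if __name__ == "__main__":
    # Constructed sample keys, not taken from any real account.
    for sample in (1, 0xDEADBEEF << 96, int("12345678" * 8, 16), generate_key()):
        print(f"{sample:064x}", weakness(sample) or "no weak pattern found")
```
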

“New technologies offer fraudsters new opportunities to steal. While securities regulators are still determining the framework for cryptocurrency regulation, technology continues to advance and market participants should proceed with caution,” said Amanda Senn, Deputy Director of Enforcement with the Alabama Securities Commission.

Unfortunately, with schemes such as the one perpetrated by the “Blockchain Bandit,” investors are unable to reclaim stolen funds after they are gone. Investors are encouraged to conduct thorough due diligence prior to participating in the cryptocurrency market, and if they are victims of such a scheme, they are encouraged to contact their regulator.

For more information, contact

James McDowell, Alabama Securities Commission

 
