What are the odds of guessing an Ethereum private key? According to a recent Wired.com article, it is 1 in 115 quattuorvigintillion (1 in 2^256), which makes the odds of winning the lottery (1 in 292 million) seem like a safe bet.
This ridiculously large number ensures the security of individuals’ cryptocurrencies, right? Wrong. According to research conducted by Adrian Bednarek and his colleagues at ISE, an individual Ethereum account dubbed the “Blockchain Bandit” is seemingly responsible for stealing over 45,000 ether.
So, what allowed the user(s) known as the “Blockchain Bandit” to steal such a large quantity of ether from a seemingly secure mechanism? By creating user wallets with identical private keys, the “Blockchain Bandit” was able to misappropriate victim funds. It appears fraudsters, such as the “Blockchain Bandit,” could generate lists of weak private keys by breaking the 256-bit private key into eight separate 32-bit subsections and then scanning those subsections in parallel to increase speed. By splitting the key into these smaller sections and scanning them in parallel, Bednarek and his colleagues were able to generate roughly 34.3 billion keys in an 8-hour period. A bad actor, such as the “Blockchain Bandit,” could then use automated processing to scan the blockchain and steal cryptocurrencies from these weak keys within milliseconds of an account being created with the same weak private key. According to the ISE report, the amount of computing power required to mastermind such a feat is approximately 128 CPU hours per region or 1,024 hours total.
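The defensive counterpart to the scan described above is a wallet-side check that refuses weak keys before they are ever used. The following is an added example, not code from the article or from ISE’s research; it assumes the “eight 32-bit subsections” means keys whose set bits all fall inside one 32-bit window of the 256-bit key, and it treats any such key, or any key outside the valid secp256k1 range, as weak.

```python
import secrets

# secp256k1 group order: a valid Ethereum private key is an integer in [1, N - 1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumption (not from the article): the 256-bit key is viewed as eight 32-bit windows.
SUBSECTION_BITS = 32
SUBSECTIONS = 256 // SUBSECTION_BITS  # == 8


def in_valid_range(key: int) -> bool:
    """Reject zero, negative values and anything at or above the curve order."""
    return 1 <= key < SECP256K1_N


def populated_subsections(key: int) -> int:
    """Count how many of the eight 32-bit windows contain at least one set bit."""
    mask = (1 << SUBSECTION_BITS) - 1
    return sum(1 for i in range(SUBSECTIONS) if (key >> (i * SUBSECTION_BITS)) & mask)


def is_weak_key(key: int) -> bool:
    """A key is weak if it is out of range or if all of its entropy sits in a single
    32-bit window, i.e. it belongs to the small set a per-window scan can enumerate."""
    return not in_valid_range(key) or populated_subsections(key) <= 1


def generate_private_key() -> int:
    """Draw 32 bytes from the OS CSPRNG and re-draw in the (astronomically rare)
    case the result fails the weak-key check. Never derive keys from user input."""
    while True:
        key = int.from_bytes(secrets.token_bytes(32), "big")
        if not is_weak_key(key):
            return key


if __name__ == "__main__":
    # Constructed sample keys: tiny integer, entropy confined to one window, fresh key.
    for sample in (1, 0xDEADBEEF << 64, generate_private_key()):
        print(f"{sample:064x} weak={is_weak_key(sample)}")
```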
The cause of such weak keys could be as simple as coding errors by wallet developers or allowing novice users to generate their own keys. The “Blockchain Bandit” illustrates the importance for developers to audit their code and correct issues. Additionally, it reinforces the importance of investors conducting due diligence prior to participating in the cryptocurrency market and serves as a cautionary tale for newcomers who may want to create their own private keys.
“New technologies offer fraudsters new opportunities to steal. While securities regulators are still determining the framework for cryptocurrency regulation, technology continues to advance and market participants should proceed with caution,” said Amanda Senn, Deputy Director of Enforcement with the Alabama Securities Commission.
Unfortunately, with schemes such as the one perpetrated by the “Blockchain Bandit,” investors are unable to reclaim stolen funds after they are gone. Investors are encouraged to conduct thorough due diligence prior to participating in the cryptocurrency market, and if they are victims of such a scheme, they are encouraged to contact their regulator.
For more information, contact
James McDowell, Alabama Securities Commission