Hacker Gets Millions Of ETH By Guessing Weak Private Keys
Independent Security Evaluators (ISE), a security consulting company based in the U.S., recently released a report concerning private keys on the Ethereum (ETH) blockchain. Apparently, a hacker was successful in obtaining millions of the token simply by guessing weak private keys. Here is everything about it in a nutshell.
A Deluge of Weak Private Keys
According to the official report, multiple people have managed to establish around 700 weak private keys, all of which are being used on a regular basis. Unfortunately, a so-called “blockchain bandit” was able to obtain at least 45,000 Ether (ETH) by guessing weak private keys.
In an interview, Adrian Bednarek, a senior security analyst at the firm, said that they are still trying to find out more about the case. He added that they have coined the term “ethercombing” for it. Interestingly, the hacker was discovered by accident. At that time, he said, he was performing research for a corporate client that wanted to deploy its own wallet with what is believed to be an integrated key-generating algorithm.
As a security analyst, Bednarek understood that he needed to understand all of the underlying technologies to a certain extent. That work must be done before an assessment begins. He added that, in essence, it is as if he were creating these technologies himself.
Explaining A Private Key
According to Bednarek, one of the components the company had to research was private key generation. At that time, he was reportedly going over the basics of what a private key should look like on Ethereum. This includes, but is not limited to, the generation process, the key size, and how the key is used to derive a public key and/or address.
On Ethereum, private keys are represented by 256-bit numbers. The company decided to narrow the search down to at least eight 32-bit “sub-regions.” The decision had a reason: brute-forcing a private key within a larger region is statistically improbable.
Bednarek confirmed that the eight sub-regions together contain a total of 34 billion private keys, all of which are deemed weak. Considering the number involved, the firm reportedly needed an entire day to process everything. It is also worth noting that these keys were generated because of faulty code, including faulty random number generators.
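The sub-region idea above can be turned into a key-generation sanity check. The following Python sketch is an added example, not code from ISE or its report: it flags any private key whose non-zero bits all sit inside one aligned 32-bit sub-region of the 256-bit space, and refuses to use a generator that produces one. The function names and the truncating "faulty" generator are constructed for illustration; the article does not describe the actual bugs in that detail.

```python
import secrets

# Order of the secp256k1 group; valid Ethereum private keys lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
REGION_BITS = 32
REGIONS = 256 // REGION_BITS  # the eight 32-bit sub-regions


def weak_region(key: int):
    """Return the index (0 = least significant) of the single 32-bit
    sub-region holding all of the key's non-zero bits, or None if the
    key's bits span more than one sub-region."""
    if not 0 < key < SECP256K1_N:
        raise ValueError("not a valid secp256k1 private key")
    words = [(key >> (REGION_BITS * i)) & 0xFFFFFFFF for i in range(REGIONS)]
    nonzero = [i for i, w in enumerate(words) if w]
    return nonzero[0] if len(nonzero) == 1 else None


def weak_key_count() -> int:
    """Upper bound on the weak space: 8 regions x 2**32 values each,
    which is the article's figure of roughly 34 billion."""
    return REGIONS * 2 ** REGION_BITS


def faulty_keygen() -> int:
    """Constructed bug: a 256-bit random value truncated to 32 bits."""
    return (secrets.randbits(256) & 0xFFFFFFFF) or 1


def sound_keygen() -> int:
    """Uniform key in [1, N-1] drawn from the OS CSPRNG."""
    return secrets.randbelow(SECP256K1_N - 1) + 1


def generate_checked(keygen) -> int:
    """Refuse to hand out a key that falls in a weak sub-region."""
    key = keygen()
    if weak_region(key) is not None:
        raise RuntimeError("key generator produced a low-entropy key")
    return key
```

A check like this only catches the specific pattern the article describes; it does not prove that a generator has full 256-bit entropy.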