Slashdot Mirror


Hacker Steals $30 Million Worth of Ethereum From Parity Multi-Sig Wallets (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: An unknown hacker has used a vulnerability in an Ethereum wallet client to steal over 153,000 Ether, worth over $30 million. The hack was possible due to a flaw in the Parity Ethereum client. The vulnerability allowed the hacker to exfiltrate funds from multi-sig wallets created with Parity clients 1.5 and later. Parity 1.5 was released on January 19, 2017. The attack took place around 19:00-20:00 UTC and was immediately spotted by Parity, a company founded by Gavin Wood, Ethereum's founder. The company issued a security alert on its blog. The Ether stolen from Parity multi-sig accounts was transferred into this Ethereum wallet, currently holding 153,017.021336727 Ether. Because Parity spotted the attack in time, a group named "The White Hat Group" used the same vulnerability to drain the rest of Ether stored in other Parity wallets that have not yet been stolen by the hacker. This money now resides in this Ethereum wallet. According to messages posted on Reddit and in a Gitter chat, The White Hat Group appears to be formed of security researchers and members of the Ethereum Project that have taken it into their own hands to secure funds in vulnerable wallets. Based on a message the group posted online, they plan to return the funds they took. Their wallet currently holds 377,116.819319439311671493 Ether, which is over $76 million.

67 comments

  1. Value of crypto currency by OrangeTide · · Score: 1

    Is all crypto currency over-valued when it is so frequently anonymously stolen?

    --
    “Common sense is not so common.” — Voltaire
    1. Re:Value of crypto currency by Anonymous Coward · · Score: 1

      Read this like Abraham Lincoln for best effect

    2. Re:Value of crypto currency by Anonymous Coward · · Score: 0

      Literally, criminals control most of the value of crypto-coins including bitcoin itself. In the case of bitcoin it hasn't been hacked directly but incomprehensible amounts of them have been stolen from weak players (eg. brokers and online wallets).

      So criminals control most of the coins and somehow the value is at an all time high? Think about it.

    3. Re:Value of crypto currency by ShanghaiBill · · Score: 3, Insightful

      Is all crypto currency over-valued when it is so frequently anonymously stolen?

      It was not "stolen". Crypto-currencies are based on the implementing code, and the only "rules" are in the code. So if the code allowed someone to transfer ownership, then that transfer followed the "rules" and is just as legitimate as any other transfer. Just because some people misunderstood the rules, that doesn't make it "wrong" for someone else to follow them to their own advantage.

    4. Re: Value of crypto currency by Anonymous Coward · · Score: 1, Insightful

      It was not "stolen". Crypto-currencies are based on the implementing code, and the only "rules" are in the code. So if the code allowed someone to transfer ownership, then that transfer followed the "rules" and is just as legitimate as any other transfer. Just because some people misunderstood the rules, that doesn't make it "wrong" for someone else to follow them to their own advantage.

      Yes it was stolen. That is the legal and usual definition, taking without the owners' consent.

      Your made up redefinition is complete bullshit.

    5. Re:Value of crypto currency by epine · · Score: 1

      Crypto-currencies are based on the implementing code, and the only "rules" are in the code.

      A criterion which classifies 99.99% of the people presently involved with cryptocurrency as amateur speculators.

      Because in code—which resembles logic, which resembles a peanut brittle bar left outside overnight halfway up Vinson Massif (well, your father's Vinson Massif)—a single thing you don't fully understand can drain your entire wallet.

    6. Re: Value of crypto currency by ShanghaiBill · · Score: 1, Insightful

      taking without the owners' consent.

      The owner is whoever the code says the owner is. Just because you thought you owned it, doesn't mean you do.

    7. Re: Value of crypto currency by Anonymous Coward · · Score: 0

      Yes it was stolen. That is the legal and usual definition, taking without the owners' consent.

      Your made up redefinition is complete bullshit.

      Rating that comment butthurt/10

    8. Re:Value of crypto currency by Anonymous Coward · · Score: 0

      Well, and? Did you have a point?

    9. Re: Value of crypto currency by war4peace · · Score: 1, Informative

      So... if I break into your bank account and transfer all the money into mine... it's all legal because the code allowed it?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    10. Re: Value of crypto currency by Anonymous Coward · · Score: 0

      Who says it's frequent? I think what we are actually experiencing is more likely media bias in reporting.

    11. Re: Value of crypto currency by Anonymous Coward · · Score: 0

      Never underestimate the power of self-justification. Poster probably steals and has justified it to themselves. You will never convince them because maintaining their good feeling about themselves depends on their broken logic.

    12. Re: Value of crypto currency by Anonymous Coward · · Score: 0

      This is why I write my name on all my coins and bills. That way I can prove it was mine if it was stolen.

    13. Re:Value of crypto currency by Khashishi · · Score: 1

      Err, that sounds a lot like stolen to me.

    14. Re:Value of crypto currency by hoggoth · · Score: 1

      Word game fail.

      Cash also has similar rules: He who holds the cash owns it, in the sense that he can spend it.
      And yet, we still call it theft when someone takes your cash without your permission.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  2. Whew by JustAnotherOldGuy · · Score: 4, Funny

    Thank goodness I put all my money into tulips.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Whew by whitlocktj · · Score: 2

      Tulips just got hacked

    2. Re:Whew by Anonymous Coward · · Score: 1

      pruned

    3. Re:Whew by Anonymous Coward · · Score: 0

      then you're the idiot because tulips are easily hacked with genetic shit and roses pay more...

    4. Re:Whew by fredrated · · Score: 1

      Woosh!

    5. Re:Whew by blindseer · · Score: 3, Informative

      For those that didn't get the joke I suggest reading a little history. This might help:
      https://en.wikipedia.org/wiki/...

      --
      I am armed because I am free. I am free because I am armed.
    6. Re:Whew by JustAnotherOldGuy · · Score: 1

      then you're the idiot because tulips are easily hacked with genetic shit and roses pay more...

      Oh noes, you found the fatal flaw in my master financial plan.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  3. Is the hacker Russian? by Anonymous Coward · · Score: 0

    I bet he is....ZOMG Russians!!!

  4. I need some! by DogDude · · Score: 1

    This fake currency stuff sounds great! So easy and hassle-free. Where do I get some?

    --
    I don't respond to AC's.
    1. Re:I need some! by amicusNYCL · · Score: 1

      Well, apparently there were 530,133 "units of Ether" sitting out there for the taking, but they've all been stolen. Better luck next time.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  5. Re:gay shit by Anonymous Coward · · Score: 0

    And it just keeps getting funnier every time it happens!

  6. disappeared in a puff of ether by Anonymous Coward · · Score: 0

    Damn it, where has my money gone?

  7. This sucks for the Ethereum miners by rsilvergun · · Score: 2

    but it's good news for anyone looking to buy a new graphics card. The GTX 1060 6gb I bought on sale for $220 in February is pushing $450-$500. Not sure if that's miners or scalpers preying on them but it sucks either way.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:This sucks for the Ethereum miners by AmiMoJo · · Score: 1

      On the other hand, as soon as the price crashes there will be a flood of cheap high end GPUs on the market. Trick will be getting one of the later ones that hasn't been run hard 24/7 for months.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Price going down by campuscodi · · Score: 1

    Price going down >>> Time to buy

    1. Re: Price going down by Anonymous Coward · · Score: 0

      Sucker.
      The only safe way to get into these currencies is to "mine" them early when it doesn't cost much for the electricity to run your equipment.

      If you're actually trading real money or goods for it, then you are the chump.

  9. Not exactly by rsilvergun · · Score: 1

    the value of crypto currencies is based almost entirely on the illicit goods you can buy with them. Mostly Drugs and Ransomware payments. Neither of those things have much in the way of actual costs, which is why you see these crazy valuations. You can afford to 'lose' thousands in crypto currency when all you're really doing with it is buying a few real dollars worth of pot or using it to launder money.

    The sad thing is there's plenty of legitimate uses for the tech and the ideas but at the moment they're getting swamped by the illegitimate ones.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Not exactly by OrangeTide · · Score: 1

      But if all my money is stolen, I can't buy any black market goods, so it doesn't have any value to me.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Not exactly by Dunbal · · Score: 1

      Which is why instead of putting money into those like all the other nerds you might as well just take it to the casino and bet all that money on black. Or red. Either way you have a 47.4% chance of walking away with double your money, which is a lot better odds than you'll get by buying into these currencies and hoping you'll be able to get out with a profit. Sure - people have made money. A lot more people have lost money - which is how this works. Expect the "value" of these currencies to see-saw back and forth over time as new waves of suckers get taken to the cleaners.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Not exactly by Tenebrousedge · · Score: 2

      The initial value of the cryptocurrency is its use in illegal transactions, yes. It will get legitimacy with volume. I'm resigned to the idea that BitCoin or some rival will eventually be real money in pretty much every sense of the word. Variances are dropping slowly but steadily. I'd give it five or ten more years just to be sure, but I don't think we can bottle this particular genie.

      --
      Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
  10. Ethereal by Hognoxious · · Score: 1

    Ether is ethereal? Whodathunkit?

    2a : lacking material substance

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  11. Yay by Anonymous Coward · · Score: 0

    The usual bleepingcomputer "hacker hacker hacker" crap without actual content.

    Thank you so much, BeauHD.

  12. First suspect is Capital One by Dunbal · · Score: 1

    After all, they're always asking on tv "what's in your wallet?"

    --
    Seven puppies were harmed during the making of this post.
    1. Re:First suspect is Capital One by Hognoxious · · Score: 3, Funny

      String, or nothing!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:First suspect is Capital One by sheph · · Score: 1

      Not fair working in two answers at once.

      --
      I don't believe in karma, I just call it like I see it.
  13. Not a client problem by Anonymous Coward · · Score: 0

    If a compromised client can destabilize the whole system, that's not a problem with the client: it's a problem with the server which trusts the client way too much.

    1. Re:Not a client problem by sexconker · · Score: 2

      If a compromised client can destabilize the whole system, that's not a problem with the client: it's a problem with the server which trusts the client way too much.

      This has to do with the wallets and how they're generated and set up for multiple people to access them.

      In the Bitcoin world, a wallet is little more than a private key. The network stores a record of how much Bitcoin your wallet has in it. If you want to spend money, you send a transaction signed with your wallet's private key. A miner mines a block containing your transaction, and then nodes on the network verify it, and the fact that you spent .0002 BTC on a 20-minute subscription to HD-Taints.com is recognized and you get your sweet, nasty porn.

      With Ethereum, you have a client created by some bozos that creates wallets in an absurd (and vulnerable) way, so you get FUKT.

  14. LOL! by sexconker · · Score: 3, Interesting

    Ethereum is a scam coin. The entire concept is absurd. But even if you want to buy into the hype, don't mind the IPO bullshit, and you think "proof of stake" and "smart contracts" are somehow magical things, why would you EVER use a "multi-sig wallet"?

    Bitcoin has a few simple fucking rules. Chief among them is to treat your wallet with Bitcoin in it like your regular wallet with cash in it.
    You keep it secure yourself and you encrypt it and you don't hand it over to anyone else.

    A multi-sig wallet is a wallet with access set up for X people, where transfers out of the wallet require Y people's (among the X) approval.
    1 < Y <= X

    You may as well hand cash to Bernie Madoff and tell him to only spend it when you both agree.

    Ethereum persists because of 2 reasons:

    1 - People are fucking retarded and think the convoluted bullshit layered on top of a block chain somehow makes Ethereum more useful than Bitcoin (it doesn't), or more trustworthy (it doesn't).

    2 - People want to make a profit using consumer GPUs and can't with Bitcoin, so they're grinding away on Ethereum. Once someone slaps together an ASIC with a bunch of memory to mine Ethereum, Ethereum will tank (even more so than it has recently) as all the small-time miners leave. All the big-time miners (those paying for ASICs and running on free power / the giant farms in China) will stay with Bitcoin.

    From Parity's web page:

    Tested from Day One

    Making the most reliable and resilient software able to perform with excellence throughout deployments as diverse as teraflop financial servers and door handles is no task for the faint hearted. Our software is unit-tested from, quite literally, day one. From RLP and the Trie to the network subsystem, we aim for our unit tests to cover 100% of critical logic.

    In Consensus

    We pride ourselves on passing all 1,000+ consensus tests in the client consensus suite. Written according to the Yellow Paper specification and designed with the foreknowledge of the exact protocol we will need to implement, Parity achieves full consensus without pulling any punches on code design and clarity, enabling us to maintain an agile, fast-paced development cycle.

    100% Reviewed

    Every single line in our codebase is fully reviewed by at least one expert developer (and routinely two or more) before being placed in the main repository. We strive for excellence; static code checking is used on every compile to cut out bad idioms. Style is enforced before any alteration may be made to the main repository. Continuous integration guarantees our codebase always compiles and tests always pass.

    HO HO HO!

    I wonder if Ethereum will fork to revert the stolen Ether. If so, it ruins any glimmer of hope it had at becoming a legitimate decentralized currency. If not, a lot of people will be exiting the game.

    Bitcoin has an upcoming potential fork coming soon, too. It's mildly contentious, fairly interesting, but ultimately it will have little to no impact on the viability or trust of Bitcoin.

    1. Re:LOL! by Anonymous Coward · · Score: 0, Flamebait

      Gees, thanks oh sexy-one, I'm going to take the advice of a total douche dumbfuck over the actions (read: $$) of mastercard, scotiabank, amongst others:

      https://entethalliance.org/ent...

    2. Re:LOL! by Zontar+The+Mindless · · Score: 2, Insightful

      That's a consortium of various entities exploring applications for blockchains. The astute will note that the word "currency" occurs exactly nowhere on that page.

      --
      Il n'y a pas de Planet B.
    3. Re:LOL! by TeknoHog · · Score: 1

      I wonder if Ethereum will fork to revert the stolen Ether. If so, it ruins any glimmer of hope it had at becoming a legitimate decentralized currency.

      Ethereum has already forked due to similar circumstances in the past. Ethereum Classic (ETC) is the original unforked chain that continues to live on under a different management.

      --
      Escher was the first MC and Giger invented the HR department.
    4. Re:LOL! by Anonymous Coward · · Score: 0

      Many organizations use real-world multi-party bank accounts. This allows you to do a transaction if sufficient people agree.

    5. Re:LOL! by Wrath0fb0b · · Score: 1

      Bitcoin has a few simple fucking rules. Chief among them is to treat your wallet with Bitcoin in it like your regular wallet with cash in it.
      You keep it secure yourself and you encrypt it and you don't hand it over to anyone else.

      That's fine for the money in my wallet, but I don't expect it's fine for the money in my bank account. If I trip and fall in a river and lose my wallet, I expect to still be able to access my bank account. If my house burns down, I expect to still be able to access my bank account.

      Availability is a fundamental security requirement.

    6. Re:LOL! by sexconker · · Score: 1

      You're an idiot. Blockchains are good. Ethereum, "smart contracts", and the people running that whole shit show are not.

    7. Re:LOL! by sexconker · · Score: 1

      Yeah, the DAO fork. Even then it was controversial. From your own link:

      Since the hard fork, an additional 153 blocks have been successfully mined. However, as suggested earlier, the move may not be without continued controversy.

      The decision to hard fork was initially met with resistance by some members of the ethereum community who were concerned it might undermine the perception that the blockchain was immutable, and that contract agreements, once settled to the blockchain, would be final.

      With major banks and startups alike now building with ethereum, this is a concern that will likely be followed closely.

      And that was over a year ago. Look at the price and trade volume of Ethereum now compared to then.
      You don't fork due to theft and expect people to trust your currency or believe the bit about it being decentralized with no overriding authority. A fork means you either get on the winning team or you get fucked, and when the winning team is determined by a small handful of people (and corporations), what are you really gaining over fiat currency?

    8. Re:LOL! by sexconker · · Score: 1

      Bitcoin has a few simple fucking rules. Chief among them is to treat your wallet with Bitcoin in it like your regular wallet with cash in it.
      You keep it secure yourself and you encrypt it and you don't hand it over to anyone else.

      That's fine for the money in my wallet, but I don't expect it's fine for the money in my bank account. If I trip and fall in a river and lose my wallet, I expect to still be able to access my bank account. If my house burns down, I expect to still be able to access my bank account.

      Availability is a fundamental security requirement.

      And you can have a bank store your wallet in a safety deposit box for you. You can have Dropbox or Google or a public FTP store a copy of your wallet for you.
      The concept is pretty much perfect. Treat it like cash and protect it like cash. The neat thing about it is that you're not beholden to anyone, even if they're protecting your wallet for you. Since you can duplicate your wallet, and the people holding your wallet can't access it (because you're encrypting it), then you're golden. All you need to secure is your password, and there are countless ways to do that. You can even have a bank store it in a safety deposit box for you! Or have a lawyer hold onto it. Whatever you want!

    9. Re:LOL! by Hognoxious · · Score: 1

      Yeah, but they're usually people you know - half the directors if it's a business account, two of three siblings if it belongs to a senile parent.

      Not a Singaporean ladyboy and some random teenager from Lavaturia.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  15. Insufficient... by dohzer · · Score: 1

    Insufficient decimal points for accurate evaluation of worth.

  16. Catch them! by Anonymous Coward · · Score: 0

    Catch the thieves with an Ethernet!

  17. Want security in your money, and elections? by fustakrakich · · Score: 1

    Use paper. It's still the best, most reliable medium ever devised.

    Computers are not ready for prime time. They are too frail.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Want security in your money, and elections? by The123king · · Score: 1

      Modern day computers can't be trusted. It's too easy nowadays to make shit up using them.

      --
      If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
  18. Decayed, Not Stolen by Scarletdown · · Score: 2

    The Etherium was not stolen. It just changed via radioactive decay. It turned into Felonium, the criminal element.

    --
    This space unintentionally left blank.
    1. Re:Decayed, Not Stolen by wasteoid · · Score: 1

      +1 Funny

      Where are my mod points when I need them.

  19. *sigh* by The123king · · Score: 1

    If you invest your real money (that string of numbers that's backed by the government) on a cryptocurrency (a string of numbers backed by... who?) you deserve to be robbed. I'll be sat here with the popcorn when the whole cryptocurrency bubble bursts.

    --
    If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
    1. Re:*sigh* by Anonymous Coward · · Score: 0

      Be sure to shave your neck when it is over.

    2. Re:*sigh* by Rockoon · · Score: 1

      The "backed by government" is an important facet of a currency.

      When Germany joined the Eurozone, few Germans switched to using the Euro. It wasn't until the German government began requiring that Euro be used to pay taxes that the population switched.

      --
      "His name was James Damore."
    3. Re:*sigh* by The123king · · Score: 1

      Exactly my point

      --
      If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
  20. Not a big deal by Anonymous Coward · · Score: 0

    It's not a big deal. Even if some black hat hackers stole these millions, the problem is easily solved with a trivial blockchain fork. Ethereum classic might be more vulnerable to such hacks, though.

  21. wtf Ethereum Parity Multi-Sig Wallets by Anonymous Coward · · Score: 0

    wtf has the world come to when a headline has Ethereum Parity Multi-Sig Wallets in it?! that gibberish is worth $30m to someone?

  22. Just fork it again... by Anonymous Coward · · Score: 0

    Since integrity of a blockchain is no longer important, just fork it... again...

  23. Ethereum Currency by Anonymous Coward · · Score: 0

    Hackers have been able to hack Ethereum due to a lack of security updates: http://ethereumcurrency.yolasite.com