August 8th 2020 ETHEREUM CLASSIC 51% ATTACK INVESTIGATION

After attacking the Ethereum Classic chain on July 31, 2020, the same attacker attacked the ETC chain again yesterday. A massive reorganization of 4236 blocks happened in the Ethereum Classic blockchain at 2020-08-06 02:54:27 UTC.

It affected blocks from 10935623 to 10939858. The attacker mined the first block at 2020-08-05 11:50:20 UTC, so this attack lasted 15 hours and 6 minutes.

Key Takeaway

This time the attacker was trying to double-spend 465,444 ETC (approx. $3.3 M). Based on our investigation, the attacker successfully double-spent 238,306 ETC ($1.68 M) through Bitfinex and another crypto service. In addition, the attacker also got 14.2K ETC as a block reward, which we have not included in our double-spend calculation.

Hash Power

The attacker probably used the same mining source, Nicehash daggerhashimoto, as observed on the following graph.

nicehash showing the price and TH/sec in UTC+3 timezone

The attacker, 0x3936968a445b723fdd0c0407efffcaecb07cab19, mined 4236 blocks consecutively, plus some extra blocks after the re-org. The block reward from this attack was 14,234.30 ETC, which still resides in the attacker’s wallet.

The attack is clearly visible on the miner distribution chart on Bitquery.

miner distribution graph on Bitquery explorer

Double-Spent

Our analysis shows it was the same attacker, using exactly the same scheme we described in our recent investigation of the attack on July 31st.

This time the attacker included seven transfers in the mined blocks. The total amount of these transactions was 465,444 ETC (approx. $3.3 M).


Where does the money come from?

This time the attacker used the money from the first attack on July 31. In our last analysis, we showed how the attacker double-spent the money by sending it to the exchange and also to his/her own wallet. This time, the attacker used the ETC left from the first attack.

For example, the address 0x305292887ad1ffa867e8564c804575f3d7a19a1f is the source of money for the first transaction in the list. This address was used in the first attack. Similarly, other addresses mentioned in the above transaction list also got money from the first attack.

0xc39241a847c550bbef4489653b1006b980709e4b

Where did the attacker double-spend this time?

The blocks mined by the attacker included transactions in which the attacker sent his/her money to different wallets controlled by him/her. This activity was not visible to anyone as the attacker did not publish any transactions or the blocks, similar to the last attack.

On the other hand, on the chain that was visible to everyone (now reorged and discarded), the attacker first collected the money on the address 0x38cd54fc7b1fe7994355fce1d75c9c4bd7335a46. After that, the attacker distributed the money to different addresses.

All these transactions happened during the time of the attack when the attacker silently mined the forked blocks.

Money distributed to multiple addresses from 0x38cd54fc7b1fe7994355fce1d75c9c4bd7335a46

Apparently, the final target was some exchanges and other crypto services, and we can find some of them in the following image.

Money that originated from 0x38cd54fc7b1fe7994355fce1d75c9c4bd7335a46 ends up on exchanges

The “fireworks” on the right side of the graph are exchanges, where the attacker sent the money. The attacker must have converted those ETC into fiat or other cryptocurrencies.

The following addresses, which received money from the attacker, belong to exchanges and other crypto services.

  1. 0x618f37d7ff7b140e604172466cd42d1ec35e0544, which we believe belongs to the Bitfinex exchange based on this post, received 143,000 ETC in several transactions. You can find the complete transaction details here.
  2. 0x9662a0648aa48592a63509c092ab05adf0a84cc9 received 95,650 ETC in multiple transactions. We were not able to identify the crypto service which owns this address. The two biggest transactions which were received by this address are mentioned below.

Total money loss

Our investigation shows that Bitfinex lost 143K ETC (~$1M), and we were not able to identify the other service mentioned above, which lost 95K ETC (~680K). In total, we were able to verify that the attacker profited at least $1.68M from this attack.

The mentioned crypto service can identify the attacker based on the above transactions. 

Wrapping up…

We believe the double-spend this time would have been caught. Our transaction monitoring technology, Coinpath®, is built to trace blockchain money flow and would have flagged these transactions for further investigation. If you are looking for blockchain transaction monitoring technology, get in touch with us.

Note:  Special thanks to Yaz Khoury for reviewing the article.

JULY 31st ETHEREUM CLASSIC 51% ATTACK INVESTIGATION

In the last article, Ethereum Classic 51% Chain Attack Jul 31 2020, we described the facts related to the Ethereum Classic attack, which took place between Jul 31 and Aug 1. In this article, we analyze the transactions during the attack in both forks of the chain.

Key Takeaway: Attacker double-spent 807,260 ETC ($5.6 million) during this attack and spent 17.5 BTC ($192K) to acquire the hash power for the attack. The attacker also got 13K ETC as a block mining reward, which we are not including in our double-spent calculation.

Data collection from reorged and non-reorged chain

We at Bitquery collected data from the Ethereum Classic node based on Open Ethereum software. As it appeared after the fork, this software had a bug that prevented chain-reorg past a certain block number. As a result, we had all data preserved, including a series of blocks that were mined by other miners on Open Ethereum software after the reorg happened.

It appeared that the only way to catch up with the reorged chain is to move to other node software, and we selected Geth. But before doing that, we stored all the data of the non-reorged chain, in a separate database for future analysis.

After the Geth node synced, we re-indexed the data starting from block 10904146, where the reorg started.

As a result, we now have two datasets, which we exposed in the Bitquery explorer interface and GraphQL API:

  1. Non-reorged chain, from the Open Ethereum node (on which every miner worked)
  2. Reorg’d chain, from the Geth node (on which the attacker worked)

These datasets have precisely the same data until the block 10904146, and the difference starts from the next block. For example, compare the next block, 10904147:

10904147 for non-reorged chain
10904147 for reorged chain

In general, you can use the URLs in the form:

https://explorer.bitquery.io/ethclassic to query the reorged chain (the currently accepted chain, and the chain with the attacker’s mined blocks)

https://explorer.bitquery.io/ethclassic_reorg to query the non-reorged chain (the chain with blocks which are discarded)

There are a couple of differences in these blocks in the chain:

  1. Height is the same, but hashes are different, as these blocks have different content.
  2. The parent hashes are the same, as they were pointing to the same original block, from which the fork started (10904146)
  3. Miners are different. The miner for the reorg’ed chain is the attacker, 0x75d1e5477f1fdaad6e0e3d433ab69b08c482f14e, who mined more than 3500 blocks during 12 hours to execute the reorg. Miners for the non-reorged chain are regular miners, who continued to mine blocks, not knowing about the attacker.
  4. Not just blocks, but transactions, transfers, smart contract calls, and events are different in the reorged and non-reorged chain.

Let’s have a look at the attacker’s mining activities.

Attacker’s mining activity

The attacker managed to insert blocks from block height 10904147 to 10907761. After block 10907761, he continued to mine some blocks, but that did not cause major reorgs. The attacker’s activity can be seen at:

attacker’s mining activity

In total, the attacker mined 4280 blocks over four days. Note that he did only a little mining before the attack and stopped mining after it. This is not the behavior of a regular miner.
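The two signals described above (a long run of consecutive blocks from one miner, and little mining history before that run) can be checked mechanically over a list of block headers. The following is an added example, not Bitquery's code; the function names, the thresholds and the sample chain are assumptions made for illustration.

```python
from itertools import groupby

def miner_streaks(blocks):
    """Yield (miner, first_height, last_height, length) for every run of
    consecutive blocks by one miner. `blocks` is a list of (height, miner)
    tuples sorted by height."""
    for miner, run in groupby(blocks, key=lambda b: b[1]):
        run = list(run)
        yield miner, run[0][0], run[-1][0], len(run)

def suspicious_miners(blocks, min_streak=100, max_prior_share=0.05):
    """Flag miners with a streak of at least `min_streak` blocks who produced
    at most `max_prior_share` of the blocks before that streak.
    Both thresholds are illustrative assumptions, not values from the article."""
    blocks = list(blocks)
    flagged = []
    for miner, first, last, length in miner_streaks(blocks):
        if length < min_streak:
            continue
        prior = [m for h, m in blocks if h < first]
        share = prior.count(miner) / len(prior) if prior else 0.0
        if share <= max_prior_share:
            flagged.append({"miner": miner, "from": first, "to": last,
                            "blocks": length, "prior_share": share})
    return flagged

def sample_chain():
    """Constructed sample: three regular miners alternate, then a newcomer
    produces 150 blocks in a row, then regular mining resumes."""
    regular = ["minerA", "minerB", "minerC"]
    chain = [(h, regular[h % 3]) for h in range(1000, 1300)]
    chain += [(h, "newcomer") for h in range(1300, 1450)]
    chain += [(h, regular[h % 3]) for h in range(1450, 1500)]
    return chain

if __name__ == "__main__":
    for hit in suspicious_miners(sample_chain()):
        print(hit)
```

Because the attacker's blocks were withheld until the reorg, this check only fires once the private fork has been published, so it serves post-reorg triage rather than early warning.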

As a result, the miner sent all the mining reward money (13K ETC) to address 0x401810b54720faad2394fbe817dcdeae014066a1, where it resides at the time of writing:

attacker’s mining reward transactions

Attack Timeline

Based on our investigation, the attacker performed the following actions to execute the 51% attack:

  1. July 29–31. The attacker withdraws 807K ETC from a Crypto exchange to several wallets.
  2. Jul 31, 16:36 UTC. The attacker started mining blocks by purchasing the hash power for double the price from Nicehash provider daggerhashimoto, as we found in the first article. The total cost of mining is approx. 17.5 BTC (~$192,000).
  3. Jul 31, 17:00–17:40 UTC. The attacker created private transactions, sending money to his/her own wallets, and inserted these transactions in the blocks he/she was mining. No one saw these transactions because the attacker didn’t publish the blocks.
  4. Jul 31, 18:00 – Aug 1, 2:50 UTC. The attacker sent money back to the crypto exchange using intermediary wallets on the non-reorged chain, which was visible to everyone. During this period, the attacker had plenty of time to monetize this money: convert it to USD and withdraw it, or exchange it for BTC. The long attack duration (12 hours) allowed the attacker to split operations into smaller parts to avoid any suspicion.
  5. Aug 1, 4:53 UTC. The attacker published his/her blocks with the version of the transactions created in step #3 and executed the chain re-organization. This means that the transactions from step #4 were replaced with the transactions from step #3.
Attack timeline
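The replacement in step 5 can be located by comparing the two datasets described earlier: find the last block they share, then look for transfers on the discarded fork whose sender and account nonce are used by a different transaction on the accepted fork. This is an added example, not Bitquery's code; the `Tx` and `Block` types and all sample hashes and addresses are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    hash: str
    sender: str
    nonce: int
    to: str
    value: float  # ETC

@dataclass(frozen=True)
class Block:
    height: int
    hash: str
    parent: str
    miner: str
    txs: tuple = ()

def fork_point(accepted, discarded):
    """Height of the last block that has the same hash in both datasets."""
    seen = {b.height: b.hash for b in accepted}
    common = [b.height for b in discarded if seen.get(b.height) == b.hash]
    if not common:
        raise ValueError("datasets share no block")
    return max(common)

def replaced_spends(accepted, discarded):
    """(discarded_tx, accepted_tx) pairs sharing one (sender, nonce) slot."""
    fp = fork_point(accepted, discarded)
    slot = {(t.sender, t.nonce): t
            for b in accepted if b.height > fp for t in b.txs}
    pairs = []
    for b in discarded:
        for t in b.txs if b.height > fp else ():
            rival = slot.get((t.sender, t.nonce))
            if rival is not None and rival.hash != t.hash:
                pairs.append((t, rival))
    return pairs

# Constructed sample data (placeholder hashes and addresses, not from the article).
COMMON = Block(100, "0xc0", "0xbf", "minerA")
ACCEPTED = [COMMON,  # fork that won the reorg
    Block(101, "0xa1", "0xc0", "attacker",
          (Tx("0xt9", "wallet1", 7, "attacker_wallet", 500.0),)),
    Block(102, "0xa2", "0xa1", "attacker")]
DISCARDED = [COMMON,  # fork every other miner was extending
    Block(101, "0xd1", "0xc0", "minerB",
          (Tx("0xt1", "wallet1", 7, "exchange_deposit", 500.0),)),
    Block(102, "0xd2", "0xd1", "minerA", (Tx("0xt2", "user", 3, "shop", 1.0),))]
```

In the sample, the transfer from `user` is not reported: it was orphaned by the reorg but nothing on the accepted fork conflicts with it, so it can still be mined again, while the `wallet1` deposit can never confirm because its nonce is already spent.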

Now let’s take a detailed look at the steps and how the miner was able to get away with ~807K ETC ($5.6 million).

Transactions inserted by the attacker ( in reorged chain )

There are just 11 transactions that the miner inserted during the attack. This fact probably caused the speculation that “The offending miner has lost access to internet access for a while when mining.” Notably, these transactions were not sent to other miners’ transaction memory pools (mempools), so they were not mined by other miners in the network.

Take a look at these transactions:

Transactions mined by the ETC attacker (Link to Excel)

Notice the first five transactions, which carry high ETC values. Let’s check these transactions one by one.

First Transaction (Value — 353005 ETC) (Tx)

The first transaction mined by attacker 353K ETC

Second Transaction (Value — 77955 ETC) (TX)

The second transaction mined by attacker 77.955K ETC

Third Transaction (Value — 194100 ETC) (TX)

Third transaction mined by the attacker, value — 194.1K ETC

Fourth Transaction (Value — 97710 ETC) (TX)

Fourth Transaction mined by the attacker, value — 97.1 ETC

Fifth Transaction (Value — 84490 ETC) (TX)

fifth transaction mined by the attacker, value — 84.49 ETC

Comparing these transactions, you will notice the pattern:

  1. Amounts are in thousands of ETC
  2. All the transactions originated from the address 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f
  3. All the transactions happened within a 40-minute time range starting from 17:00 on July 31, just before the attack began.

Wallets are ready to execute the 51% attack

To perform a 51% attack, the attacker had to own the money in wallets he/she controls. There are 5 addresses that had prepared balances before the attack:

  1. 0x439ff9e3a81a4847d0c2041c06e5a272883f69f2, received 353K ETC from 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f in 22 transactions on 29–30 July, 2020
  2. 0x9ac1785943ead4dafb2198003786b4b29143f081, received 78K ETC from 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f in 7 transactions on 30–31 July, 2020
  3. 0xad599aa123c2b5b00773b9bfadacf8c3e97ea72d, received 194K ETC from 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f in 16 transactions on 30–31 July, 2020
  4. 0xda88ea478545581eafffa3598fd11fc38f13c508, received 97.7K ETC from 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f in 7 transactions on 30–31 July, 2020
  5. 0x305292887ad1ffa867e8564c804575f3d7a19a1f, received 84K ETC from 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f in 5 transactions on 30–31 July, 2020

In total, before the attack, the total ETC value on these addresses was ~ 807K ETC ($5.6 million).

Transactions in non-reorged chain

When the attack started, nobody knew about it, as the attacker did not publish any blocks. However, the attacker created private transactions that we recorded in our second dataset (non-reorged chain).

This graph, expanded for the addresses that we mentioned before, shows how the attacker withdrew money from the exchange to his/her own wallet and sent the money back to the exchange again.

Graph of transfers made by the attacker. Note that you have to manually expand addresses by double-clicking to get this picture.

When combining the data from the non-reorged chain and the reorged chain, we can see that in the non-reorged chain, the money goes back to the exchange:

  • Before the attack, money was withdrawn from address 0x63a8 to the 5 different addresses. We believe 0x63a8 is an exchange wallet.
  • During the attack, the money was sent back to exchange 0x63a8 through 1–3 intermediary addresses.
  • As a result, all money withdrawn from exchange 0x63a8 got back to exchange 0x63a8, and these transactions were confirmed, as no one knew about the attack that was under way.

For example, the transactions below show how the attacker sent money back to the exchange in small portions:

Money transferred by the attacker back to the Exchange

This was visible in the non-reorged chain, and these transactions were valid for at least 12 hours, while the miner created new blocks privately.

As a result, the attacker got away with 807K ETC plus mining rewards (13K ETC) by successfully executing the 51% attack on Ethereum Classic. In total, it is approx. $5,650,820, much more than the money spent on mining ($192K).

Following attacker’s double-spent ETC

The attacker now needs to monetize the double-spent ETC remaining in his/her wallets. And here, we see a typical pattern of splitting amounts across many addresses and multi-hop transfers.

https://explorer.bitquery.io/ethclassic/address/0x1e3a5208db53be56b6340f732ec526b4bdc37981/graph, expanded to the right

However, with our Coinpath® technology, we traced the double-spent ETC. The current distribution at the time of writing is:

Coinpath API report starting from 0x1e3a5208db53be56b6340f732ec526b4bdc37981 address

Identifying the Crypto Exchange

We do not know the exact owner for the address 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f, but we are pretty confident this is a Crypto exchange because of the high volumes in transactions and other behavioral patterns.

What we can guess is this address belongs to the OKEx exchange or its affiliates. The same address in Ethereum Mainnet has a lot of related activity to OKEx wallets.

All transfers were with other OKEx wallets, https://explorer.bitquery.io/ethereum/address/0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f/outflow

Victor Fang, CEO of Blockchain Ecosystem Intelligence Anchain.ai, confirmed that this address belongs to the OKEx exchange.

Note: Special thanks to Victor Fang(Anchain) and Yaz Khoury for helping in preparing the article.