Imagine a thief going door to door in a neighborhood, checking for homes that were left unlocked to rob. That’s essentially what’s happening on the ethereum blockchain, but on a much larger scale—and at a dizzying pace.
Somebody is actively monitoring weakly protected wallets on the world’s second-largest cryptocurrency network and draining them the instant that funds arrive. This unusual, automated theft was detected by Independent Security Evaluators (ISE), a Baltimore-based group of researchers and activists. ISE published its findings on “ether combing” this week.
ISE calls the unidentified thief the “blockchain bandit.” At one stage, this ingenious person (or group? or state?) had collected more than $54 million in ether via the wallet-monitoring-and-draining scheme.
Although blockchain technology is revered by the cryptocurrency community for its mathematical fortifications, the security offered by complex calculations only works if users are careful about creating and protecting their private keys. In public-key cryptography, a person selects a private key (an unchangeable password) and then generates a public key (a receiving address). A private key is similar to safety deposit box key—except the key determines which safe belongs to you, not vice versa.
In the cryptocurrency world, a person shares their public key with the world. That’s the address where they receive crypto funds from other users. To send funds, though, they use their private key, which must be guarded at all costs. Anybody who discovers the private key to a wallet can send—or steal—funds from that address. Normally, the odds of guessing a random private key are infinitesimally small.
However, if a person settles on a private key that’s easy to guess, a thief can reverse engineer the public key to check whether the vulnerable wallet contains any funds. It’s the crypto equivalent of making your password “password.” ISE’s researchers also found that compiling errors—when a program crashes due to faulty code—may result in weakened keys. So, in some instances, the randomness of blockchain can be undone, and security efforts rendered meaningless.
Ironically, the transparency that makes bitcoin and its offshoots trusted by crypto enthusiasts is exactly what makes the wallet-draining scheme possible. When you deposit money into a bank account, that transaction isn’t broadcasted to the entire world. And your neighbors don’t know when you swipe your credit card at Chipotle. But in cryptocurrency, all that activity is publicly stored. Even if specific identities are unknown, crypto wallet balances and transfers can be seen by anybody who peruses the blockchain’s history.
This isn’t to cast doubt on the mathematics of blockchain. The issue is that individual users may not be practicing great password hygiene and older wallet generators might be susceptible to programming errors.
“We must not forget that just because an ethereum private key is 32 bytes/64 hex characters long, does not automatically make it secure,” explains Kosala Hemachandra, CEO of MyEtherWallet, an cryptocurrency wallet service. “‘0xabcdef0123456789aaabbbcccdddeee111222333445566688999fffddd111223’ is a valid private key that will derive a public address but the entropy is low, meaning that it is possible to guess because it is made up of similar values.”
So, if you’re creating a private key, what should you do? “The key ingredient to a secure private key is entropy, or making it unpredictable,” says Hemachandra. “Humans should never be the ones creating them as we are more likely to pick a string of characters that are easy to guess. This should always be a task for modern computers.” For ethereum, MyEtherWallet and MyCrypto are two services that can help. Or, you can also opt to store your digital coins on an exchange, leaving wallet management in the hands of professionals.
Masayoshi Son, the billionaire behind SoftBank—one of the largest investors in Uber—was reportedly burned badly by the crypto crash. Near the peak of the bubble in late 2017, Son made an enormous personal investment in bitcoin on the advice of Peter Briger of Fortress Investment Group. Son lost nearly $130 million, says the Wall Street Journal (paywall).
Takeaway: Son’s decision to cut his losses may indicate SoftBank’s attitude toward crypto more broadly. Indeed, it’s telling that he decided to realize his loss rather than gut it out—or “HODL” (hold on for dear life) in crypto parlance. Bitcoin still has fans among tech gurus, like Twitter and Square CEO Jack Dorsey, but Son’s retreat shows that even billionaires with cash to spare may consider crypto too risky a bet.
Please send news, tips, and random number generators to email@example.com. Today’s Private Key was written by Matthew De Silva and edited by Jason Karaian. Buy not on optimism, but on arithmetic.