Actively used private keys on the ethereum blockchain facilitate cryptocurrency theft

In the process, ISE discovered an individual or group they dubbed the “Blockchainbandit” pilfering ETH funds from some of the wallets associated with the discovered weak private keys. They observed that the bandit was sending that ETH to a destination wallet that was collecting the loot. On 13 January 2018, Blockchainbandit’s wallet held a balance of 37,926 ETH valued at $54,343,407, now worth far less by today’s valuation of ETH.

Even to this day, the bandit seems to be operating an ongoing campaign to loot cryptocurrencies from wallets derived from weak private keys. ISE researchers intentionally placed one U.S. dollar worth of ETH in a weak private key derived wallet and witnessed that within seconds, the ETH was transferred out and into the bandit’s wallet.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” says ISE Executive Partner Ted Harrington.

Duplicating or guessing just one randomly-generated private key already in use on the Ethereum blockchain would be a statistically significant event, yet ISE was able to uncover 732 of them, alluding to issues in key generation. These underlying problems likely extend to other cryptocurrency platforms and to any software which generates cryptographic keys. As a result, ISE offers a number of recommendations for developers and institutions that rely on cryptographically secure random values.

Recommendations for developers

·  Use well known libraries or platform specific modules for random number generation

·  Use a cryptographically secure pseudo-random number generator instead of just any pseudo-random number generator

·  Audit source code and resulting compiled code to verify randomly generated keys are not truncated or become malformed by faulty workflows that interact with them

·  Use multiple sources of entropy

·  Leverage NIST compatible hardware random number generation instructions provided by AMD/Intel (RDRAND/RDSEED)*

·  Review NIST/FIPS guidelines on cryptographic random number generation

·  Review and use the NIST Statistical Test Suite (NIST SP 800-22)

Tips for uses of Cryptographically Secure Wallets

·  Do not use untrusted software that may be harvesting private crypto currency keys

·  A cryptocurrency private key should be completely random, so use well trusted software and hardware wallets to generate private keys

·  Do not generate private keys based from passphrases, a.k.a. brain wallets – as people tend to commonly use similar or easily guessable passphrases

The study is part of an ongoing research initiative conducted by Independent Security Evaluators to inform developers and manufacturers about vulnerabilities in an effort to protect businesses and consumers.