
First release | Analysis of the theft of 1,400 bitcoins from a GitHub user


One day, when you transfer money on Alipay, a pop-up window reminds you that the transfer failed because the version is too low.

If the pop-up window not only reminds you that the transaction failed, but also attaches an Alipay update link, most people may click on the link to update.

If this link is a phishing link and directly obtains your transfer authority, it means that the money in your account will also be ruthlessly transferred.

This time, a user encountered a similar situation.

On August 31, Beijing time, the CertiK Skynet system (Skynet) detected that the 1,400 bitcoins stolen from GitHub user “1400BitcoinStolen” had begun to be sent to multiple different addresses.


The victim described the loss of 1400 bitcoins in an issue on Electrum's GitHub repository and posted his Bitcoin wallet address.


In the block explorer (reference link 3), it can be seen that a total of 1404 BTC (worth 16.7 million US dollars) was withdrawn from his wallet on August 30 and deposited into the hacker's wallet.


The user was using an Electrum Bitcoin wallet that was last used in 2017. Electrum has released security updates since then, but the user had not installed them.

When a user makes a transaction with Electrum, the wallet broadcasts the transaction to a server. If there is a problem with the transaction, the server returns an error message, which the wallet displays to the user in a pop-up window.

Electrum wallets before version 3.3.2 do not verify the error message returned by the server, and even render the returned message as HTML (reference link 4).

It is worth mentioning that anyone can set up an Electrum server. If a user connects to an attacker's server and initiates a transaction, the server can return any error message the attacker has crafted, for example one asking the user to update the Electrum wallet, as shown in the figure below.

However, the link in the picture points to malware written by the attacker. Once the user downloads and installs the software and imports his wallet into it, all the bitcoins in the wallet are transferred to the attacker.

In essence this is a phishing attack, but because the attacker's phishing message is displayed by the official Electrum wallet itself, many people will believe it.

In this incident, the victim's wallet was connected to a server controlled by the attacker, so it received a phishing message from that server, and the attacker transferred all of the victim's bitcoins.

This problem with the Electrum wallet was widely discussed as early as the end of 2018 (reference link 4).

Electrum officially fixed this problem in wallet version 3.3.4 in 2019. Subsequent versions of the Electrum wallet no longer directly display the content returned by the server to the user, nor do they render HTML.
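The difference between the old behaviour and the fix described above can be sketched as follows. This is an added example, not Electrum's own code; the function names, the table of rejection strings and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumed, illustrative map from node rejection strings to wallet-authored text.
KNOWN_REJECTIONS = {
    "min relay fee not met": "The transaction fee is too low to be relayed.",
    "txn-mempool-conflict": "An input is already spent by an unconfirmed transaction.",
    "bad-txns-inputs-missingorspent": "An input is missing or already spent.",
    "dust": "An output is too small to be relayed (dust).",
}
GENERIC = "The server rejected the transaction and gave no recognised reason."
# Markup or links have no place in a broadcast error; treat them as a warning sign.
SUSPICIOUS = re.compile(r"(?i)<[a-z/!]|https?://|www\.")


def render_unsafe(server_msg):
    """Old behaviour: server text goes into an HTML-rendering dialog unchanged."""
    return "<b>Broadcast failed:</b> " + server_msg


def render_safe(server_msg):
    """Return (dialog_text, suspicious). dialog_text is always written by the
    wallet, so nothing the server sent is ever shown to the user."""
    raw = server_msg if isinstance(server_msg, str) else repr(server_msg)
    suspicious = bool(SUSPICIOUS.search(raw))
    if not suspicious:
        lowered = raw.lower()
        for needle, text in KNOWN_REJECTIONS.items():
            if needle in lowered:
                return text, False
    return GENERIC, suspicious


# Constructed sample replies: one from a hostile server, one from an honest one.
PHISH = ('Transaction failed: <a href="https://wallet-update.example.invalid/dl">'
         'install the required security update</a>')
HONEST = "66: min relay fee not met"

if __name__ == "__main__":
    print(render_unsafe(PHISH))   # link would be rendered as clickable HTML
    print(render_safe(PHISH))     # generic text, flagged as suspicious
    print(render_safe(HONEST))    # wallet-authored explanation
```

The `suspicious` flag is meant for logging or for disconnecting from the server; it never changes what the user is shown.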

In addition, since old versions of the wallet still have this problem, all legitimate servers carry out denial-of-service (DoS) attacks against wallets before version 3.3 to force users to update (reference link 5).

When using a wallet for transactions, users need to make sure the wallet is the latest version. Old versions of a wallet may have vulnerabilities that hackers can exploit.

When downloading a wallet update, the user should verify that the download URL matches the official one, and verify the signature of the wallet after the download is completed.

Wallet development teams need to have a professional team test their software, so that vulnerabilities in the project do not cause losses to users.

Reference links:

1. https://github.com/spesmilo/electrum/issues/5072

2. https://zhuanlan.zhihu.com/p/53920688

3. https://www.blockchain.com/btc/tx/2db616f5b4545805dc1de59bc65b21b548c0d553ab187fa1625ef73c727f1e54

4. https://github.com/spesmilo/electrum/issues/4968

5. http://twitter.com/electrumwallet/status/110647957391772467
