An unknown hacker has stolen 45,000 Ether (ETH) by exploiting weaknesses in private keys, according to a report by Independent Security Evaluators (ISE) on April 23.
ISE senior analyst Adrian Bednarek said he came across this “blockchain bandit” by chance. In research conducted by the ISE team, he discovered 732 weak private keys, which gave the team the same power as the account holder to finalize any transaction from the wallets those keys guard.
Rather than taking a more statistical approach, Bednarek narrowed down the candidate keys by looking for faulty code and faulty random number generators. Bednarek believes the cryptocurrency thief has gone a step further than ISE by completely automating the process and redirecting the siphoned funds to his own address.
“We found 735 private keys, he happened to take money from 12 of those keys we also had access to. It’s statistically improbable he would guess those keys by chance, so he was probably doing the same thing […] he was basically stealing funds as soon as they came into people’s wallets,” explained Bednarek.
According to Bednarek, there are two possible explanations for the weak private keys. The first is coding errors in the software that generates them. The second is that the holders of the private keys created duplicates by using easily guessable passphrases, or no passphrase at all.
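A wallet developer can screen for both weakness classes before a key is ever used. The following check is an added example, not code from the ISE report; the bit-length and byte-variety thresholds, the sample passphrase list and the SHA-256 passphrase derivation are all assumptions made for illustration.

```python
import hashlib
import secrets

# Order of the secp256k1 group used for Ethereum keys; valid keys are 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample list (assumption); a real audit would use a large corpus.
GUESSABLE_PASSPHRASES = ["", "password", "123456", "ethereum"]


def audit_private_key(key: bytes, min_bits: int = 200) -> list:
    """Return the reasons a 32-byte key looks weak (empty list = no finding)."""
    if len(key) != 32:
        return ["not 32 bytes"]
    findings = []
    value = int.from_bytes(key, "big")
    if not 1 <= value < SECP256K1_N:
        findings.append("outside valid range 1..n-1")
    # CSPRNG output with this many leading zero bits is vanishingly unlikely;
    # a short value points to truncation or an uninitialised buffer.
    if value.bit_length() < min_bits:
        findings.append(f"only {value.bit_length()} significant bits")
    # Very few distinct byte values points to padding or a repeated pattern.
    distinct = len(set(key))
    if distinct < 8:
        findings.append(f"only {distinct} distinct byte values")
    # Assumed derivation for passphrase-based keys: key = SHA-256(passphrase).
    for phrase in GUESSABLE_PASSPHRASES:
        if hashlib.sha256(phrase.encode()).digest() == key:
            findings.append(f"derived from guessable passphrase {phrase!r}")
    return findings


def generate_private_key() -> bytes:
    """Draw a key from the OS CSPRNG, rejecting out-of-range values."""
    while True:
        key = secrets.token_bytes(32)
        if 1 <= int.from_bytes(key, "big") < SECP256K1_N:
            return key
```

An empty result means only that none of these particular patterns matched; it does not prove the generator behind the key is sound.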
The blockchain bandit has managed to steal an estimated 44,744 ETH, worth about $6.1 million at press time. The stolen funds are estimated to have been worth up to $50 million when the price of Ethereum was at its peak.