How did some Ethereum users find themselves with empty wallets?

On the evening of June 29 (ET), users of Classic Ether Wallet were alerted to the sort of news anyone who invests in cryptocurrencies must dread.

It’s not clear who first noticed that something was awry with the the wallet’s domain, but Twitter was soon spewing warnings. By the early hours of the following morning, the Ethereum Classic cryptocurrency feed offered this confirmation that something unusual was up:

*Warning* We have reason to believe  has been hijacked. Do not use!!

By the time Cloudflare started warning visitors to the domain about a phishing attack, the news started to sink in: an attacker had taken control of the domain, which meant that anyone using accounts on it to store Ethereum Classic (ETC) currency in it (1 ETC = roughly $18) from the moment of the takeover would potentially have had them pilfered.

With panic setting in, and no quick way to take back the hijacked domain or have it blacklisted until Cloudflare stepped in, some users reportedly even suggested launching a defensive DDoS attack on it  to render it unreachable.

Comments on a Reddit thread suggest that hundreds of users might have lost currency worth several hundred thousand dollars, with the attacker manually transferring sums out in small batches.  Addresses and keys deposited before the attack were said to be safe.

How on earth did it come to this?

Hackers successfully targeting cryptocurrency wallets used to store virtual currency in supposed safety is far from a new phenomenon. What grabs the attention with this attack – and will doubtless lead to soul-searching – is the relatively simple weakness exploited to pull it off.

For background, Ethereum is actually two currencies: plain Ethereum (ETH) and the Ethereum Classic involved in this incident. How Ethereum came to  fork this way is a rather involved story connected to a hack of the currency’s Decentralized Autonomous Organization (DAO) crowdfunding initiative in 2016, which readers can read up on from a number of sources.

Suffice it say that Classic Ether Wallet is not the only wallet for ETC, but it a popular choice on the back of its ease of use – it even offers a Chrome browser extension, for example.

When it was set up last year, its admins seem to have overlooked setting a registry lock (basically more verification and time delay before changes can be made to a domain), which must have been noticed by the attacker.

It has been claimed (although not confirmed) that the attacker simply phoned up the German company looking after the domain and had them point it at a new rogue domain impersonating the real site.

If you were being kind to the admins you might describe this as the ultimate phishing attack, but that would imply that the users were somehow at fault when they clearly weren’t.  As far as they were concerned, they were logging into the correct domain.

The infuriating thing is that this sort of lateral attack that skirts security by attacking weaknesses in authentication (ie, who and how a top-level domain ends up pointing at the real server hosting it) has been used against domain owners before.

In 2013, the Syrian Electronic Army (SEA) pulled off a thematically related coup by using a hacked reseller account to alter the DNS records for a swathe of famous domains, including the New York Times, The Huffington Post and The Times. The same MO last year allowed attackers to take over numerous domains associated with  a Brazilian bank.

These were much more serious attacks than the one on Classic Ether Wallet albeit that  they didn’t involve individuals losing money. The lesson remains the same: why should hackers batter down the front gate when the side entrance is wide open?