Blockchain burglar returns some of $1m crypto-swag

It isn’t often that the villains show their soft side, but a blockchain burglar apparently did just that last week. An unidentified thief who stole over $1 million from the Ethereum Classic blockchain has given some of it back.

The thief exploited a loophole that exists in Ethereum Classic along with several other cryptocurrencies called a “51% attack”, which enables attackers to rewrite the blockchain and spend cryptocurrency twice. They used the technique to attack several cryptocurrency exchanges with fraudulent transactions.

Then, less than a week later, they returned some of the cash, said affected exchange in a statement:

On Jan.10, we found that the recent ETC 51% attacker returned 100k USD value of ETC back to

Cryptocurrencies like Ethereum Classic are based on a proof-of-work algorithm, in which many different computers compete to solve a mathematical problem. The computer that wins the competition gets to seal the last few minutes’ transactions into a block (a little like a page in an accounting ledger).

If the computer that wins the competition tries to falsify those transactions, it will normally be found out because other computers that are also checking the transactions will report the discrepancy.

However, if one person gains access to more than half of the computing power across the whole blockchain, they can falsify transactions and get all of their computers to agree that the fake transactions are real. Because more than half of the blockchain agrees on the transactions, they are written into the blockchain as real.

This gives them effective control of the blockchain, enabling them to rewrite transactions as they see fit. They could pay someone else in cryptocurrency, receive the goods or services, and then rewrite the blockchain’s ledger to eradicate the payment and get their money back.

This is what happened early this month. Cryptocurrency exchange Coinbase detected anomalies in the Ethereum Classic blockchain as early as 5 January, suggesting several double spends.

The official Ethereum Classic Twitter account confirmed on 7 January that it was working with people in the community after finding that one private mining pool’s hash rate had hit over 50% of the entire blockchain’s capacity.

On 8 January, cryptocurrency exchange confirmed that it had suffered from a double-spending attack as a result of the 51% situation. Attackers made seven double-spending transactions involving the exchange stealing 40,000 Ethereum Classic tokens, it said, adding that it would swallow the loss on its users’ behalf.

Beijing-based cryptocurrency security team SlowMist subsequently released an analysis of the attack but was still none the wiser about the attacker’s identity.

Other exchanges were also hit:

Overall, around 219,000 tokens were stolen amounting to around $1.1m, CoinDesk said in its analysis.

Market data from CoinMarketCap shows how the price of Ethereum Classic fell in reaction to the news:

Then, the thieves gave back some of the cash, but not all, and it’s unclear why they gave any back at all. According to

We were trying to contact the attacker but we haven’t got any reply until now.

We still don’t know the reason. If the attacker didn’t run it for profit, he might be a white [hat – sic] hacker who wanted to remind people the risks in blockchain consensus and hashing power security

The return of some Ethereum Classic tokens is a positive step, but said that Ethereum Classic users should still be wary:

Based on our analysis, the hashing power of ETC network is still not strong enough and it’s still possible to rent enough hashing power to launch another 51% attack. has raised the ETC confirmation number to 4000 and launched a strict 51% detect for enhanced protection. We also suggest other ETC exchanges to take actions to protect the trader from blockchain rollback/reorg.

Ethereum Classic isn’t the only cryptocurrency to be stymied by a 51% attack.

Monacoin, Bitcoin Gold, Zencash and Litecoin Cash have all been hit with similar attacks in the past according to cryptocurrency-watching site CoinDesk, which suggests that they are becoming more of a problem.

CoinDesk cites research released by NYU computer science academic Joseph Bonneau in 2017 that estimated how much money it will cost to launch 51% attacks on top blockchains by simply renting power. It was all-too feasible, he suggested.

Ethereum Classic is a separate cryptocurrency to Ethereum, which was not affected by the attack.