Towards a first step to understand the cryptocurrency stealing attack on Ethereum

Zhen Cheng, Xinrui Hou, Runhuai Li, Yajin Zhou, Xiapu Luo, Jinku Li, Kui Ren

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

10 Citations (Scopus)

Abstract

We performed the first systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to the unprotected JSON-RPC endpoints existed in Ethereum nodes that could be exploited by attackers to transfer the Ether and ERC20 tokens to attackers-controlled accounts. This study aims to shed light on the attack, including malicious behaviors and profits of attackers. Specifically, we first designed and implemented a honeypot that could capture real attacks in the wild. We then deployed the honeypot and reported results of the collected data in a period of six months. In total, our system captured more than 308 million requests from 1, 072 distinct IP addresses. We further grouped attackers into 36 groups with 59 distinct Ethereum accounts. Among them, attackers of 34 groups were stealing the Ether, while other 2 groups were targeting ERC20 tokens. The further behavior analysis showed that attackers were following a three-steps pattern to steal the Ether. Moreover, we observed an interesting type of transaction called zero gas transaction, which has been leveraged by attackers to steal ERC20 tokens. At last, we estimated the overall profits of attackers. To engage the whole community, the dataset of captured attacks is released on https://github.com/zjuicsr/ethhoney.

Original languageEnglish
Title of host publicationRAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
PublisherUSENIX Association
Pages47-60
Number of pages14
ISBN (Electronic)9781939133076
Publication statusPublished - 2019
Event22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019 - Beijing, China
Duration: 23 Sep 201925 Sep 2019

Publication series

NameRAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses

Conference

Conference22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019
Country/TerritoryChina
CityBeijing
Period23/09/1925/09/19

ASJC Scopus subject areas

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality
  • Law
  • Safety Research

Cite this