TY - GEN
T1 - Towards a first step to understand the cryptocurrency stealing attack on Ethereum
AU - Cheng, Zhen
AU - Hou, Xinrui
AU - Li, Runhuai
AU - Zhou, Yajin
AU - Luo, Xiapu
AU - Li, Jinku
AU - Ren, Kui
N1 - Funding Information:
Acknowledgements The authors would like to thank the anonymous reviewers for their insightful comments that helped improve the presentation of this paper. Special thanks go to Siwei Wu, Quanrun Meng for their constructive suggestions and feedbacks. This work was partially supported by Zhejiang Key R&D Plan (Grant No. 2019C03133), the National Natural Science Foundation of China under Grant 61872438, the Fundamental Research Funds for the Central Universities, the Key R&D Program of Shaanxi Province of China under Grant 2019ZDLGY12-06. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of funding agencies.
Publisher Copyright:
© 2019 RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses. All rights reserved.
PY - 2019
Y1 - 2019
N2 - We performed the first systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to the unprotected JSON-RPC endpoints existed in Ethereum nodes that could be exploited by attackers to transfer the Ether and ERC20 tokens to attackers-controlled accounts. This study aims to shed light on the attack, including malicious behaviors and profits of attackers. Specifically, we first designed and implemented a honeypot that could capture real attacks in the wild. We then deployed the honeypot and reported results of the collected data in a period of six months. In total, our system captured more than 308 million requests from 1, 072 distinct IP addresses. We further grouped attackers into 36 groups with 59 distinct Ethereum accounts. Among them, attackers of 34 groups were stealing the Ether, while other 2 groups were targeting ERC20 tokens. The further behavior analysis showed that attackers were following a three-steps pattern to steal the Ether. Moreover, we observed an interesting type of transaction called zero gas transaction, which has been leveraged by attackers to steal ERC20 tokens. At last, we estimated the overall profits of attackers. To engage the whole community, the dataset of captured attacks is released on https://github.com/zjuicsr/ethhoney.
AB - We performed the first systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to the unprotected JSON-RPC endpoints existed in Ethereum nodes that could be exploited by attackers to transfer the Ether and ERC20 tokens to attackers-controlled accounts. This study aims to shed light on the attack, including malicious behaviors and profits of attackers. Specifically, we first designed and implemented a honeypot that could capture real attacks in the wild. We then deployed the honeypot and reported results of the collected data in a period of six months. In total, our system captured more than 308 million requests from 1, 072 distinct IP addresses. We further grouped attackers into 36 groups with 59 distinct Ethereum accounts. Among them, attackers of 34 groups were stealing the Ether, while other 2 groups were targeting ERC20 tokens. The further behavior analysis showed that attackers were following a three-steps pattern to steal the Ether. Moreover, we observed an interesting type of transaction called zero gas transaction, which has been leveraged by attackers to steal ERC20 tokens. At last, we estimated the overall profits of attackers. To engage the whole community, the dataset of captured attacks is released on https://github.com/zjuicsr/ethhoney.
UR - http://www.scopus.com/inward/record.url?scp=85078047068&partnerID=8YFLogxK
M3 - Conference article published in proceeding or book
AN - SCOPUS:85078047068
T3 - RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
SP - 47
EP - 60
BT - RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
PB - USENIX Association
T2 - 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019
Y2 - 23 September 2019 through 25 September 2019
ER -