Hacker was able to take $7.7 million from blacklisted account due to snafu

  • By Tom Cleveland

  • March 5, 2019
  • 2:15 am BST

Professional hacking gangs have definitely found greener pastures in Crypto-Land, if exchange compromises are any measure of criminal activity gone perverse. Billions have been lost over the past few years, as hackers strike with impunity, then launder their ill-gotten gains through countless layers of transfers and withdrawals before converting to the all-important fiat currency of their choice. Various methods have been deployed to block these money flows, but one hacker just extracted $7.7 million to the consternation of all involved.

It is one thing to get hacked, but when exchanges act quickly by freezing destination accounts or preparing blacklists that must be honored before a transaction is allowed to happen, and the crook is still able to abscond with the loot, it is a sad day indeed. Crooks tend to wait out the exchanges before extraction takes place. The blockchain's operational complexity only grows over time, and at some point the hacker probes the system and notices when an opening appears for the next step in the process.

In this case, the theft involved EOS tokens. EOS is the fourth largest cryptocurrency by market capitalization. It was launched in June of 2018 after a successful $4 billion token sale, ostensibly to compete with Ethereum as the platform of choice for the development of decentralized applications. Illicit funds, 2.09 million EOS tokens, had found their way to an address on the EOS platform, which was quickly blacklisted. One feature of the EOS blockchain is that each of its Block Producers (BPs) keeps its own copy of the blacklist and must update it for the blacklist to work.

The process gets a bit technical from this point forward, but a new BP failed to update its blacklist with the “bad” address, thereby creating an opening for the hacker to leverage, which he quickly did. Huobi, a Korean exchange, was able to detect the movement of funds from a blacklisted account to its exchange and promptly froze the account, another way of holding stolen funds hostage. As a result, the EOS platform will attempt to use another method for nullifying the keys of blacklisted accounts, so that the same “snafu” will not repeat itself in future.

According to the EOS team: “All top 21 Block Producers must have their blacklist updated. If only one top 21 BP does not have an updated blacklist, hacked accounts are vulnerable to being emptied. This scenario played out in the last 24hrs when a newly rotated top 21 BP failed to apply the blacklist. Unfortunately, one blacklisted account holding [2 million] EOS began to be emptied.”
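To make the failure mode concrete, here is an added illustration, not EOS software or code from the EOS team: a small model in which every block producer enforces only its own local copy of the blacklist, compared with nullifying the compromised account's keys in on-chain state, which every producer evaluates the same way. Producer names, the account name and the key string are constructed placeholders, and the round-robin schedule with a single rotation step is a simplifying assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed placeholders, not the real account or key from the incident.
STOLEN_ACCOUNT = "hackedacct"
STOLEN_KEY = "EOS_KEY_HELD_BY_ATTACKER"

@dataclass
class Producer:
    """A block producer holding its own, locally maintained blacklist copy."""
    name: str
    blacklist: Set[str] = field(default_factory=set)

    def would_include(self, sender: str, signing_key: str, account_key: Optional[str]) -> bool:
        # The signature check runs against on-chain account state, so every BP
        # evaluates it identically; the blacklist is only this BP's local copy.
        if account_key is None or signing_key != account_key:
            return False
        return sender not in self.blacklist

def build_top21(blacklisted: str) -> List[Producer]:
    """Assumed starting state: all 21 producers have applied the blacklist entry."""
    return [Producer(f"bp{i:02d}", {blacklisted}) for i in range(21)]

def rotate_in(producers: List[Producer], newcomer: Producer) -> List[Producer]:
    """Model a schedule rotation: the newcomer replaces the last producer in the set."""
    return producers[:-1] + [newcomer]

def first_leak(producers, sender, signing_key, account_key, rounds=3) -> Optional[str]:
    """Walk a round-robin schedule; return the first BP that would include the transfer."""
    for _ in range(rounds):
        for bp in producers:
            if bp.would_include(sender, signing_key, account_key):
                return bp.name
    return None

def scenario_stale_blacklist() -> Optional[str]:
    """A newly rotated BP never applied the blacklist: the drain goes through its block."""
    bps = rotate_in(build_top21(STOLEN_ACCOUNT), Producer("newbp"))
    return first_leak(bps, STOLEN_ACCOUNT, STOLEN_KEY, account_key=STOLEN_KEY)

def scenario_nullified_key() -> Optional[str]:
    """Same stale BP, but the account's keys were nullified on-chain: no BP can include it."""
    bps = rotate_in(build_top21(STOLEN_ACCOUNT), Producer("newbp"))
    return first_leak(bps, STOLEN_ACCOUNT, STOLEN_KEY, account_key=None)
```

The first scenario returns the one producer with the stale list, which is the gap the EOS statement describes; the second returns nothing, since a control held in consensus state does not depend on all 21 operators keeping up.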

It appears that hackers are learning how to hack the very processes that are designed to thwart their efforts to monetize their illicit activities. There is also a larger issue that will raise its ugly head soon. The blockchain records for posterity every address that a token passes through on its winding journey. With the right tools, one need only check a token's history to determine whether it was involved in some illegal act.

In other words, what happens if law enforcement can determine that funds were stolen some time back, but you received them as payment further down the stream, after laundering had taken place? Do you have good funds? Are you liable for receiving stolen goods? The issue is known as “fungibility”, i.e., every Bitcoin is the same, or is it? If one is tainted by its history, will it be equivalent to a “clean” token? The jury is still out on this question, but regulators and law enforcement officials will soon be forcing the issue, if industry officials do not react first.