Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum

We performed the first systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to unprotected JSON-RPC endpoints that exist in Ethereum nodes and could be exploited by attackers to transfer Ether and ERC20 tokens to attacker-controlled accounts. This study...

Bibliographic details
Main authors: Cheng, Zhen; Hou, Xinrui; Li, Runhuai; Zhou, Yajin; Luo, Xiapu; Li, Jinku; Ren, Kui
Format: Article
Language: eng
creator Cheng, Zhen
Hou, Xinrui
Li, Runhuai
Zhou, Yajin
Luo, Xiapu
Li, Jinku
Ren, Kui
description We performed the first systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to unprotected JSON-RPC endpoints that exist in Ethereum nodes and could be exploited by attackers to transfer Ether and ERC20 tokens to attacker-controlled accounts. This study aims to shed light on the attack, including the malicious behaviors and profits of attackers. Specifically, we first designed and implemented a honeypot that could capture real attacks in the wild. We then deployed the honeypot and reported the results of the data collected over a period of six months. In total, our system captured more than 308 million requests from 1,072 distinct IP addresses. We further grouped attackers into 36 groups with 59 distinct Ethereum accounts. Among them, attackers in 34 groups were stealing Ether, while the other 2 groups were targeting ERC20 tokens. Further behavior analysis showed that attackers were following a three-step pattern to steal Ether. Moreover, we observed an interesting type of transaction called a zero gas transaction, which has been leveraged by attackers to steal ERC20 tokens. Finally, we estimated the overall profits of attackers. To engage the whole community, the dataset of captured attacks is released at https://github.com/zjuicsr/eth-honey.
doi_str_mv 10.48550/arxiv.1904.01981
format Article
identifier DOI: 10.48550/arxiv.1904.01981
language eng
recordid cdi_arxiv_primary_1904_01981
source arXiv.org
subjects Computer Science - Cryptography and Security
title Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum