Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum
We performed the first systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to the unprotected JSON-RPC endpoints that exist in Ethereum nodes and that could be exploited by attackers to transfer the Ether and ERC20 tokens to attacker-controlled accounts. This study...
Main authors: | Cheng, Zhen; Hou, Xinrui; Li, Runhuai; Zhou, Yajin; Luo, Xiapu; Li, Jinku; Ren, Kui |
---|---|
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | |
---|---|
container_issue | |
container_start_page | |
container_title | |
container_volume | |
creator | Cheng, Zhen ; Hou, Xinrui ; Li, Runhuai ; Zhou, Yajin ; Luo, Xiapu ; Li, Jinku ; Ren, Kui |
description | We performed the first systematic study of a new attack on Ethereum that
steals cryptocurrencies. The attack is due to the unprotected JSON-RPC
endpoints that exist in Ethereum nodes and that could be exploited by attackers to
transfer the Ether and ERC20 tokens to attacker-controlled accounts. This
study aims to shed light on the attack, including malicious behaviors and
profits of attackers. Specifically, we first designed and implemented a
honeypot that could capture real attacks in the wild. We then deployed the
honeypot and reported results of the collected data in a period of six months.
In total, our system captured more than 308 million requests from 1,072
distinct IP addresses. We further grouped attackers into 36 groups with 59
distinct Ethereum accounts. Among them, attackers of 34 groups were stealing
the Ether, while the other 2 groups were targeting ERC20 tokens. The further
behavior analysis showed that attackers were following a three-step pattern to
steal the Ether. Moreover, we observed an interesting type of transaction
called zero gas transaction, which has been leveraged by attackers to steal
ERC20 tokens. At last, we estimated the overall profits of attackers. To engage
the whole community, the dataset of captured attacks is released on
https://github.com/zjuicsr/eth-honey. |
doi_str_mv | 10.48550/arxiv.1904.01981 |
format | Article |
creationdate | 2019-04-03 |
rights | http://arxiv.org/licenses/nonexclusive-distrib/1.0 |
fulltext | fulltext_linktorsrc |
identifier | DOI: 10.48550/arxiv.1904.01981 |
ispartof | |
issn | |
language | eng |
recordid | cdi_arxiv_primary_1904_01981 |
source | arXiv.org |
subjects | Computer Science - Cryptography and Security |
title | Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-27T01%3A39%3A38IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Towards%20a%20First%20Step%20to%20Understand%20the%20Cryptocurrency%20Stealing%20Attack%20on%20Ethereum&rft.au=Cheng,%20Zhen&rft.date=2019-04-03&rft_id=info:doi/10.48550/arxiv.1904.01981&rft_dat=%3Carxiv_GOX%3E1904_01981%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |