Vanity Blockie Miner for Ethereum

Brute force generate Ethereum identicons to match an image

I love blockies… something about the symmetry causes me to see all sorts of faces and things.

When I was contributing to EthAvatar I was worried about an attacker replicating an Ethereum identicon (Blockie). I wanted to test how easy it would be to brute force replicate a similar enough blockie that you could use it to phish an account.

An identicon should really only be used to make sure you didn’t mistype an address: a quick, deterministic, procedurally generated, human-identifiable picture. You copy and paste an address or scan a QR code and give the two windows/screens a quick side-by-side inspection to make sure they match. One small character change will result in an obviously different image:

However, if you don’t pay close enough attention, an attacker could craft an identicon to look similar to your trusted account:

The script is very simple and the source code is available here. It consists of a backend, a frontend, and a miner. The miner generates Ethereum accounts as fast as possible, renders each one as a Blockie, and does a color comparison against a target image. Plus, the frontend has a nice drag-and-drop UX:
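The same machinery the miner relies on (a deterministic pattern from an address, plus a similarity score) can be turned around and used on the wallet side to catch the phishing case described above: warn when a pasted address renders to a Blockie that closely resembles a known contact's but is not the same address. The example below is added here and is not the post's code; it re-implements the `ethereum/blockies` seeding, xorshift PRNG, color draws and mirrored grid from memory, assumes the seed is the lowercased hex address (as wallets pass it), and the contact list, addresses, `threshold` and `hueTolerance` values are constructed for illustration.

```javascript
// Added example (not the post's own code): Blockie pattern generator plus a
// wallet-side lookalike check. Assumes the seed is the lowercased address.

function makeRng(seed) {
  // Seeding and xorshift as in the blockies library: the seed string is
  // folded into four int32 words, then xorshift128 produces floats in [0, 1).
  const s = [0, 0, 0, 0];
  for (let i = 0; i < seed.length; i++) {
    s[i % 4] = ((s[i % 4] << 5) - s[i % 4]) + seed.charCodeAt(i);
  }
  return function rand() {
    const t = s[0] ^ (s[0] << 11);
    s[0] = s[1]; s[1] = s[2]; s[2] = s[3];
    s[3] = s[3] ^ (s[3] >> 19) ^ t ^ (t >> 8);
    return (s[3] >>> 0) / ((1 << 31) >>> 0);
  };
}

function pickColor(rand) {
  // HSL draw: hue 0-359, saturation 40-100%, lightness averaged over 4 draws.
  const h = Math.floor(rand() * 360);
  const s = rand() * 60 + 40;
  const l = (rand() + rand() + rand() + rand()) * 25;
  return { h, s, l };
}

function blockie(address, size = 8) {
  const rand = makeRng(address.toLowerCase());
  // The three colours are drawn before the grid, matching the library's order.
  const color = pickColor(rand);
  const bgcolor = pickColor(rand);
  const spotcolor = pickColor(rand);
  const dataWidth = Math.ceil(size / 2);
  const mirrorWidth = size - dataWidth;
  const data = [];
  for (let y = 0; y < size; y++) {
    let row = [];
    // 0 = background, 1 = foreground, 2 = spot colour
    for (let x = 0; x < dataWidth; x++) row.push(Math.floor(rand() * 2.3));
    // Left half is mirrored onto the right, giving the familiar symmetry.
    row = row.concat(row.slice(0, mirrorWidth).reverse());
    data.push(...row);
  }
  return { data, color, bgcolor, spotcolor, size };
}

// Fraction of grid cells whose category (bg/fg/spot) agrees.
function patternSimilarity(a, b) {
  if (a.data.length !== b.data.length) throw new Error('size mismatch');
  let same = 0;
  for (let i = 0; i < a.data.length; i++) if (a.data[i] === b.data[i]) same++;
  return same / a.data.length;
}

// Shortest angular distance between two hues, in degrees.
function hueDistance(c1, c2) {
  const d = Math.abs(c1.h - c2.h) % 360;
  return d > 180 ? 360 - d : d;
}

// Returns the contacts whose Blockie a candidate address could be mistaken for.
// An exact address match is never a warning; only near-misses are.
function lookalikeWarnings(candidate, contacts, threshold = 0.85, hueTolerance = 30) {
  const cand = blockie(candidate);
  const warnings = [];
  for (const { name, address } of contacts) {
    if (address.toLowerCase() === candidate.toLowerCase()) continue;
    const known = blockie(address);
    const similarity = patternSimilarity(cand, known);
    const closeColors =
      hueDistance(cand.color, known.color) <= hueTolerance &&
      hueDistance(cand.bgcolor, known.bgcolor) <= hueTolerance;
    if (similarity >= threshold && closeColors) warnings.push({ name, address, similarity });
  }
  return warnings;
}

// Constructed demo data (not real accounts).
const contacts = [
  { name: 'exchange', address: '0x1111111111111111111111111111111111111111' },
  { name: 'friend',   address: '0x2222222222222222222222222222222222222222' },
];
const pasted = '0x3333333333333333333333333333333333333333';
console.log('warnings for pasted address:', lookalikeWarnings(pasted, contacts));
```

The grid similarity is a coarse stand-in for the miner's pixel-level color compare; a real wallet would also weight the spot color and could lower `threshold` at the cost of more false positives. The deeper point stands regardless of the metric: a check that only asks "does it look the same" is exactly what the miner optimizes against, so the full address still has to be compared.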

Once you have an icon you like, you can click on it to get the private key. Paste that private key into MetaMask and you can start making transactions. Don’t forget to hit the “X” in the UI to delete the key from the miner. Even after covering your tracks, it’s probably best not to move a lot of money in and out of accounts where the private key was tossed around like this.