Cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000, from clients exposing the unsecured interface on port 8545.

Cybercriminals have raked over 20 million dollars in the past few months by hijacking poorly configured Ethereum nodes exposed online are continuing their operations.

In March, security experts from Qihoo 360 Netlab reported a hacking campaign aimed at Ethereum nodes exposed online, crooks were scanning for port 8545 to find wallets that exposed their JSON-RPC.

According to the researchers, the cybercrime gang stole 3.96234 Ether (between $2,000 and $3,000)., but currently, they have tracked another criminal gang that already stolen an amazing amount of funds that are available in their wallets.

Researchers claim the cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000.

Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address https://t.co/t4qB17r97J $20,526,348.76, yes, you read it right, more then 20 Million US dollars https://t.co/SXHrdTcb6e — 360 Netlab (@360Netlab) June 11, 2018

“If you have honeypot running on port 8545, you should be able to see the requests in the payload, which has the wallet addresses,” states Qihoo 360 Netlab team. “And there are quite a few IPs scanning heavily on this port now.”

Geth is a popular client for running Ethereum node allowing users to manage them remotely through the JSON-RPC interface.

Developers can use this programmatic API to build applications that can retrieve private keys, transfer funds, or retrieve personal details of the owner of the wallet.

The hackers moved stolen funds to the Ethereum account having the address 0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464.

The good news is that the JSON-RPC interface comes disabled by default in most apps.

In May 2018, crooks used the Mirai-based Satori botnet to scan the Internet for Ethereum mining software that were left accidentally left exposed online.

Unfortunately there are several groups that are actively scanning the Internet for insecure JSON-RPC interface to steal funds from unsecured cryptocurrency wallets.

Development team have to secure their applications by only allowing connections to the geth client originating from the local computer, another alternative consists in the implementation of authentication mechanism for remote RPC connections.

Experts believe the hackers will increase their scanning for port 8545 also thanks the availability online of tools that automate the process.

Pierluigi Paganini

(Security Affairs –port 8545, hacking)

Share this...

Linkedin Reddit Pinterest

Share On