Yesterday, June 6th 2019, cryptocurrency wallet service, GateHub, announced that 100 of their XRP ledger wallets had been compromised. As a result roughly $10m USD worth of Ripple’s XRP has been stolen.

Within the GateHub announcement they mention that the company was alerted to the attack by members of their community. And, as a result, they have started an “extensive internal investigation”.

The nature of the attack is still unknown to GateHub’s staff although they have confirmed that they do not suspect the actions of their staff to have either facilitated, or allowed the hack.

While conducting their investigation GateHub have discovered “suspicious API calls” occurring on some accounts. They have contacted the people affected via email and provided advise to protect their remaining XRP.

“We already sent out an email to all users that might be affected as a result of suspicious API calls with instructions on how to protect their funds.”

How Did it Happen?

Hackers Used Valid API Access Tokens: When users wish to allow bots or other applications (such as wallets) to access an account they will utilise an API system. API systems provide a unique access token which acts like a password. This grants access to your account from the outside world, without exposing your password.

When users wish to allow bots or other applications (such as wallets) to access an account they will utilise an API system. API systems provide a unique access token which acts like a password. This grants access to your account from the outside world, without exposing your password. No Sign of Brute Force or Suspicious Logins: Brute force attacks see the attacker try to guess a user’s login information. Usually they would use a form of software which can work much faster than a human.

Brute force attacks see the attacker try to guess a user’s login information. Usually they would use a form of software which can work much faster than a human. An Increased Number of API Calls From Select IPs: A small number of IP addresses were used to access accounts. They did so using the valid access tokens mentioned above. GateHub speculate that this is how the attacker gained access to secret keys.

A small number of IP addresses were used to access accounts. They did so using the valid access tokens mentioned above. GateHub speculate that this is how the attacker gained access to secret keys. Decryption of Secret Keys: Secret keys are essentially the pin number to a cryptocurrency wallet. GateHub state that their keys were stored encrypted. This has left them stumped when questioning how the attacker managed to decrypt them.

The exact methods used by the attackers is still not clear. However, GateHub have confirmed that their preliminary investigation has found a few points of interest:

On June 5th 2019, Thomas Silkjær (a community member who alerted the GateHub team of the attack) made a post on Medium regarding the incident. Within the post he states “roughly 23,200,000 XRP has been stolen from 80–90 victims, of which ~13,100,000 XRP have already been laundered through exchanges and mixer services.”.

He also goes on to theorise the possible methods by which the hack occurred. Thomas writes that the most likely cause of the attack is either “Incremental nonces” or an “Old database leak”.

The likelihood of incremental nonces being the culprit is unlikely as GateHub have ruled out brute force attacks since Thomas’s post. This means, at present, the most likely cause of the attack is an old database leak.

In such a scenario an attacker would have acquired a database of encrypted keys and systematically brute force attacked it offline. By doing so they would be able avoid raising flags for failed attempts. This would mean the attacker would be able to wait until they had access to a desirable sum of money and nobody would know until it was too late.

Whatever the cause of the hack this will no doubt affect GateHub’s service and should emphasise the need for crypto holders to practice stringent security measures.

Love, peace and happiness?