Hackers almost got away with 2M EOS (approx. $12M in value)

It was the first time that a hack was discovered by the Block Producers

Blacklisting of accounts should be prompted once an investigation has been exhausted

Even though the EOS price and the RAM price changed only slightly over the week, about 20K new accounts were created, a high compared to the previous two months. Daily activity surged to roughly 1.5M transactions.

Success Comes at a Price

With recent success comes the price of attracting hackers. Here is the story of how a 2M EOS hack was caught by Block Producers: the hack was detected and investigated by a group of BPs led by Sw/eden, EOSRio, EOSDac, shEOS, and Jem.

An estimated $12M worth of EOS was rescued by the BPs. Whoever the attacker is, they tried to obscure the trail after the hack by routing the funds through a series of freshly created accounts.

Eric from Jem added that the hackers sent 23k EOS to a newly created account, gm34qnqrepqt; as soon as that landed, 20k was sent on to another new account, gt3ftnqrrpqp, which in turn sent 16.3k to another new account, gtwvtqptrpqp, which sent 10k to another new account, gm31qndrspqr, which in turn sent 6k to yet another newly created account, lxl2atucpyos. The memo on the first transfer, however, read “refund”.

Blacklisting – at what cost?

Igor from EOSRio searched for the account name and found it in the “EOS 911” group. As soon as it was identified, Eric from Sw/eden contacted the account owner, who then created “iwashackeda1” using the original keys of gm3dcnqgenes, the account in question.

Transaction by the verified owner, signed with the original keys for the account: https://bloks.io/transaction/a3d919d638bd8750d46078e815d87ca02936affb80f08de25c9b905bd66371c1

Once that transaction was made, it was verified that the owner held the original private key of the hacked account, gm3dcnqgenes. Strictly, a signature with the pre-theft key proves possession of that key, which whoever changed the keys had as well, so the identification also rested on the contact made through EOS 911. This prompted Sw/eden to blacklist gm3dcnqgenes before receiving an order from ECAF.

Eric from Sw/eden, however, did not blacklist the other accounts:

“I didn’t blacklist the other accounts. Because I felt that needed further investigation.”

He found it unjustifiable to act on his own and blacklist an exchange, in case the activity turned out to be legitimate. After further investigation, however, all the accounts were blacklisted; the BPs had to pull in all their machines and update their blacklists, because an estimated $12M in value was on the line.

An Unexpected Turn of Events

When EOS was designed, Dan Larimer and Block.One did not anticipate the ECAF and the blacklists that grew out of it. In this case, however, it may have turned out better than they anticipated. In its first four months of operation, the blacklist has saved millions of dollars from hackers by freezing accounts whose owners could prove that their private keys had been stolen.

Freezing an account prevents any further actions on it until an investigation has been completed.

Technically, any account owner can request to have their account blacklisted once an unauthorized transaction has been identified. This case is unusual in that the hack was detected and investigated by a group of Block Producers, led by Sw/eden, EOSRio, EOSDac, shEOS, and Jem.

The issue was noticed when a group of Block Producers and Ben Sigman, at dinner in London celebrating the Mid-Autumn Festival, lost 2 million votes. Two million is a substantial amount that cannot escape a Block Producer’s attention.

They ran a quick check of the account history of gm3dcnqgenes and found that the active and owner keys had been changed, an unstake of the entire 2M EOS balance had been initiated immediately afterwards, and funds had been transferred to the DEX “newdexpocket”.

This was considered suspicious: changing keys is normally about protecting funds, not moving them, so a key change followed immediately by unstaking and transfers stands out. In addition, this particular account had voted only once, in August.
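The two signals the BPs acted on, a permission change followed at once by an unstake and outbound transfers, and a trail of transfers through accounts created during the incident (the chain of new accounts described earlier), can be checked mechanically. The following is an added example written for this article, not code from the BPs or from any EOS tooling: it replays a constructed action history (timestamps, the DEX amount and the helper names are assumptions; account names are the ones the article mentions) and flags the takeover pattern, then follows the outbound transfers hop by hop, keeping exchanges apart from the newly created accounts because the former need a separate decision before any blacklisting.

```python
from collections import deque
from datetime import datetime, timedelta

UNSTAKE_DELAY = timedelta(days=3)          # EOS refund delay for unstaked tokens
SUSPICIOUS_WINDOW = timedelta(minutes=30)   # assumption: key change -> fund movement this fast is anomalous
KNOWN_EXCHANGES = {"newdexpocket"}          # the DEX named in the article


def T(s):
    """Parse an ISO-8601 timestamp (constructed test data uses these)."""
    return datetime.fromisoformat(s)


# Constructed action history in the style of an EOS account history (not real chain data).
# Action names updateauth, undelegatebw, newaccount and transfer are the real EOS ones.
HISTORY = [
    {"t": T("2018-09-23T18:00:00"), "actor": "gm3dcnqgenes", "name": "updateauth", "permission": "owner"},
    {"t": T("2018-09-23T18:00:05"), "actor": "gm3dcnqgenes", "name": "updateauth", "permission": "active"},
    {"t": T("2018-09-23T18:00:30"), "actor": "gm3dcnqgenes", "name": "undelegatebw", "amount": 2_000_000.0},
    {"t": T("2018-09-23T18:01:00"), "actor": "gm3dcnqgenes", "name": "transfer", "to": "newdexpocket", "amount": 5_000.0},
    {"t": T("2018-09-23T18:02:00"), "actor": "gm3dcnqgenes", "name": "newaccount", "to": "gm34qnqrepqt"},
    {"t": T("2018-09-23T18:02:10"), "actor": "gm3dcnqgenes", "name": "transfer", "to": "gm34qnqrepqt", "amount": 23_000.0, "memo": "refund"},
    {"t": T("2018-09-23T18:03:00"), "actor": "gm34qnqrepqt", "name": "newaccount", "to": "gt3ftnqrrpqp"},
    {"t": T("2018-09-23T18:03:10"), "actor": "gm34qnqrepqt", "name": "transfer", "to": "gt3ftnqrrpqp", "amount": 20_000.0},
    {"t": T("2018-09-23T18:04:00"), "actor": "gt3ftnqrrpqp", "name": "newaccount", "to": "gtwvtqptrpqp"},
    {"t": T("2018-09-23T18:04:10"), "actor": "gt3ftnqrrpqp", "name": "transfer", "to": "gtwvtqptrpqp", "amount": 16_300.0},
    {"t": T("2018-09-23T18:05:00"), "actor": "gtwvtqptrpqp", "name": "newaccount", "to": "gm31qndrspqr"},
    {"t": T("2018-09-23T18:05:10"), "actor": "gtwvtqptrpqp", "name": "transfer", "to": "gm31qndrspqr", "amount": 10_000.0},
    {"t": T("2018-09-23T18:06:00"), "actor": "gm31qndrspqr", "name": "newaccount", "to": "lxl2atucpyos"},
    {"t": T("2018-09-23T18:06:10"), "actor": "gm31qndrspqr", "name": "transfer", "to": "lxl2atucpyos", "amount": 6_000.0},
]


def detect_key_change_then_move(history, window=SUSPICIOUS_WINDOW):
    """Flag accounts whose owner/active permission was changed and which then
    unstaked or transferred funds within `window` of that change."""
    by_actor = {}
    for a in history:
        by_actor.setdefault(a["actor"], []).append(a)
    incidents = []
    for actor, acts in by_actor.items():
        acts = sorted(acts, key=lambda a: a["t"])
        key_changes = [a for a in acts
                       if a["name"] == "updateauth" and a["permission"] in ("owner", "active")]
        if not key_changes:
            continue
        first = key_changes[0]["t"]
        moves = [a for a in acts
                 if a["name"] in ("undelegatebw", "transfer") and first <= a["t"] <= first + window]
        if not moves:
            continue
        unstakes = [a for a in moves if a["name"] == "undelegatebw"]
        incidents.append({
            "account": actor,
            "key_change_at": first,
            "permissions_changed": sorted({a["permission"] for a in key_changes}),
            "unstaked": sum(a["amount"] for a in unstakes),
            # the refund lands after the 3-day delay; a freeze before then still catches the tokens
            "refund_due": (unstakes[0]["t"] + UNSTAKE_DELAY) if unstakes else None,
            "outbound": [(a["to"], a["amount"], a.get("memo", "")) for a in moves if a["name"] == "transfer"],
        })
    return incidents


def follow_trail(history, start):
    """Breadth-first walk of outbound transfers from `start` through accounts that
    were created during the incident (newaccount actions in the history).
    Exchanges are recorded as endpoints needing a separate decision, not as
    automatic blacklist candidates."""
    created = {a["to"] for a in history if a["name"] == "newaccount"}
    hops, candidates, exchanges = [], [], set()
    queue, seen = deque([start]), {start}
    while queue:
        src = queue.popleft()
        for a in history:
            if a["name"] != "transfer" or a["actor"] != src:
                continue
            hops.append((src, a["to"], a["amount"]))
            if a["to"] in KNOWN_EXCHANGES:
                exchanges.add(a["to"])
            elif a["to"] in created and a["to"] not in seen:
                seen.add(a["to"])
                candidates.append(a["to"])
                queue.append(a["to"])
    return {"hops": hops, "blacklist_candidates": candidates, "exchanges": sorted(exchanges)}


if __name__ == "__main__":
    for inc in detect_key_change_then_move(HISTORY):
        print(f"{inc['account']}: {inc['permissions_changed']} changed at {inc['key_change_at']}, "
              f"{inc['unstaked']:.0f} EOS unstaked, refund due {inc['refund_due']}")
        trail = follow_trail(HISTORY, inc["account"])
        for src, dst, amt in trail["hops"]:
            print(f"  {src} -> {dst}: {amt:.1f} EOS")
        print("  review for blacklist:", trail["blacklist_candidates"])
        print("  exchanges touched (decide separately):", trail["exchanges"])
```

The window and the exchange list are the tunable parts: the window encodes the judgement that a legitimate key rotation is rarely followed by moving the whole balance within minutes, and the exchange set encodes the hesitation described below about freezing an exchange account on a BP's own authority.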

A Series of Questionable Transactions Got the Block Producers’ Attention

Whoever the attacker was, they tried to obscure the trail after the hack by passing the funds through a series of accounts whose names look like those generated by the EOS.IO snapshot.

This was the first time a hack was discovered by the Block Producers, and also the first time a Block Producer blacklisted an account without waiting for an order from ECAF.

Under the Rules of Dispute Resolution, any member of EOS, including a BP, may implement an emergency measure of protection, such as freezing an account; the member who has done so must then be named as a party to a duly filed arbitration requesting confirmation of the emergency measure.

This implies that any member who acts without a ruling is responsible for that action, as the rules state, and could face severe consequences if found liable for damages to another EOS account.

In this case the original account holder got lucky: he had kept his tokens staked, and with EOS it takes 3 days to unstake them, so even though the hack went undiscovered for some time, the Block Producers were able to intervene before the unstaked tokens were released.