Hi everyone,

Late in the evening of 4 May 2018 (European time), we were alerted by a user through Discord that his wallet had been drained shortly after he logged in to his nanowallet.io account. Over the last month we have been investigating: checking logs, contacting certificate authorities, DNS providers, law enforcement, etc. Below is what we have found out so far.

The attack consisted of redirecting nanowallet.io's traffic to a phishing site, a perfect clone of the genuine wallet, in a way that was practically impossible for a user to detect. It lasted about 30 minutes, and a handful of users were affected. Our initial thought was that it had been achieved through some kind of DNS hijacking. Nothing looked suspicious: the domain in the address bar was correct, the green lock was present, a bookmarked page opened as usual, and since the site was a perfect clone, everything worked exactly like the legitimate nanowallet.io page. The only two ways to tell that the site was not legitimate were:

By checking the SSL certificate: it was a different certificate from ours and had been issued that same day.
By inspecting the page's code.

Our genuine certificate

The malicious certificate

As nanowallet.io has HSTS enabled, the redirect to the malicious site by itself would not have been enough: the browser would have blocked the connection unless it was secured by a valid SSL certificate for our domain. However, the attacker managed to obtain a certificate for nanowallet.io from Let's Encrypt. Initially we thought that, with the DNS pointing somewhere else, they could have passed a plain HTTP-based domain validation (the ACME HTTP-01 challenge) to prove control of the domain and get the certificate. To check this, we asked Let's Encrypt to look up in their logs which IP address the domain resolved to when the certificate was issued. The IP address they had on record was our own, correct, IP address. That rules out an attack at the DNS level. So, if the IP used to validate the domain was ours, was our server compromised? We revoked all credentials and generated new ones to get started. Then we inspected all of our access logs, auth logs, login logs, etc. Our server never processed the CA's validation request, and no unrecognised accesses were found.
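Every publicly trusted certificate, including the one the attacker obtained, is recorded in Certificate Transparency logs, so a scheduled check of those logs would have surfaced a certificate for nanowallet.io that nobody at the company had requested. The following is an added example of such a check and is not nanowallet.io's code: it reads entries shaped like the JSON that a crt.sh domain search returns, compares them against the serial numbers of the certificates you issued yourself, and flags the rest, marking very recent issuances as alerts. The sample entries, serial numbers and the check_ct_log helper are constructed for illustration; a real deployment would fetch the entries on a schedule (or use a CT monitoring service) and page someone on a hit.

```python
"""Flag certificates issued for a domain that you did not request yourself."""
from datetime import datetime, timedelta

# Serial numbers of the certificates we obtained ourselves (constructed
# values; in practice they come from your ACME client's records).
KNOWN_SERIALS = {
    "03a1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7",
    "04f1e2d3c4b5a6978899aabbccddeeff0011",
}

LE_X3 = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"

# Constructed search results. The field names follow crt.sh's JSON output,
# which joins all names on a certificate with newlines in name_value.
SAMPLE_CT_ENTRIES = [
    {"id": 1, "issuer_name": LE_X3, "name_value": "nanowallet.io\nwww.nanowallet.io",
     "not_before": "2018-03-01T10:00:00",
     "serial_number": "03a1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7"},
    {"id": 2, "issuer_name": LE_X3, "name_value": "nanowallet.io\nwww.nanowallet.io",
     "not_before": "2018-04-29T10:00:00",
     "serial_number": "04f1e2d3c4b5a6978899aabbccddeeff0011"},
    # A certificate nobody at the company asked for, minted hours before an attack.
    {"id": 3, "issuer_name": LE_X3, "name_value": "nanowallet.io",
     "not_before": "2018-05-04T18:12:00",
     "serial_number": "0fde1234567890abcdef1234567890abcdef"},
    # Someone else's hostname that a loose search term also matched: not ours.
    {"id": 4, "issuer_name": LE_X3, "name_value": "nanowallet.io.example.net",
     "not_before": "2018-05-04T19:00:00",
     "serial_number": "0aaa1111222233334444555566667777"},
]


def cert_names(entry):
    """All DNS names on the certificate, lower-cased."""
    return {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}


def covers_domain(entry, domain):
    """True if the certificate is valid for `domain`, directly or via a wildcard."""
    names = cert_names(entry)
    domain = domain.lower()
    if domain in names:
        return True
    parent = domain.split(".", 1)[1] if "." in domain else ""
    return bool(parent) and f"*.{parent}" in names


def find_unexpected_certs(entries, domain, known_serials, now, recent_days=7):
    """Return CT entries covering `domain` whose serial we never issued.

    Each hit carries recent=True when it was issued within `recent_days` of
    `now`; that is the case that deserves an immediate alert rather than a
    periodic review.
    """
    known = {s.lower() for s in known_serials}
    hits = []
    for entry in entries:
        if not covers_domain(entry, domain):
            continue
        serial = entry["serial_number"].lower()
        if serial in known:
            continue
        not_before = datetime.strptime(entry["not_before"], "%Y-%m-%dT%H:%M:%S")
        hits.append({
            "serial": serial,
            "issuer": entry["issuer_name"],
            "not_before": not_before,
            "recent": now - not_before <= timedelta(days=recent_days),
        })
    return hits


def check_ct_log(now_iso="2018-05-05T09:00:00"):
    """Run the check over the constructed sample as of `now_iso`; returns the hits."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%S")
    return find_unexpected_certs(SAMPLE_CT_ENTRIES, "nanowallet.io", KNOWN_SERIALS, now)


if __name__ == "__main__":
    for hit in check_ct_log():
        level = "ALERT" if hit["recent"] else "review"
        print(f"{level}: serial {hit['serial']} issued {hit['not_before']:%Y-%m-%d %H:%M} "
              f"by {hit['issuer']}")
```

Keying the allowlist on serial numbers (or SHA-256 fingerprints) rather than on the issuer is deliberate: the attacker's certificate came from the same CA we use, so "issuer is Let's Encrypt" tells you nothing. Wildcard handling is included because a `*.nanowallet.io` certificate would also let an attacker impersonate `www.nanowallet.io`.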

The strange thing here is that the attack was a "Man in the Middle", which is also why a new certificate had to be issued: a MITM cannot present our genuine certificate without our private key, whereas someone with access to our server could have injected the code there directly, with no need for a new certificate. We know it was a MITM because the IP addresses used to log in to the affected wallets and to broadcast the unauthorised transactions were not the real users' IP addresses. We identified 7 different IP addresses used in the attack, all of them from the same datacenter, which is the datacenter our server is hosted in. This is extremely interesting, and we are currently investigating whether it was possible for someone to modify which machine was bound to our IP address during the attack.

Also, as far as our investigation shows, the attacker did not collect users' login credentials or wallet keys. Instead, he injected a piece of code into the genuine code which, once the user had logged in to the wallet, sent all the funds out to a couple of addresses controlled by the attacker through the wallet UI itself, filling in inputs and clicking buttons automatically.

On the following Monday (07/05/2018), a couple of users suddenly reported an unauthorised outgoing transaction that had emptied their wallets. Some of those transactions were sent from the attacker's IP addresses, others from the users' own legitimate IP addresses. This means that some users had logged in to the legitimate nanowallet.io site but still had the malicious JS cached in their browser, while others were still logging in to the phishing site.

We decided to immediately shut down all logins to make sure no more wallets could be emptied while we worked on a way to re-enable them safely. First, all of the attacker's IP addresses were banned, and any send transaction to the attacker's addresses was blocked. Then, the solution we came up with is a registry of the IP addresses authorised to log in to each wallet. Every IP address attempting to log in to a wallet must now be confirmed via email. The email provides a URL to a page where the user sees their own current IP address and the IP address trying to log in to their wallet, with their respective locations, side by side, in order to compare them. This way, if the domain being accessed is hijacked, users will see two different IP addresses and will easily notice that something suspicious is happening. Normally a measure like this would be activated only after confirming each user's email address, to make sure the address is valid, that the user has access to it and that our emails are delivered correctly. Instead, we activated it for all users, as we preferred to have complaints about emails not being received, which we can solve in support, rather than users missing funds.
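The login control described above, worked through as an added example that is not nanowallet.io's code: a per-wallet registry of authorised IP addresses, a single-use, expiring confirmation token sent by email for any unknown IP, and a confirmation view that puts the attempting IP and the viewer's IP side by side and flags a mismatch. The class and function names, the in-memory storage, the e-mail callback and the small IP-to-location table standing in for a GeoIP lookup are all assumptions for the sake of a runnable example.

```python
"""Per-wallet authorised-IP registry with e-mail confirmation of unknown IPs."""
import secrets
import time
from dataclasses import dataclass

# Constructed IP -> location table standing in for a GeoIP database.
GEO = {
    "203.0.113.10": "Madrid, ES",
    "198.51.100.7": "Frankfurt, DE (hosting provider)",
}

TOKEN_TTL_SECONDS = 15 * 60   # a confirmation link is only good for 15 minutes


@dataclass
class PendingLogin:
    wallet_id: str
    attempt_ip: str
    created: float


class IpAuthorizer:
    """Registry of IP addresses allowed to log in to each wallet (assumed name)."""

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email   # callable(wallet_id, confirmation_url)
        self.clock = clock             # injectable so expiry can be tested
        self.allowed = {}              # wallet_id -> set of authorised IPs
        self.pending = {}              # token -> PendingLogin

    def attempt_login(self, wallet_id, ip):
        """Return ("allowed", None) for a known IP, else ("pending", token)."""
        if ip in self.allowed.get(wallet_id, set()):
            return "allowed", None
        token = secrets.token_urlsafe(32)          # unguessable and single use
        self.pending[token] = PendingLogin(wallet_id, ip, self.clock())
        self.send_email(wallet_id, f"https://nanowallet.io/confirm-ip/{token}")
        return "pending", token

    def _pending(self, token):
        """Look up a token; expired tokens are dropped, never honoured."""
        p = self.pending.get(token)
        if p is None:
            return None
        if self.clock() - p.created > TOKEN_TTL_SECONDS:
            del self.pending[token]
            return None
        return p

    def confirmation_view(self, token, viewer_ip):
        """Data for the page behind the e-mailed link: both IPs side by side."""
        p = self._pending(token)
        if p is None:
            return None
        return {
            "attempt_ip": p.attempt_ip,
            "attempt_location": GEO.get(p.attempt_ip, "unknown"),
            "your_ip": viewer_ip,
            "your_location": GEO.get(viewer_ip, "unknown"),
            "mismatch": p.attempt_ip != viewer_ip,
        }

    def confirm(self, token):
        """User pressed "yes, that is me": authorise the attempting IP."""
        p = self._pending(token)
        if p is None:
            return False
        del self.pending[token]
        self.allowed.setdefault(p.wallet_id, set()).add(p.attempt_ip)
        return True

    def deny(self, token):
        """User pressed "that is not me": discard the attempt, authorise nothing."""
        return self.pending.pop(token, None) is not None


def demo():
    """Walk through a genuine login and a proxied one over constructed data."""
    sent = []
    auth = IpAuthorizer(send_email=lambda wallet, url: sent.append((wallet, url)))

    # Genuine user: logs in from home and opens the link from the same address.
    status, token = auth.attempt_login("wallet-A", "203.0.113.10")
    view = auth.confirmation_view(token, "203.0.113.10")
    auth.confirm(token)
    second, _ = auth.attempt_login("wallet-A", "203.0.113.10")

    # Proxied login: the request reaches the server from a datacenter address
    # while the user opens the e-mailed link from home. The two IPs differ.
    _, token2 = auth.attempt_login("wallet-B", "198.51.100.7")
    view2 = auth.confirmation_view(token2, "203.0.113.10")
    auth.deny(token2)
    return {"first": status, "mismatch": view["mismatch"], "second": second,
            "proxied_mismatch": view2["mismatch"], "emails_sent": len(sent),
            "wallet_b_allowed": auth.allowed.get("wallet-B", set())}


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping in any real implementation: the token is random and single use, so a link cannot be replayed, and an expired token is discarded rather than honoured. The side-by-side comparison is only informative when the confirmation page is reached over a path the attacker does not control (for example the e-mail link opened on another device or network); if the viewer's request also passes through the same proxy, both IPs would be the proxy's.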

Example of IP verification for login

We naturally revoked all malicious certificates.

As we initially thought it was something DNS related, we enabled DNSSEC too. DNSSEC stands for Domain Name System Security Extensions; in short, it lets resolvers verify that the DNS answers for our domain are signed by us and have not been tampered with, and it is one of the latest measures being taken against DNS spoofing attacks, which have become incredibly common and dangerous in recent years. On its own it would not have prevented this particular attack, since, as described above, the redirect did not happen at the DNS level, but it closes that avenue for the future.

Furthermore, all users affected by the attack whom we have been able to contact have been fully refunded, for a total of around 4000 NANO. We delayed the release of this statement, which is long overdue to the community, in order to have as much information as possible about the incident.

We at Nanowallet.io are deeply sorry for these unfortunate events, and will keep working to improve and provide an easy and versatile open-source light web wallet for NANO. Moreover, integration with the Ledger hardware wallet and other features will be implemented soon.

We would also like to stress the importance of education and awareness, especially in the cryptocurrency space, where phishing, scams and all sorts of attacks happen on a daily basis; most of them can be detected by users with some basic precautions.

The NanoWallet.io team.