A blockchain security research firm called Slowmist has released a full report on the attack that recently took place against Ethereum Classic. The report indicates that several exchanges are the victims of a concerted 51% attack.

Notably, the researchers report that the attack begins January 5th at 19:58:15 UTC. Days pass before anyone notices. The attacker dupes several exchanges in the process including Coinbase, Bitrue, and Gate.io. The analysis focuses heavily on Bitrue. Central to the attack was the owner of address 0x24fdd25367e4a7ae25eef779652d5f1b336e31da. The earliest movement is a little over 5,000 ETC from Binance to this address.

The Attack Begins With Coins From Binance

From there the coins move to a mining node, which mined block 7254355. Later, in block 7254430, a deposit is made to Bitrue in the amount of 4,000 ETC. This transaction no longer actually exists in the longest Ethereum Classic chain. It was sent to verified Bitrue address 0x2c9a81a120d11a4c2db041d4ec377a4c6c401e69. As you can see if you click that address, the official history does not show any such deposits.

But Bitrue’s own records remember. Bitrue tweets them:

💔‼️Ethereum Classic (ETC) 51% Attack Detected On @BitrueOfficial We've experienced an ETC 51% attack yesterday morning. The attacker tried to withdraw 13,000 ETC from our platform but got halted by our system. As demonstrated below: pic.twitter.com/V7YWzkldIv — Bitrue (@BitrueOfficial) January 8, 2019

Another 9000 ETC attack later happens the same way. The attacker moves the coins to other addresses, makes deposits, then withdraws them to safe addresses. The attack is simple at its heart: make a deposit, then make a withdrawal. He has the hashpower to ensure that the transactions he wants to exist will and that the ones he’d rather be forgotten are. In essence, he doubles his money simply by moving the coins to other addresses. Then he moves the original coins to safety.

Coinbase Just One Victim

Of course, this all adds to the confirmed damage at Coinbase. The report goes into some detail about that. It says that once Coinbase and other exchanges began blacklisting attacker addresses, the attack basically stopped being useful to the attacker on January 8th.

The report confirms two addresses certainly involved in the attack:

Combined, these addresses possess over 53,000 ETC at time of writing. They will struggle to find any liquidity for these tokens, as most exchanges have likely banned them from depositing. Security is fundamentally important to exchanges. These tokens can essentially be considered “tainted.”

Early in the hours of January 8th, Marshall Long says he thinks he knows the attacker personally:

https://twitter.com/OGBTC/status/1082559086070136832

Another user seems to indicate he knows the actual attacker:

https://twitter.com/sebseb7/status/1082934904713814016

Either way, the 51% attack against Ethereum Classic exchagnes is over and done with. For now. Some of the gains are very real.

Conclusions After a Real Attack

Exchanges must adapt their security policies to chains with smaller hashrates. Declining markets lead to reduced hashpower. It happens in all proof-of-work systems. Unsavory individuals view it as an investment opportunity. If the token is worth enough, dedicating massive hashpower to the chain in order to defraud legitimate exchanges is worth the effort.

As the report says:

[W]e recommend that all digital asset services platform block transfers from the above malicious wallet addresses. And strengthen the risk control, maintain a high degree of attention, and be alert to double spend attacks that may erupt at any time.

The incident provides lessons for all players in the blockchain ecosystem. The reality of decentralization is that every player is on their own. Exchanges can increase the number of confirmations required. They can also force users to register intended withdrawal addresses before ever making a withdrawal. Billions of dollars across markets are actually on the line. 51% attacks exist because proof-of-work is fair.

Featured image from Shutterstock.