A mysterious attacker is scanning the Internet for EOS blockchain nodes that are accidentally exposing private keys through an API misconfiguration.

The scans started today, according to threat intelligence firm GreyNoise, and all the malicious activity appears to be originating from the IP address: 185.169.231.209.

If you run an @EOS_io node, be aware of an actor at 185[.]169[.]231[.]209 sweeping the Internet for unauthenticated EOS RPC daemons on TCP/8888, specifically the /v1/wallet/list_keys endpoint. — GreyNoise Intelligence (@GreyNoiseIO) May 29, 2018

Scans appear to have started today, hours after security researchers from Chinese security firm Qihoo 360 published a report about a remote code execution flaw affecting the EOS blockchain platform, but the scans don't seem to be related to this report.

Scans related to GitHub bug report

Instead, the scans appear to be related to a GitHub bug report filed five days ago. In this bug report, a user reported an issue with an EOS RPC API endpoint that was accidentally revealing the private keys of EOS accounts.

The scans GreyNoise picked up today are related to this API endpoint, and more precisely the API endpoint located at /v1/wallet/list_keys, exposed via port 8888.

According to the GitHub bug report, there is no authentication system to protect access to this API endpoint, which is also automatically exposed via the EOS node's public Internet-facing interface.

The person behind the scans has clearly seen the GitHub bug report and is now looking for EOS nodes where this API endpoint has been turned on and left exposed online without the user's knowledge.

But the situation is not as dark and grim as it sounds. According to an EOS developer answering to the bug report, this API endpoint is not a standard feature of the EOS API and is only part of the wallet_plugin. This is an API plugin meant for running tests, meaning very few node owners are likely to be exposing this API endpoint online, and generally not on production nodes.

Nonetheless, careless EOS node owners who couldn't be bothered to read the API docs, should take note and disable this plugin, and use another method of retrieving private keys from their EOS blockchain node.

No correlation to Qihoo 360 bug report disclosed today

EOS is a blockchain platform built by Block.one. It is a platform similar to Ethereum, meaning it allows developers to run smart contracts on a public blockchain.

The EOS initial coin offering (ICO), which is currently raising funds to build this infrastructure, is on pace to raise $4 billion, becoming by far the largest ICO in the world, dwarfing Telegram's $1.7 billion.

EOS tokens, issued during the ICO, are ranked as the fifth largest cryptocurrency/token (based on total market cap) in the world, right after Bitcoin, Ethereum, Ripple, and Bitcoin Cash.

Earlier today, cyber-security firm Qihoo 360 revealed details [1, 2, 3] about a severe vulnerability in the EOS blockchain that would have allowed an attacker to upload a smart contract to an EOS node and take control over that node, and later spread to the entire EOS blockchain.

The EOS team fixed the reported flaw yesterday and today downplayed its severity in a series of Telegram messages.