Misconfigured Ethereum Clients Lose Over $20 Million To Hackers

Chinese cyber-security firm Qihoo 360 Netlab have recently reported that over $20 million has been stolen from Ethereum-based apps and mining rigs.

After the sudden boost in the prices of cryptocurrency in November 2017, a massive scam for Ethereum JSON RPC points was reported to have taken place by a threat actor who identified that a version of the Electrum wallet app was shipping with its JSON RPC enabled by default, leaving users’ funds vulnerable. An RPC [Remote Procedure Call] interface’s purpose is to provide access to a programmatic API that an approved third-party service or app can interact with or get information from the original Ethereum-based service that users or companies have set up for mining or managing funds.

Every Ethereum based software, comes with an RPC today which is disabled by default and months after its launch, an official security advisory from the Ethereum Project was also released so the users don’t leave their RPC interfaces exposed if not secured by Access Control List (ACL), a firewall or other authentication systems but users often tend to carelessly fiddle with their apps without knowing what they are doing regardless of the warning.

Security experts from Qihoo 360 Netlab reported that one of the many threat actors whose targeted devices ran on port 3333, started mass scans for port 8545, where the default RPC interface resides. The attacker made only 3.96234 Ether (~$2,000-$3,000) in March this year. The scans are reported to have only intensified since and today, multiple groups have stolen over $20 million.

We can expect this to attract more attention from threat actors which means that owners of Ethereum wallets should start reading the documentation, be careful while changing their settings or review their Ethereum node’s settings so their RPC interface is not exposed to external connections and therefore, their money not vulnerable to such threats.