On June 1, XRP Forensics discovered that 201,000 XRP (transaction F6E9E1385E11649A6C2F88723A821AF209B54030886539DCEF9DDD00E6446948) had been stolen and immediately began investigating.
It turned out that the robbed account was managed by Gatehub.com, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen large sums from several other Ripple accounts, which may also have been managed by Gatehub.com.
On the same day, XRP Forensics contacted Gatehub to alert them to a potential security breach while continuing to investigate the theft independently, and also contacted some cryptocurrency exchanges, since the hackers might attempt to launder the funds through them.
After further investigation, additional accounts related to this theft surfaced, and 12 major suspicious accounts were identified:
In fact, XRP Forensics had already identified the first victim by analyzing the data as early as 2019-05-30 12:25:40 UTC. The hacker stole 10,000 XRP from that victim in transaction 30FBBD47F6791A00BF0C1DCFF6CBD8AECBF9EF71141544C031B8FAF3EACB4C41.
As of 2019-06-05 16:00 UTC, approximately 80-90 victims had been hacked, and the total amount stolen was approximately 23,200,000 XRP, of which approximately 13,100,000 XRP had already been "washed" through cryptocurrency exchanges and mixing services. XRP Forensics later got in touch with some of the victims, and Gatehub also contacted some of the cryptocurrency exchanges involved in the hackers' money laundering.
Analysis of potential attack scenarios
Although XRP Forensics does not currently have solid evidence of where the attack originated, the following potential attack scenarios were analyzed during the investigation:
1. Gatehub account hacked
Analysis of the victims' access logs and of the transactions on the Ripple ledger suggests that no account was compromised by using the client login credentials directly on Gatehub.net.
2. Phishing
In conversations with the victims, none of them appears to have fallen for a phishing scam; for example, none of them received an email asking them to open a link to Gatehub.net.
3. Replay attack
Most of the victims' accounts were registered in December 2017 (or earlier), and some initially thought that old accounts were more susceptible because of weak cryptography in the transaction-signing software deployed at the time, but this does not appear to be the case. In practice only a few accounts are vulnerable to such attacks, and none of them was a victim of this attack.
4. Weak signing library
Although replay attacks are not at the heart of this case, it is still possible that a poorly implemented signature library used incremental nonces, which would make a brute-force attack possible. At this stage, however, it is not possible to confirm or rule out this possibility.
5. RippleTrade migration
Since most victim accounts were registered in December 2017 (or earlier) and many of them have a RippleTrade username, unreliable handling of the user account migration may be one reason these accounts were accessed by the hackers. However, not all hacked accounts are old RippleTrade accounts, so from this perspective this cause is also unlikely.
6. Browser client hacking
Although it is possible to retrieve user information by exploiting vulnerabilities in the Gatehub.net application programming interface (API), we found this approach unlikely to be the cause of the attack. The victims of this attack are also spread all over the world, whereas any such attack would have to take place by sniffing access on shared WiFi.
7. Old database leak
Since Gatehub.com is a hosted (custodial) wallet provider, it stores its users' cryptocurrency private keys. The most likely scenario is that an unknown database leak was exploited by the hacker, who then brute-forced the private keys until accounts with sufficient funds were found.
The hackers have begun to cash out
Currently, XRP Forensics has identified some cryptocurrency exchanges that have received stolen XRP, but it only has estimates, not exact figures:
Changelly.com: 6,000,000 XRP
Changenow.io: 3,250,000 XRP
Kucoin.com: 1,500,000 XRP
Huobi.com: 930,000 XRP
Exmo.me: 135,000 XRP
Hitbtc.com: 115,000 XRP
Binance.com: 110,000 XRP
Alfacashier.com: 50,000 XRP
Summary
As shown in the graph above, yellow represents the cryptocurrency exchanges and accounts used to cash out the stolen XRP; blue represents the victims; red represents the nine suspicious accounts. (Odaily note: some victim funds may not have passed through the suspicious accounts but were sent directly to an exchange.)
Because the victims are spread across the globe, the case needs to be handled by national law enforcement agencies. XRP Forensics strongly recommends that victims file complaints with the relevant law enforcement agencies in their jurisdiction.
This is a translation of https://medium.com/xrp-forensics/overview-of-the-gatehub-hack-f88a441c9203. Original author: XRP Forensics. Editor: Thomas Silkjær. Translator: Odaily Planet Daily, Moni.
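As an added illustration (not part of the original post and not XRP Forensics' own tooling) of the ledger tracing behind the exchange tally and the graph described above: starting from the victim accounts, follow outgoing payments through intermediary accounts to known exchange deposit accounts and tally what each exchange received, separating deposits sent directly by a victim from those routed via an intermediary. All addresses, transaction hashes, amounts and exchange names below are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample of XRPL Payment transactions: (hash, source, destination, XRP).
# All addresses and hashes are placeholders, not the accounts from the investigation.
TXS = [
    ("TX01", "rVictimA", "rSuspect1", 10000.0),
    ("TX02", "rVictimB", "rSuspect1", 201000.0),
    ("TX03", "rVictimC", "rExchangeX", 50000.0),   # victim funds sent straight to an exchange
    ("TX04", "rSuspect1", "rSuspect2", 150000.0),
    ("TX05", "rSuspect1", "rExchangeX", 60000.0),
    ("TX06", "rSuspect2", "rExchangeY", 150000.0),
    ("TX07", "rVictimD", "rSuspect3", 5000.0),     # parked at an intermediary, not cashed out
    ("TX08", "rOther", "rExchangeX", 999.0),       # unrelated deposit, must not be counted
]
VICTIMS = {"rVictimA", "rVictimB", "rVictimC", "rVictimD"}
EXCHANGES = {"rExchangeX": "Exchange X", "rExchangeY": "Exchange Y"}


def trace_flows(txs, victims, exchanges):
    """Follow outgoing payments from the victims (blue) through intermediaries
    (red) to known exchange deposit accounts (yellow).  Returns the set of
    intermediaries reached and, per exchange, the XRP received directly from a
    victim versus routed via an intermediary, plus the depositing tx hashes.
    Simplification: an account that received any victim funds is treated as
    fully tainted; mixing with clean funds is not modelled."""
    outgoing = defaultdict(list)
    for tx_hash, src, dst, amount in txs:
        outgoing[src].append((tx_hash, dst, amount))
    tainted, intermediaries = set(victims), set()
    deposits = defaultdict(lambda: {"direct": 0.0, "via_intermediary": 0.0, "txs": []})
    queue = deque(victims)
    while queue:
        acct = queue.popleft()
        for tx_hash, dst, amount in outgoing[acct]:
            if dst in exchanges:                      # custodial endpoint: count, don't follow
                bucket = "direct" if acct in victims else "via_intermediary"
                deposits[exchanges[dst]][bucket] += amount
                deposits[exchanges[dst]]["txs"].append(tx_hash)
            elif dst not in tainted:                  # new intermediary, keep tracing
                tainted.add(dst)
                intermediaries.add(dst)
                queue.append(dst)
    return intermediaries, dict(deposits)


if __name__ == "__main__":
    inter, dep = trace_flows(TXS, VICTIMS, EXCHANGES)
    print("suspicious intermediaries:", sorted(inter))
    for name, d in sorted(dep.items()):
        print(f"{name}: direct {d['direct']:.0f} XRP, via intermediary "
              f"{d['via_intermediary']:.0f} XRP, txs {d['txs']}")
```

Because any account that ever received victim funds is treated as fully tainted, the tally is an upper bound; a real investigation would also have to weigh per-transaction amounts against the commingled balances of intermediaries.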