Digging deep into the death of Gatehub

On June 1, XRP Forensics discovered that 201,000 XRP (transaction F6E9E1385E11649A6C2F88723A821AF209B54030886539DCEF9DDD00E6446948) had been stolen and immediately began investigating.

It turned out that the robbed account was managed by Gatehub.com, and that the attacker's account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen large sums from several other Ripple accounts, which may also be managed by Gatehub.com.

On the same day, XRP Forensics contacted Gatehub to alert them to a potential security breach while continuing to investigate the theft independently, and also contacted several cryptocurrency exchanges, since the hackers might attempt to launder the funds through them.


After further investigation, several accounts related to this theft surfaced, and 12 major suspicious accounts were identified.


In fact, by analyzing the ledger data, XRP Forensics traced the first victim back to 2019-05-30 12:25:40 UTC. In transaction 30FBBD47F6791A00BF0C1DCFF6CBD8AECBF9EF71141544C031B8FAF3EACB4C41 the hacker stole 10,000 XRP from that victim.

As of 2019-06-05 16:00 UTC, approximately 80-90 victims had been hacked, and the total amount stolen was approximately 23,200,000 XRP, of which approximately 13,100,000 XRP had already been "washed" through cryptocurrency exchanges and mixing services. XRP Forensics later got in touch with some of the victims, and Gatehub also contacted some of the cryptocurrency exchanges involved in the hackers' money laundering.

Potential attack scenarios

Although XRP Forensics does not yet have solid evidence of where the attack originated, the following potential attack scenarios were analyzed during the investigation:

1. Gatehub account compromise

Analysis of the victims' access logs and of the transactions on the Ripple ledger suggests that no account was accessed by logging in to Gatehub.net directly with the customer's credentials.

2. Phishing

From conversations with the victims, none of them appear to have fallen for a phishing scam; for example, none received an email asking them to open a link to Gatehub.net.

3. Replay attack

Most of the victims' accounts were registered in December 2017 (or earlier), and some initially suspected that older accounts were more susceptible because of weak cryptography in the transaction-signing software deployed at the time, but this does not seem to be the case. In practice only a few accounts are vulnerable to such attacks, and none of them were victims in this incident.

4. Incremental nonce

Although replay attacks are not at the heart of this case, it is still possible that a poorly implemented signature library used incremental nonces, which would make brute-force attacks feasible. At this stage, however, this possibility can be neither confirmed nor ruled out.

5. RippleTrade Migration

Since most victim accounts were registered in December 2017 (or earlier) and many of them have a RippleTrade username, unreliable handling of the user account migration could be one way these accounts became accessible to the hackers. However, not all hacked accounts are old RippleTrade accounts, so from this perspective it is also an unlikely cause of the attack.

6. Browser client hacking

Although it is possible to retrieve user information by exploiting vulnerabilities in the Gatehub.net application programming interface (API), we have found this approach unlikely to be the cause of the attack. Moreover, the victims of this attack are located all over the world, whereas such an attack would most likely be carried out by sniffing sessions on shared WiFi.

7. Old database leak

Since Gatehub.com is a custodial wallet provider, it stores the private keys for its customers' cryptocurrency. The most likely explanation is that the hacker exploited an as yet unknown database leak and then brute-forced the private keys until accounts with sufficient funds were found.

Hackers have begun to cash out

So far, XRP Forensics has identified several cryptocurrency exchanges that have received stolen XRP, although only estimates are known, not exact figures:

Changelly.com: 6,000,000 XRP

Changenow.io: 3,250,000 XRP

Kucoin.com: 1,500,000 XRP

Huobi.com: 930,000 XRP

Exmo.me: 135,000 XRP

Hitbtc.com: 115,000 XRP

Binance.com: 110,000 XRP

Alfacashier.com: 50,000 XRP

Summary

[Figure: flow of the stolen funds between victims, suspicious accounts and exchanges]

In the figure above, yellow represents the cryptocurrency exchanges and accounts used to cash out the stolen XRP; blue represents the victims; red represents nine suspicious accounts. (Odaily note: some victim funds may not have passed through the suspicious accounts but were sent directly to an exchange.)

Because the victims are spread across the globe, the case needs to be handled by law enforcement agencies in each country. XRP Forensics strongly recommends that victims file complaints with the relevant law enforcement agencies in their own jurisdiction.

This is a translation of https://medium.com/xrp-forensics/overview-of-the-gatehub-hack-f88a441c9203. Original author: XRP Forensics; editor: Thomas Silkjær; translator: Moni of Odaily.