WBTC Address Poisoner Exposed With ‘Digital Evidence’: Match Systems
The address poisoning attacker who stole an estimated $68 million worth of Wrapped Bitcoin (WBTC) was exposed through “digital evidence,” including “device fingerprints,” according to a May 23 statement by Match Systems CEO Andrey Kutin. This evidence ultimately strengthened the victim's hand in negotiations and led to a full refund, he said.
According to Kutin, the attacker did not use regulated exchanges that enforce Know Your Customer and anti-money laundering checks, so researchers were unable to confirm the attacker's identity. They did, however, find “secondary” or “circumstantial” evidence that the person under investigation had failed to exercise due diligence and had recklessly taken possession of stolen funds. This is what strengthened their hand in negotiations.
The $68 million address poisoning attack occurred on May 5 against an Ethereum account starting with “0x1e”. In this type of attack, the attacker generates an address whose first and last characters match one the victim has used before, then creates a transaction that appears to show the victim's tokens moving to that look-alike address. This pollutes the victim's transaction history and leads them to believe the attacker's address is safe, because the victim appears to have sent funds to it voluntarily in the past.
As a result, the victim sent $68 million in WBTC to the attacker's address, a loss of roughly 97% of the account's holdings.
However, on May 10, the attacker sent almost all of the stolen funds back to the victim, amounting to a full refund. At the time, blockchain security platform Match Systems said the reversal was the result of negotiations between the two parties. The firm said the Cryptex cryptocurrency exchange had also assisted with the negotiations.
In a May 23 conversation with Cointelegraph, Match Systems' Kutin revealed new details on how the team persuaded the attacker to return the stolen funds.
According to Kutin, the team first became aware of the poisoning attack on the day it occurred, when several social media accounts reported that a crypto “whale” had transferred $68 million in WBTC to a new address. The team quickly recognized the transfer as the result of address poisoning. However, the victim's identity was unknown and there was no obvious way to reach them.
The Match Systems team decided to reach the victim by posting a message on the Ethereum network itself. “If the hacker doesn't return the money, please contact us for help,” the message said.
In response, a “third party” contacted Match Systems researchers, Kutin said. The victim did not want their identity disclosed, so this intermediary relayed communications between the two sides. Cryptex also became involved at this point and offered to help broker the deal.
The attacker had neither funded their wallet from a regulated exchange nor attempted to cash out the stolen funds through one, so there was no KYC record that could identify them.
However, the team was able to trace some of the attacker's transactions to IP addresses in Hong Kong, Kutin said. These addresses became the starting point for further investigation.
In a May 8 blog post, blockchain security platform SlowMist also claimed to have obtained the IP addresses. According to SlowMist, the addresses were obtained through its “Intelligence Network.” The IP addresses appeared to correspond to “cell sites,” or mobile phone towers, although SlowMist could not entirely rule out that they were VPN servers.
According to Kutin, Match Systems was able to link these IP addresses to additional “digital evidence” that could identify the attacker, including a “device fingerprint.”
A “device fingerprint” may include information such as the user's operating system, processor type, memory, screen resolution, browser version, plug-ins and extensions, time zone settings, language preferences, installed fonts, average typing speed and browsing habits, and other characteristics, according to the Cyber Security Forum Trust.
Kutin says digital evidence of this kind is the only way to catch cybercriminals in today's environment. Attackers no longer attempt to cash out through regulated exchanges. Instead, there are now “special escrow services” that let hackers trade their cryptocurrency for cash.
The United States sometimes prosecutes the operators of these services, but “maybe they have suicide chats, and there's nothing on their phones or devices,” Kutin said, which makes it impossible for authorities to gather evidence against them. People have become “well-educated on both sides.”
Instead of trying to pursue these escrow services, Match Systems focuses on finding the “thinnest thread” of digital evidence that can be used to identify a perpetrator. This thin thread can include IP addresses, device fingerprints, and other “tips and tricks.”
The evidence was “secondary” or “circumstantial,” Kutin admitted. The device could only be confirmed to have been used to launder the stolen funds, so it could not be tied directly to the attack itself. However, he said, it could still show that the person making the transactions had not exercised due diligence about the source of the funds they received.
“No, we received the stolen money. It wasn't our money that was stolen,” Kutin said, paraphrasing what he often hears from attackers. But “you have to know the very simple principle of due diligence,” he said.
The team used this evidence to negotiate with the attacker, contacting them through on-chain messaging to open a conversation. The end result was that the attacker returned all of the funds and has not been charged.
Kutin acknowledged that this could be considered a poor outcome, since the public interest in prosecuting the attacker was not served. However, he argued that it was better than many alternatives, because at least the victim recovered all of their money. “The ending may not be very good because the criminal will go unpunished, but it is not very bad for either side,” he argued.
Address poisoning attacks are a common problem for blockchain users, although most do not cause losses on the scale seen in this case. To avoid becoming a victim, experts recommend that users verify the full destination address of every transaction, not just the first and last few characters that wallets typically display.
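The two defensive checks that follow from the attack described above are (1) hiding poisoned entries from the transaction history a user copies addresses from, and (2) refusing a send whose destination matches a known payee only on its visible ends. The following Python is an added illustration written for this page, not code from Match Systems, SlowMist, Cointelegraph or any wallet; the addresses, transaction hashes and the `Transfer` record shape are constructed assumptions about what a wallet's indexer would return, and the zero-value `transferFrom` pattern it flags is the common way such history entries are created.

```python
"""Wallet-side checks against address poisoning (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Iterable

_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate a 20-byte hex address and lower-case it for comparison."""
    if not _ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def looks_alike(candidate: str, trusted: str, ends: int = 4) -> bool:
    """True if `candidate` shares its first and last `ends` hex digits with
    `trusted` but is a different address: exactly the pair an abbreviated
    display such as 0xd9a1...b2c3 cannot tell apart."""
    c, t = normalize(candidate)[2:], normalize(trusted)[2:]
    return c != t and c[:ends] == t[:ends] and c[-ends:] == t[-ends:]


@dataclass(frozen=True)
class Transfer:
    tx_hash: str       # assumed indexer field names
    sender: str        # ERC-20 Transfer event `from`
    receiver: str      # ERC-20 Transfer event `to`
    value: int         # token base units
    initiated_by: str  # account that signed the transaction


def flag_poisoning(history: Iterable[Transfer], owner: str,
                   address_book: Iterable[str]) -> list:
    """Return (tx_hash, reason) for history entries bearing the marks of
    address poisoning, so the wallet can hide them from the copyable list."""
    owner = normalize(owner)
    trusted = [normalize(a) for a in address_book]
    flags = []
    for tx in history:
        frm, to, by = (normalize(tx.sender), normalize(tx.receiver),
                       normalize(tx.initiated_by))
        # transferFrom(owner, attacker, 0) passes the allowance check on most
        # ERC-20 tokens, so anyone can make the owner appear to "send" 0.
        if frm == owner and tx.value == 0 and by != owner:
            flags.append((tx.tx_hash, "zero-value outgoing transfer not signed by owner"))
            continue
        # Dust sent to the owner from an address mimicking a known payee.
        if to == owner and any(looks_alike(frm, t) for t in trusted):
            flags.append((tx.tx_hash, "dust from look-alike of a trusted address"))
    return flags


def check_destination(dest: str, address_book: Iterable[str]) -> tuple:
    """Decide whether a send may proceed, comparing the full address only."""
    d = normalize(dest)
    for t in address_book:
        t_norm = normalize(t)
        if d == t_norm:
            return ("allow", "exact match with address book")
        if looks_alike(d, t_norm):
            return ("block", f"differs from trusted {t_norm} only in the middle")
    return ("confirm", "address not in address book; verify out of band")


# Constructed sample data; none of these addresses relate to the incident.
OWNER = "0x1111111111111111111111111111111111111111"
TRUSTED = "0xd9a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3"
LOOKALIKE = "0xd9a1" + "f" * 32 + "b2c3"   # same four hex digits at each end
STRANGER = "0x2222222222222222222222222222222222222222"

HISTORY = [
    Transfer("0xaa01", OWNER, TRUSTED, 100, OWNER),       # genuine payment
    Transfer("0xaa02", OWNER, LOOKALIKE, 0, LOOKALIKE),   # poison: transferFrom(..., 0)
    Transfer("0xaa03", LOOKALIKE, OWNER, 1, LOOKALIKE),   # poison: dust from mimic
    Transfer("0xaa04", STRANGER, OWNER, 50, STRANGER),    # ordinary inbound transfer
]

if __name__ == "__main__":
    for tx_hash, why in flag_poisoning(HISTORY, OWNER, [TRUSTED]):
        print(f"hide {tx_hash}: {why}")
    print(check_destination(LOOKALIKE, [TRUSTED]))
    print(check_destination(TRUSTED, [TRUSTED]))
```

Running the script hides the two poisoned entries (`0xaa02`, `0xaa03`) and blocks a send to the look-alike while allowing the genuine payee. The comparison is deliberately done on the lower-cased full address rather than the truncated form, because the truncated form is precisely what the attacker controls.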