- Electrum hacker stole 245 BTC
The Electrum wallet was hit by a malicious phishing attack yesterday, which we wrote about at the time. New details about this hack emerged today as the potential address of the hacker was revealed, alongside his potential loot.
As a reminder, the phishing attack saw the hacker spam the Electrum network with fake servers he controlled. When wallet users that connected to a compromised server attempted to broadcast a Bitcoin transaction, they would receive an error message, asking the owner of the wallet to download an “update”. The software downloaded this way wasn’t an actual Electrum update but rather a piece of malware designed to steal your Bitcoin.
The Reddit community managed to get hold of the hacker’s address, which indicates that a disturbing amount of funds might have been stolen in this attack. At the time of writing, the wallet contains 245 BTC (currently worth just above $880 thousand). The wallet received a total of five transactions, with one user apparently losing just over 200 BTC in the attack. Electrum has released a quick fix that prevents the attacker from sending the error messages to victims. Even so, the issue still hasn’t been completely resolved.
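The attack described above depended on the wallet showing its user text chosen by the server. One defensive pattern is sketched below as an added example; it is not Electrum's code or its actual fix and is not from the original article. The rejection patterns, message wording and sample strings are assumptions constructed for illustration.

```python
import re

# Known node rejection reasons mapped to client-owned wording.
# Illustrative list (an assumption), not taken from Electrum.
KNOWN_REJECTIONS = {
    r"\bdust\b": "Transaction rejected: an output is below the dust limit.",
    r"min relay fee not met|insufficient fee": "Transaction rejected: fee too low.",
    r"missing[- ]?inputs|missingorspent": "Transaction rejected: inputs missing or already spent.",
    r"txn-mempool-conflict": "Transaction rejected: conflicts with a mempool transaction.",
}
GENERIC = "The server rejected the transaction. Try another server."
# Markup, links or "update" wording have no place in a broadcast error.
LURE = re.compile(r"https?://|www\.|<[^>]+>|\b(download|update|upgrade|install)\b", re.I)


def safe_broadcast_error(server_text):
    """Return (display_text, suspicious) for an untrusted server error string.

    The display text is always one of our own constants; server-supplied
    text is never shown, so a hostile server cannot inject links or prose.
    """
    text = server_text if isinstance(server_text, str) else ""
    text = text[:500]  # bound work on attacker-controlled input
    suspicious = bool(LURE.search(text))
    if not suspicious:
        for pattern, message in KNOWN_REJECTIONS.items():
            if re.search(pattern, text, re.I):
                return message, False
    return GENERIC, suspicious


# Constructed sample server responses (not captured from the real attack).
SAMPLES = [
    "66: dust",
    "66: min relay fee not met",
    "<b>Security update required.</b> Get it at https://wallet-update.example.invalid/",
    "unexpected internal error",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(safe_broadcast_error(sample))
```

A `suspicious` result is a useful signal for the client to drop and stop trusting that server rather than only hiding the message.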
- Bitcoin Cash lags behind other popular cryptocurrencies
Popular crypto data aggregator LongHash revealed some rather interesting data about Bitcoin Cash. While the proponents of said cryptocurrency like to boast about BCH’s scalability, block size adjustments and low fees, it just can’t keep up with the market top dogs in various areas.
LongHash looked into the most popular cryptocurrencies for online transactions and determined that Dash, Dogecoin and Litecoin currently dominate this specific segment of crypto markets. Bitcoin Cash lags behind these currencies, recording four times fewer transactions than a meme cryptocurrency like Dogecoin.
These numbers become even more jarring if we look at what Bitcoin, the currency BCH was made to replace, is able to do. BTC’s blockchain processes 20 times as many payments per day as Bitcoin Cash. The numbers become even harsher if we look at the daily active addresses that each of these payment solutions has. Blame it on the market volatility, Bitcoin maximalism, the head start that these currencies had on BCH or the recent hard fork controversy the project went through; the fact remains that the market doesn’t seem very interested in using BCH for value transfers.
- Hardware wallets vulnerable after all?!
During the 35th Computer Chaos Congress in Leipzig, Dmitry Nedospasov, Thomas Roth and Josh Datko gave a presentation called wallet.fail, where they presented a case as to why hardware wallets like Ledger Nano S or Trezor were vulnerable to several types of attacks.
Attacks performed against said hardware wallets ranged from breaking the proprietary bootloader protection and the web interfaces used to interact with wallets to physical attacks, including glitching to bypass the security implemented in the IC of the wallet. As a result of their testing, the researchers found 5 types of vulnerabilities that apparently every hardware solution on the market suffers from:
- Firmware Vulnerabilities
Firmware vulnerabilities are vulnerabilities affecting the software that runs on the hardware wallet. Since most wallets provide update mechanisms this class of bug can be patched in a future firmware release.
- Software Vulnerabilities
Software vulnerabilities are vulnerabilities affecting the host software that runs on the PC or smartphone and communicates with the hardware wallet. Since most wallets provide update mechanisms this class of bug can be patched in a future release of the host software.
- Hardware Vulnerabilities
Hardware vulnerabilities are vulnerabilities affecting the device hardware of the hardware wallet. Hardware vulnerabilities are generally incorrectly set configurations of the hardware either during manufacturing or by the firmware. If the configuration is set by firmware these vulnerabilities can be patched in a future firmware release. Otherwise, they are unlikely to be fixed by the vendor.
- Physical Vulnerabilities
Physical vulnerabilities are vulnerabilities affecting the hardware design of the hardware wallet. Once the device has been manufactured, hardware vulnerabilities cannot be mitigated and can only be fixed in a future hardware revision of the device. This class of vulnerabilities is unlikely to be fixed by the vendor.
- Architectural Vulnerabilities
Architectural vulnerabilities are vulnerabilities affecting the overall architecture of the hardware wallet. These are inherent design flaws in the device and can only be fixed in a major hardware revision, i.e. a new version of the device. This class of vulnerabilities is unlikely to be fixed by the vendor.
Overall, the one-hour presentation addressed architectures, attack vectors and challenges of building a hardware wallet solution, revealing both the good and the bad of the current hardware wallet lineup. Full presentation can be seen here. The community criticized the analysts for not responsibly disclosing their findings to the wallet manufacturers before going live with the presentation.
TREZOR’s manufacturer SatoshiLabs responded to this presentation via its Twitter: “With regards to #35c3 findings about @Trezor: we were not informed via our Responsible Disclosure program beforehand, so we learned about them from the stage. We need to take some time to fix these and we’ll be addressing them via a firmware update at the end of January.”
SatoshiLabs also responded, but through their subreddit: “Per my latest information (I am not present at the conference), we were not informed about this vulnerability via our Responsible Disclosure process, and therefore we are working with the information as it arrives. We will address this vulnerability as soon as possible, though we will need some time. Until then, you can mitigate it by using a passphrase (make sure to learn how it works first, as in case of passphrase-loss your funds are irrecoverable), or by making sure you do not lose physical access to your device. To exploit the vulnerability, the attacker needs to have physical access to your device — directly to its board.”
- Cardano launches an ambassador program
One of the market mainstays Cardano has decided to launch an ambassador program. Through this initiative, the project looks to leverage the power of their community to make the entire Cardano ecosystem a better place to be a part of.
The Cardano ambassador program will be looking to recruit and reward 4 types of community members: assistants to arrange meetups, moderators for forums and chats, pros for the creation of content and translators into foreign languages.
Charles Hoskinson, the man behind IOHK (the entity in charge of Cardano development), explained that Ambassadors will be selected based on their good work in the community; the Ambassador position is not something that is awarded directly by IOHK or other project members. A full list of requirements an ambassador needs to fulfill can be found here.