'Blockchain Bandit' reawakens: $90M in stolen crypto seen shifting

Published at: Jan. 26, 2023

A hacker dubbed the “Blockchain Bandit” has finally woken from a six-year slumber and has started to move their ill-gotten gains.

According to Chainalysis, around $90 million in crypto pilfered from the attacker’s long-running string of “programmatic theft” since 2016 has started moving over the past week.

This included 51,000 Ether (ETH) and 470 Bitcoin (BTC), worth around $90 million leaving the Bandit’s address for a new one, with Chainalysis noting:

“We suspect that the bandit is moving their funds given the recent jump in prices."

The hacker was dubbed the “Blockchain Bandit” due to being able to empty Ethereum wallets protected with weak private keys in a process termed “Ethercombing.”

The attacker’s “programmatic theft” process has drained more than 10,000 wallets from individuals across the globe since the first attacks were perpetrated six years ago.

1/ $90M stolen funds on the move: After 6 years of hodling, the “Blockchain Bandit” has awoken. In this we cover how the Blockchain Bandit amassed this treasure trove and where the funds are currently held.

— Chainalysis (@chainalysis) January 25, 2023

In 2019, Cointelegraph reported that the "Blockchain Bandit" managed to amass almost 45,000 ETH by successfully guessing those frail private keys.

A security analyst said he discovered the hacker by accident while researching private key generation. He noted at the time that the hacker had set up a node to automatically filch funds from addresses with weak keys.

The researchers identified 732 weak private keys associated with a total of 49,060 transactions. It is unclear how many of those were exploited by the bandit, however.

“There was a guy who had an address who was going around and siphoning money from some of the keys we had access to,” he said at the time.

Chainalysis produced a diagram depicting the flow of the funds, however, it did not specify the target address, only labeling them as "intermediary addresses."

To avoid having weak private keys, Chainalysis advised users to use well-known and trusted wallets, and consider moving funds to hardware wallets if large amounts of cryptocurrency are involved to avoid having weak private keys.

Related: Hackers keeping stolen crypto: What is the long-term solution?

Also in 2019, a computer researcher discovered a wallet vulnerability that issued the same key pairs to multiple users.

Tags
Related Posts
Digital intelligence must overcome challenges to solving crypto crimes
While the value of cryptocurrencies has varied wildly in the last year, this has not diminished crypto’s attractiveness to criminals. Many of them are moving their illegal activities underground and outside the view of law enforcement. Because of the public nature of most blockchains, however, this rapid movement shouldn’t be a major concern to law enforcement agencies. With the right tools and training, following the proceeds of crypto-enabled crime is actually not as difficult as it may seem. However, intelligence agencies must have a cryptocurrency investigation plan that includes the right tools to lawfully collect digital evidence and the properly …
Technology / Aug. 20, 2021
Don’t blame crypto for ransomware
Recently, gas has been a hot topic in the news. In the crypto media, it’s been about Ethereum miner’s fees. In the mainstream media, it’s been about good old-fashioned gasoline, including a short-term lack thereof along the East Coast, thanks to an alleged DarkSide ransomware attack on the Colonial Pipeline system, which provides 45% of the East Coast’s supply of diesel, gasoline and jet fuel. In cases of ransomware, we generally see a typical cycle repeat: Initially, the focus is on the attack, the root cause, the fallout and steps organizations can take to avoid attacks in the future. Then, …
Technology / May 30, 2021
Expert Warns: Don’t Trust Ransomware Groups Amid Pandemic
A cybersecurity expert explained why he is convinced that the promises made by ransomware groups amid the pandemic are irrelevant. Brett Callow — threat analyst at cybersecurity firm Emsisoft — told Cointelegraph that multiple ransomware groups recently made promises to halt their activity against medical organizations amid the coronavirus pandemic. Still, he believes that those promises are irrelevant: “The claims of a ceasefire made by ransomware groups are irrelevant [and] should be completely disregarded. Would you leave your front door unlocked simply because the local burglars had pinky-promised not to rob you? Probably not. The story of the frog and …
Blockchain / April 16, 2020
Cryptojacking Code Found in 11 Open Libraries, Thousands Infected
A cryptojacking code was found in 11 open-source code libraries written in Ruby, which have been downloaded thousands of times. Hackers downloaded the software, infected it with malware, and subsequently reposted it on the RubyGems platform, industry news outlet Decrypt reported on Aug. 21. The malicious code was first noticed by a GitHub user, who posted about the issue on Aug. 19. He said that, when executed, the library downloaded additional code from text hosting service Pastebin, which then triggered the malicious mining. The malware also sent the address of the infected host to the attacker, alongside environment variables which …
Blockchain / Aug. 21, 2019
DeFi exploits and access control hacks cost crypto investors billions in 2022: Report
Cyber criminals used a variety of novel ways to carry out hacks and exploits in 2022, with over $2.8 billion of cryptocurrency stolen last year. According to a report from CoinGecko using data sourced from DeFiYield’s REKT Database, nearly half of the total crypto stolen in 2022 was fleeced using diverse methods. This includes bypassing verification processes, market manipulation, ‘crowd looting’ as well as smart contract and bridge exploits. The biggest hack of 2022 was carried out through an access control hack. Sky Mavis, the developer behind popular game Axie Infinity, saw its Ronin bridge hacked in March 2022, leading …
Blockchain / Feb. 13, 2023