Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum

by   Zhen Cheng, et al.

We performed the first systematic study of a new attack on Ethereum to steal cryptocurrency. The attack is due to the unprotected JSON-RPC endpoints existed on Ethereum nodes that could be exploited by attackers to transfer Ether and other ERC20 tokens to attackers-controlled accounts. This study sheds light on the attack, including malicious behaviors involved and profits of attackers. Specifically, we first designed and implemented a honeypot that could capture real attacks in the wild. We then deployed the honeypot on the Internet and reported the results of the collected data in a period of six months. In total, our system captured more than 308 million RPC requests, coming from 1,072 distinct IP addresses. We further grouped attackers into 36 groups with 59 distinct Ethereum accounts. Among them, attackers from 34 groups were stealing the Ether, while other 2 groups were targeting ERC20 tokens. The further behavior analysis showed that attackers were following a three-steps pattern to steal the Ether. Moreover, we observed an interesting type of transaction called zero gas transaction, which has been leveraged by attackers to steal ERC20 tokens. At last, we estimated the overall profits of attackers. To engage the whole community, we will release the dataset of all captured attacks by our system.


page 1

page 2

page 3

page 4


With Trail to Follow: Measurements of Real-world Non-fungible Token Phishing Attacks on Ethereum

With the popularity of Non-Fungible Tokens (NFTs), NFTs have become a ne...

Empirical analysis and statistical modeling of attack processes based on honeypots

Honeypots are more and more used to collect data on malicious activities...

A Large-Scale Analysis of Attacker Activity in Compromised Enterprise Accounts

We present a large-scale characterization of attacker activity across 11...

A Study of Newly Observed Hostnames and DNS Tunneling in the Wild

The domain name system (DNS) is a crucial backbone of the Internet and m...

Detecting and Characterizing Lateral Phishing at Scale

We present the first large-scale characterization of lateral phishing at...

ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks

Despite the fact that cyberattacks are constantly growing in complexity,...

The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core

In this paper, we shed new light on the DNS amplification ecosystem, by ...

Please sign up or login with your details

Forgot password? Click here to reset