The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.

Fredrik Korsb├Ąck hugge at nordu.net
Tue Apr 24 20:03:46 UTC 2018


"that depends".

we for sure know that 150K or so got immediately snatched of the bat, but how much more wallets is at stake? no one knows.

What is known however is that they are trying to deploy smokescreens with tons of transfers moving ETH around wallets
and all seems to be ending up sooner or later in this account.

https://etherscan.io/address/0xb3aaaae47070264f3595c5032ee94b620a583a39

Which is good for 17MUSD.

That doesn't really matter though - i wanna speak what we do about this in the DFZ.

Can someone from HE comment on how your ingress route-filtering policy looks like towards your customers? I typically
base my peering-relationships on people/operators that i have some kind of level of trust in.



> Is MyEtherWallet really doing 500k/hr in business though?
> 
>> On Apr 24, 2018, at 2:35 PM, Fredrik Korsb├Ąck <hugge at nordu.net> wrote:
>>
>> Aloha.
>>
>> Surprised this hasnt "made the news" over at this list yet.
>>
>> https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f
>>
>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ
>>
>> https://twitter.com/barton_paul/status/988788348272734217
>>
>> TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS
>> IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
>> pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia
>> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
>>
>> I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939)
>> that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the
>> problem in almost all recent hijacks.
>>
>> Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help
>> here) to track how big the propagation was?
>>
>> Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since
>> you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift
>> transfers without having actual access to the real site (for good ....and bad).
>>
>> -- 
>> hugge @ 2603
>>
> 


-- 
hugge



More information about the NANOG mailing list