The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.

Daniel Corbe dcorbe at hammerfiber.com
Tue Apr 24 18:59:05 UTC 2018


Is MyEtherWallet really doing 500k/hr in business though?

> On Apr 24, 2018, at 2:35 PM, Fredrik Korsb├Ąck <hugge at nordu.net> wrote:
> 
> Aloha.
> 
> Surprised this hasnt "made the news" over at this list yet.
> 
> https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f
> 
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ
> 
> https://twitter.com/barton_paul/status/988788348272734217
> 
> TLDR; So it seems that AS10297 (some small hostingprovider in the US) suddenly started to announce de-aggregated AWS
> IP-space, containing quite alot of Route53 infrastructure, put up resolvers on their own on the hijacked IP-space and
> pointed *ATLEAST* www.myetherwallet.com to a ip-address that seems to be some kind of transparent proxy out of russia
> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
> 
> I did digging in my own logs and played it through BGP-play - seems like it was in fact only Hurricane Electric (6939)
> that actually propagated this prefix to the Internet. Which makes sense since we have seen them being part of the
> problem in almost all recent hijacks.
> 
> Can we do some collaborative digging in other tools you have handy (i guess thousand eyes probes etc could be of help
> here) to track how big the propagation was?
> 
> Being abit involved in the Ethereum world it could be noted that the login to MyEtherWallet.com is abit special since
> you actually login with you wallet-seed and not user/pass to the site... giving the possibility to make really swift
> transfers without having actual access to the real site (for good ....and bad).
> 
> -- 
> hugge @ 2603
> 



More information about the NANOG mailing list