Update on the recent events 4/1/2019

Nexus
Apr 4, 2019


On April 1st 2019 a grey-hat hacker obtained over 2000 private keys from users running version 2.5.5 of the Nexus QT Windows wallet. This only affected Windows users who downloaded the QT wallet from our GitHub repository after the 18th of January 2019.

All funds that were transferred as a result of this theft were immediately handed over to the Nexus team and we are working through a process to return them to their rightful owners.

What happened?

The attacker accidentally included these keys in an automatically generated proof-of-stake transaction, thereby transferring the funds from 2023 stolen addresses into a single trust key. Shortly after the creation of this transaction the team was contacted by the attacker via the community Slack, who admitted that the stake transaction had been generated by mistake and that the resulting movement of the funds was unintentional. They immediately handed over the private key of the stake address and asked the dev team to return the coins to their owners. The stake address can be viewed here:

https://nexplorer.io/addresses/2RunTvanB6sdauWR5R2g54yWUskAgbUuSYz9EyJ85sUWBK5VZYD

The transaction totaled 1,116,410.386 NXS and can be viewed here: https://nexplorer.io/transactions/b696afa21ea1458f9bc724335bb23cf9be453c87785dcaa882907d2d542fa7b4b81c8768d66029045e77e9277027059b8e1d100b38539807e9d70097b503cd39

At the time of writing, more than 500,000 NXS have been returned to their rightful owners.

How did they do it?

Soon after the theft it became apparent that those who were affected had been using a version of the nexus-qt.exe binary with a different MD5 hash than the binary that was compiled by us as part of the 2.5.5 release. In other words, the hacker had created a modified version of our nexus-qt.exe binary with their own code inserted to steal the private keys. The MD5 hash of the affected binary is 035790907175533296cc453990bf1c7e. The correct MD5 hash is f4f4c29a2340d132094ed33dd3cbca70. To check the hash of the wallet you are using please open a command prompt, change to the folder where the nexus-qt.exe exists, and issue the following command:

CertUtil -hashfile nexus-qt.exe MD5
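As an added example (not code from the Nexus team or this post), the same check as a small Python script that runs on any platform: it streams the file through MD5 and SHA-256, normalizes the digest the way CertUtil prints it (older Windows versions emit space-separated byte pairs, some tools upper-case), and classifies it against the two MD5 values quoted above. The two hash constants are the ones quoted in this post; the script name, function names, default file path and sample bytes are assumptions for illustration.

```python
"""Check a downloaded nexus-qt.exe against the MD5 hashes quoted in the post.

Added example, not code from the Nexus project. The two hash constants are
the ones quoted above; names, paths and sample bytes are illustrative.
"""
import hashlib
import sys
from typing import Tuple

# MD5 of the nexus-qt.exe built by the team for the 2.5.5 release (from the post).
KNOWN_GOOD_MD5 = {"f4f4c29a2340d132094ed33dd3cbca70"}
# MD5 of the tampered binary that replaced it in the release assets (from the post).
KNOWN_BAD_MD5 = {"035790907175533296cc453990bf1c7e"}


def normalize_hex(digest: str) -> str:
    """Canonicalize a hash as printed by tools: older CertUtil versions emit
    space-separated byte pairs ("03 57 90 ..."), others upper-case; strip both."""
    return "".join(digest.split()).lower()


def digests_of_bytes(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of an in-memory blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def file_digests(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Stream a file through MD5 and SHA-256 so large binaries need not fit in RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def classify(md5_hex: str, good=KNOWN_GOOD_MD5, bad=KNOWN_BAD_MD5) -> str:
    """COMPROMISED if the digest matches the tampered build, OK if it matches the
    published build, UNKNOWN otherwise. UNKNOWN is not a pass: it is a file that
    matches neither list and should be treated as suspect until identified."""
    h = normalize_hex(md5_hex)
    if h in bad:
        return "COMPROMISED"
    if h in good:
        return "OK"
    return "UNKNOWN"


def check_binary(path: str) -> Tuple[str, str, str]:
    """Hash the file at `path` and classify it; returns (verdict, md5, sha256)."""
    md5_hex, sha256_hex = file_digests(path)
    return classify(md5_hex), md5_hex, sha256_hex


if __name__ == "__main__":
    # Assumed invocation: python check_nexus_qt.py <path to nexus-qt.exe>
    target = sys.argv[1] if len(sys.argv) > 1 else "nexus-qt.exe"
    verdict, md5_hex, sha256_hex = check_binary(target)
    print(f"{target}\n  MD5     {md5_hex}\n  SHA256  {sha256_hex}\n  verdict {verdict}")
    # Non-zero exit for anything that is not the published build, so the
    # check can be chained from a script.
    sys.exit(0 if verdict == "OK" else 1)
```

Two caveats worth keeping in mind when relying on a check like this. MD5 is no longer collision-resistant, so a release process should publish and compare SHA-256 as well, which is why the script records both. More importantly, a hash published through the same GitHub account that served the tampered binary could have been replaced by the same attacker; a hash list only helps when it is distributed over a channel the attacker did not control, and developer-signed releases verified at install time are the stronger control.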

With the help of GitHub support, we now have confirmed that one of our developers had their GitHub account compromised and subsequently used to upload this modified binary, replacing the one included in the 2.5.5 release assets list. The binary was uploaded on 17th January at approximately 8pm (UTC) and a second version on the 26th of January at approximately 11am (UTC). It is not yet clear how they obtained the password to this account, but we can confirm that 2FA was not enabled for this particular user.

This was not a breach of the Nexus Protocol, so if you compiled from source for Linux, were using the Mac wallet, or your Windows nexus-qt.exe has the correct MD5 hash, your funds are safe.

What do I do if I am affected?

If you believe you have lost funds as part of this attack, please use the following instructions to generate a signed message and a return address, then post both into the #fund-recovery channel in the Nexus Slack. Our support team will ensure your funds are returned to you.

How to recover your funds:

  1. Go to your transactions page and find your latest trust transaction (if you were affected you might see a large stake transaction; use the address before it, which was your trust key).
  2. Double check that the address you are signing for was included in the coinstake transaction. It will look like this: https://nexplorer.io/addresses/2S2sz1sxshG3w26bJXjHgHYws3xhANqBKu6EvmPaMWRL1wmw5HL
  3. When you find the address, right click the transaction and click “Copy”
  4. Go to File -> Sign Message
  5. You will then get a dialog box with a few fields. The first is the address field, into which you should paste the address you just copied.
  6. Below that is the message body, into which you should type your Slack name (case sensitive).
  7. Once this is done, click the Sign Message button, and you will see a big data dump appear in the lower body. It will look something like this: IQA/r5KkI0Jh1xmy5PF1JM6wtFrAaGHM4m7aLajj9Ekhu/m2V8gmMXq32hA16es3X0RQbnue2wLfSnUwIUC/7q6KSHgoLJ4r6wOc3FqZ7xdqVlaicB23MukmXvKhHcDPxnBFVQsyk2sw9w+k2ecoLsBtxrkH9t7VBGfcXmmfAfe1KGa9gSyqmJNvn/TLbb7eHQ==
  8. Copy this into the #fund-recovery channel in Slack, along with the old address from which you lost the funds (e.g. 2QhmC4xosD16g4Q26BdN3aqKUX56JVwJ6yswREg3LC9nT4buScX) and a new address to return the funds to. The new address should be created in a fresh wallet to ensure it contains no compromised keys.
  9. We will then verify from this signature that you were in fact the owner of the balance in question, and direct message you the txid of your returned funds once confirmed.

If you are not already a member of the Nexus slack you can join here:

https://join.slack.com/t/nexusearth/shared_invite/enQtNDUzNDIxOTU4NTUxLTY0MjhlYjA1MjA2MGQyMzEyYWM0ZDM5ODBiOWUwZmY1YzI2Njk0YzI0MTM3MDAwYzlmMDNkZjZjYWY5ZjYxNmM

How will we prevent this from happening again?

  1. 2FA is now required and enforced for all developer GitHub accounts.
  2. The MD5 hashes of every public release will be posted on GitHub, Twitter, and our website.
  3. Automatic updates on Tritium wallets will be signed by developer keys and the signatures verified during installation.
  4. A third-party security firm will carry out a thorough assessment of our security protocols.

As always stay vigilant, stay united, and compile from source if you can. We are happy that this incident was resolved, funds are safe, and the investigation confirmed our original suspicions.

Thank You,

Viz.
