Investigations regarding the ABET wallet hack

The Hack

Two days ago, around 11 PM PDT, over 60,000 POLIS were stolen from multiple masternode owners. None of them had shared access to their coins or handed over their private keys.

You can see the transaction here:

https://insight.polispay.org/tx/cee1625ad2752bbd4f0a64e853795ed44ec71646a18c5199a93a566353bb7b9b

The attacker immediately sold all the coins at market price on CryptoBridge, driving the POLIS price to a new low for a few hours.

After the sale, many POLIS owners came to our Discord channel for support. After talking with them for a while, we found out that POLIS was not the only coin affected; other popular masternode coins were hit too. After conversations with over 15 people, we concluded that the common factor between all of them was the latest ABET Windows wallet update, version 2.0.0, which led us to post this announcement:

@everyone 
DO NOT, UNDER ANY CIRCUMSTANCE, INSTALL AN ALTBET WALLET ON YOUR COMPUTER.
There are reasons to believe that the newest ALTBET update has a trojan, and you might lose all your coins if you install it.
Be safe.

After that announcement, more Discord servers started posting similar warnings, which led the ABET developers to think we were making false claims and to demand an apology.

We decided to look further into the issue, with the help of GIN, DOGEC, SPK, the ABET team itself and other blockchain developers. The following sections describe our investigation and our conclusion.

The investigation

First, we uploaded the QT wallet binary to two online scanners; the reports are here:

https://www.virustotal.com/gui/file/373d6f53792a5a9b70578b8dcce08d3173df6177ece195e16c86ea649b6bbe8a/detection

and here:

https://www.joesandbox.com/analysis/120863/0/html

Both services flagged the QT wallet as possibly containing malicious code. The hex string in the VirusTotal link is the SHA-256 of the submitted file, so anyone holding the installer can hash it and confirm they are looking at the same sample.

However, scanner verdicts alone are not enough to conclude an investigation; we had to dig deeper.

Looking at the official ABET GitHub release, we realized it had no Gitian build. Gitian is the deterministic build setup used by Bitcoin Core and its forks: independent builders compile the tagged source and confirm they all get byte-identical binaries. Without it, there was no easy way to know whether the compiled release matched the published source code.

So we checked the binary ourselves, and found that the final build does not correspond to the published source code.
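The two checks a user or an exchange can run without a Gitian setup are (a) whether the installer they hold is the exact file that was scanned or published, and (b) whether a build they compiled themselves from the tagged source is byte-identical to the release. The script below is an added example written for this post, not code from the ABET or Polis projects: it hashes a file, checks it against a SHA256SUMS-style list ("hash  filename" lines, as produced by sha256sum and shipped by Bitcoin Core releases), and compares a local build against a released binary. The file name altbet-qt.exe and all sample contents are constructed placeholders.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large wallet binaries need not fit in memory.

    The hex digest is what appears in a VirusTotal /gui/file/<hash>/ URL."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'hash  filename' lines into {filename: hash}.

    Lines that are not a 64-hex-digit hash plus a name (PGP armour, blanks,
    comments) are skipped; a leading '*' (sha256sum binary-mode marker) is dropped."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        digest = digest.lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name.lstrip("*")] = digest
    return sums


def verify_release(path, sums_text):
    """Return (status, digest): status is 'ok', 'mismatch' or 'unlisted'.

    'unlisted' is a finding too: a file that the publisher never hashed
    cannot be vouched for by the hash list."""
    digest = sha256_of_file(path)
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted", digest
    return ("ok" if expected == digest else "mismatch"), digest


def builds_match(local_build, released_binary):
    """Reproducible-build check: a deterministic build of the tagged source must be
    byte-identical to the shipped binary, so comparing SHA-256 digests is enough."""
    return sha256_of_file(local_build) == sha256_of_file(released_binary)


def demo():
    """Run the checks on constructed files (stand-ins, not the real ABET installer)."""
    tmp = tempfile.mkdtemp()
    release = os.path.join(tmp, "altbet-qt.exe")
    payload = b"MZ" + b"\x00" * 100 + b"constructed sample release"
    with open(release, "wb") as f:
        f.write(payload)
    # A "local build" that reproduces the release exactly, and one that does not.
    reproduced = os.path.join(tmp, "altbet-qt-local.exe")
    with open(reproduced, "wb") as f:
        f.write(payload)
    divergent = os.path.join(tmp, "altbet-qt-divergent.exe")
    with open(divergent, "wb") as f:
        f.write(payload + b"extra code not in the source tree")

    good_sums = f"{sha256_of_file(release)}  altbet-qt.exe\n"
    tampered_sums = "0" * 64 + "  altbet-qt.exe\n"
    other_only = "a" * 64 + "  other.exe\n"
    return {
        "ok": verify_release(release, good_sums)[0],
        "mismatch": verify_release(release, tampered_sums)[0],
        "unlisted": verify_release(release, other_only)[0],
        "reproducible": builds_match(reproduced, release),
        "tampered_build": builds_match(divergent, release),
    }


if __name__ == "__main__":
    print(demo())
```

A hash list only helps if it is signed by a key you already trust and obtained out of band; a SHA256SUMS file served next to a trojaned installer will simply match the trojaned installer. The build comparison is the stronger check, and it is exactly what a missing Gitian build prevents.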

We also found out that the compiled build had the following method:

This code recursively walks the user's files and sends them to the ABET servers. In other words, the ABET wallet was uploading files from the user's computer to ABET's servers. It was also collecting the user's operating system and hard drive information.
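A wallet that walks the disk and uploads what it finds has to import file-enumeration, networking and system-information APIs and usually carries its upload endpoint as a string, so a quick first pass is to pull printable strings out of the binary and look for that combination. The triage script below is an added example for this post, not the ABET wallet's code nor the Polis team's tooling. The Win32 names it looks for are real, but the heuristic (file-walk plus network imports means "investigate as exfil") is this example's own, and the sample blob and the host upload.example.com are constructed placeholders, not data from the real binary or any ABET server. For real samples you would run this over the actual file (or use `strings` and `pefile`); it reads a few hundred bytes here only to stay self-contained.

```python
import re

MIN_STRING_LEN = 6
# Runs of printable ASCII, the same idea as the `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
# Absolute URLs plus bare hostnames in a few common TLDs; widen the list for real triage.
URL_OR_HOST = re.compile(
    r"https?://[^\s\"'<>]+|(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz)\b", re.I
)

# Real Win32 import names grouped by what a "collect files and upload them" routine needs.
FILE_WALK_APIS = {
    "FindFirstFileW", "FindFirstFileA", "FindNextFileW", "FindNextFileA",
    "GetLogicalDrives", "GetVolumeInformationW",
}
NETWORK_APIS = {
    "WinHttpOpenRequest", "WinHttpSendRequest", "InternetOpenUrlA", "InternetOpenUrlW",
    "HttpSendRequestA", "HttpSendRequestW",
}
SYSINFO_APIS = {
    "GetVersionExW", "GetVersionExA", "GetComputerNameW", "GetDiskFreeSpaceExW",
    "GetSystemInfo",
}


def extract_strings(blob):
    """Return printable ASCII strings of at least MIN_STRING_LEN bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def _imports_present(strings, api_names):
    # PE import-name entries are NUL-terminated, so each name surfaces as its own
    # string, at most prefixed by a printable hint byte; endswith() tolerates that.
    return sorted(api for api in api_names if any(s.endswith(api) for s in strings))


def triage(blob):
    """Static triage: embedded endpoints plus which API groups the binary imports."""
    strings = extract_strings(blob)
    urls = sorted({m.group() for s in strings for m in URL_OR_HOST.finditer(s)})
    file_walk = _imports_present(strings, FILE_WALK_APIS)
    network = _imports_present(strings, NETWORK_APIS)
    sysinfo = _imports_present(strings, SYSINFO_APIS)
    if file_walk and network:
        verdict = "file-enumeration + network upload"
    elif network and urls:
        verdict = "network activity, no file walk"
    else:
        verdict = "no exfil pattern"
    return {
        "urls": urls,
        "file_walk": file_walk,
        "network": network,
        "sysinfo": sysinfo,
        "verdict": verdict,
    }


# Constructed stand-in for a PE file: a DOS header stub, NUL-separated import names
# (each preceded by a two-byte hint) and a placeholder endpoint. These are not bytes
# from the real ABET wallet, and upload.example.com is not an ABET server.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"\x00\x00FindFirstFileW\x00\x00\x00FindNextFileW\x00\x00\x00GetLogicalDrives\x00"
    + b"\x00\x00WinHttpOpenRequest\x00\x00\x00WinHttpSendRequest\x00"
    + b"\x00\x00GetVersionExW\x00\x00\x00GetDiskFreeSpaceExW\x00"
    + b"https://upload.example.com/collect\x00"
    + b"\x00\x00CreateWindowExW\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

A hit here is a reason to open the binary in a disassembler or run it in a sandbox with network capture, not a verdict on its own: a legitimate wallet also imports file and network functions, so the decisive question is whether the file walk feeds the HTTP request, which is what the decompiled method above shows.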

Conclusion

If you have an ABET 2.0.0 wallet, the Polis team recommends that you send all your funds to a wallet on a different computer, using a freshly created wallet.dat, and uninstall the ABET wallet immediately. If you do not, your funds may be at risk.

The Polis Team is working on a written security guide and a YouTube video. As our friends at SPK say: ‘As an open source community, we strongly believe all wallet sources should be public and complete and open to 3rd party audits.’

Special thanks to our friends at GIN, DOGEC and SPK for helping us get to the bottom of this issue.