Following the trail: what we know about the hacker behind the EtherDelta attack
I have more information about the attack I detailed in my piece “How one hacker stole thousands of dollars worth of cryptocurrency with a classic code injection hack on EtherDelta and what you can learn from it” so I figured I would write another post. This is all based on what the same victim from that piece has shared with me. I hope that by sharing this, others with information will share what they have as well.
As I mentioned in my original piece, the attack was hard to trace because the contract that injected the malicious code to steal private keys was different from the addresses that were used to drain the funds. But we do know where the malicious code came from. It was inserted with this transaction in the early morning of September 24th:
(scroll down to “input data” and click “convert to ascii” to read it)
Here’s a screenshot:
Comically enough, the attacker has recently updated the code with another transaction:
(To be clear, I don’t fully understand how this transaction inserts the code into the contract, but I know that the first code snippet was what enabled the original attack.)
The contract was created from this wallet, which was first funded with just enough ETH to cover a few contract requests:
There isn’t much in that wallet, but those initial funds came from another wallet:
Which as of this writing, has over $130,000 worth of Ethereum and over 88,000 transactions.
Having such a high number of transactions, often with tiny amounts, is a likely sign that the owner of this wallet is “money laundering” with “mixers” that make it hard to trace the trail of funds going in and out. Mixing is a process by which a chunk of cryptocurrency is broken up into a lot of smaller amounts and then sent to a lot of different wallets, which are then sent to other wallets, and so on, while a similar amount of crypto is redirected from a similar set of wallets back into the original wallet, or into another wallet of the user’s choosing.
It’s important to keep in mind that while cryptocurrency wallets are “anonymous” in that they don’t contain any identifying information about the owner, they are also public and transparent. (There are some blockchains that have advanced privacy features, but Ethereum as of this writing does not.) In the event that someone is able to identify the owner of a wallet, the transaction history provides a complete “paper trail” of everything that was done with this wallet, including where the money came from and went to.
In short, if you are stealing, hiding, or even just receiving dirty money, you will want to mix these funds to make it harder to trace this behavior back to the wallet you use.
Now back to the topic at hand… while these addresses give us confirmation of the attack, it doesn’t tell us anything about the attacker. But I do have screenshots from when the attacker was fishing for victims on EtherDelta’s gitter chat room. Here is the attacker going by the name of “alex2299”:
Here you can see the attacker convinced the victim to import their private keys on EtherDelta, rather than using Metamask which is not susceptible to the exploit. Later, the attacker would send the victim a fake URL to EtherDelta containing the address of the malicious contract, and as soon as the victim clicked the link, the damage was done.
Gitter allows two options for creating accounts: Twitter and Github. This account is linked to a Github account, but that account has been deleted:
Unfortunately there isn’t too much to be gleaned from this, but another victim of this attack (yes, there are many) reported that the WhoIs entry for the domain that was used to collect the private keys (cdn-solutions.com) points to a 1337 Services, LLC . Curiously, the domain uses the nameserver “bitcoin-dns.com” but the email address associated with the domain leads to njal.la, which is a unique domain registration service that registers domains on behalf of customers that wish to remain completely anonymous. In essense, unless njal.la wishes to break their promise, or the registrant of this domain also happens to be the owner of njal.la, this is a dead end.
You can, however, search for “alex2299” in the EtherDelta chat room. Here he is playing good cop while another account (presumably him larping as the attacker) misleads everyone:
(p.s. “MaliciousTokenHacker” is also an account created from Github. It was created today and it’s still live on Github, with no activity.)
(This is called gaslighting.)
Going further back into the history, you can see “alex2299” playing good guy freelance chat support and claiming EtherDelta couldn’t possibly have a vulnerability to exploit:
The alex/mth roleplay came to a climax when “both” accounts got so frustrated with a user that they started yelling at him in unison:
Unfortunately there’s nothing linking this user to any more information, but chances are we won’t be seeing the last of them.
Update September 26: “alex2299” might be the same person as this TPB user.
Update September 28: Multiple people have reached out to me with information on a possible lead as to the identity of the hacker. I am going to share what I have in the hopes that this information is both correct and useful in bringing some sort of justice to this situation.
Twitter user @kums_uh looked into “alex2299”’s uploads on TPB and reports: “From [his uploads] I can tell you that he is… Indian and… mostly a native Hindi speaker. Also… most of his uploads are from songshl.com. Which means maybe he is the owner of that domain. So I looked up the whois data for songshl.com.”
The same information was shared by Tom Roggero in the responses to this piece.
However, Sanjeev Kumar might not be the right person, because what follows is a different lead.
In another response, Jamie Whitman took the IP address of cdn-solutions.com (181.215.235.111), went one digit down (181.215.235.110), and found a scam site that sells “Bitcoin doubling software” and even found a video demonstrating it.
(I have downloaded this video just in case it disappears soon.)
I watched the video and discovered that the speaker reveals his native language when a context menu appears at 1:50:
According to Google Translate, this is Lithuanian.
(Still, I don’t have any more identifying information about this user. It’s possible Sanjeev is the hacker, or this Lithuanian fellow, or this information is intentionally misleading, or there’s more than one person involved.)
Jamie Whitman also identified that cdn-solutions.com and bitcointoinvest.com share the same nameservers (ns1/ns2.bitcoin-dns.com). while bitcoin-dns.com and soft4cash.net (the name of the YouTube channel hosting the video is Soft4Cash) have different WhoIs info but also use private registrations so there’s no revealing information to be gleaned from that.
I did a little extra sleuthing and found that the IP address for cdn-solutions.com and bitcointoinvest.com maps to Admo.net LLC, a hosting company that was acquired by Contegix Hosting.
Maybe, with evidence of hacks and scams, Contegix and the various domain name providers could at least disable this user’s accounts. Unfortunately I still don’t know if this is enough information to identify the hacker, but I appreciate everyone who has come forward with information / made a sincere investigative effort.
Update #2 September 28: The victim of the original attack that kicked off this whole story has done some more investigative work based on my previous update. I am going to drop everything here quickly.
Here is the registration information for soft4cash.com (domain in previous update was soft4cash.net). While soft4cash.net is a full-fledged website, soft4cash.com is just a domain name registration with no website.
Registrant
Mantas Berzinis
Vilniaus g. 16
Vievis Vi
LITHUANIA
Email: berzinism@outlook.com
Administrative Contact
Mantas Berzinis
Vilniaus g. 16
Vievis Vi
LITHUANIA
Email: berzinism@outlook.com
Technical Contact
Mantas Berzinis
Vilniaus g. 16
Vievis Vi
LITHUANIA
Email: berzinism@outlook.com
Nameservers
This looks to be a sockpuppet account promoting Soft4Cash products: https://twitter.com/yosraalasttal1
This is a lookup of all emails associated with the email address berzinism@outlook.com:
They are soft4cash.com, acedsoft.com, acussoft.net, and bitcoin-x2.com (another “bitcoin doubler”).
Here is another video promoting AcedSoft / AcusSoft / Soft4Cash:
(I have also downloaded this video.)
Another context menu at 0:29 with Lithuanian text:
The name of the user on this YouTube channel is “Gabrius Masauskas.” AcusSoft.com is registered to a “Amitas Damba.” Also based in Lithuania:
Any one of these names could be a lead. It’s also possible none of these names are valid. Whoever he is, as of now it looks like he’s moving everything out of his wallet ASAP:
Please feel free to respond or message me with more information if you have it!
