The analysis of ETC 51% attack from SlowMist Team

Beijing time On January 06, 2019, we warned of the possibility of the ETC 51% attack in SlowMist Zone based on the information analysis of SlowMist Zone Intelligence and the BTI (Blockchain Threat Intelligence) system.

The next day, we got ETC official, Coinbase official response and analysis.

ETC release official Twitter:

“Chinese blockchain security firm SlowMist sent out an alert that the Ethereum Classic (ETC) network might have been targeted by a 51% attack.” Exclusive: One $ETC Private Pool Claimed over 51% Network Hashrate — Reported via @SlowMist_Team

Coinbase release official blog:

Jan. 7, 10:27pm PT:The Coinbase has identified a total of 15 attacks, 12 of them included double spend, totaling 219,500 ETC (about $1.1 million)

On January 08, 2019, the news was received. The official confirmed the ETC’s 51% attack. 7 transactions were detected rollback. There are four of them, and the attackers have traded a total of 54200 ETC, their txHash are:

0xb5e074866653670f93e9fd2d5f414672df9f5c21baa12b83686e136444796338
0xee31dffb660484b60f66e74a51e020bc9d75311d246f4636c0eabb9fdf161577
0xb9a30cee4ff91e7c6234a0aa288091939482a623b6982a37836910bb18aca655
0x9ae83e6fc48f63162b54c8023c7a9a55d01b7085294fb4a6703783e76b1b492a

The ETC wallet addresses which owned and manipulated by the attacker are:

0xb71d9CD39b68a08660dCd27B3EAE1c13C1267B10
0x3ccc8f7415e09bead930dc2b23617bd39ced2c06
0x090a4a238db45d9348cb89a356ca5aba89c75256

Since January 06, 2019, we began to continue to focus and track based on the BTI system, related disclosed intelligence and related blockchain explorer:

Tracking found that the address that intersected the malicious wallet address 0x3ccc8f7415e09bead930dc2b23617bd39ced2c06

for the first time was 0x24FdD25367E4A7Ae25EEf779652D5F1b336E31da

Based on this address, we continue to track and find the address at the first point in time:

0x24fdd25367e4a7ae25eef779652d5f1b336e31da

time:

2019–01–05 19:58:15 UTC

0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE is Binance wallet address:

In other words, the attacker extracted a large number of ETC from the Binance wallet to:

0x24fdd25367e4a7ae25eef779652d5f1b336e31da

And then, transfer the coin to the account:

0x3ccc8f7415e09bead930dc2b23617bd39ced2c06

According to the exclusive information provided to us by AnChain.ai, the Bitrue wallet address is 0x2c9a81a120d11a4c2db041d4ec377a4c6c401e69

According to this, we trace the attack:

Query block height: 7254355

Block: 7254430

We found that the original transaction in the follow figure on the block did not exist.

AT this point, the attacker completes the first 4000 ETC attack on Bitrue.

The same as another 9000 ETC attack on Bitrue

Bitrue was confirmed on Twitter:

We continue to track forward

time:

2019–01–06 03:26:56 UTC

Query block height:

time:

2019–01–06 03:27:11 UTC

Query block height:

And then the attacker completed the first 600 ETC attack on 0xbbe16859214e2c0ef0b7857b11f3681adedf6034

It is consistent with the information posted on the Coinbase blog:

Based on continuous tracking, we found that, in view of the increase in block confirmations and the ban on malicious wallet addresses by exchanges, the attacker’s 51% attack on ETC is in UTC 2019–01–08 04:30:17 (Beijing time 2019–01- 08 12:30:17 ) has stopped after that.We think that every large attack from the attacker must be backed up by adequate cost and under consideration of the risk,involving the money spent and time cost before the attack and during the attack,the countervailing traceability costs of money laundering after the attack. Through our intelligence analysis, the identity of the attacker can be finally located if the relevant exchanges are willing to assist.

At the same time, we believe that due to the recent decline in blockchain funding, the net mining power of the whole network has declined. You have really felt the impact of the 51% on ETC, and it is foreseeable that the attack will be increase rapidly with the cost of attack reduced. t is particularly recommended to add a risk control mechanism to the following token that have profitable space.

Reference address: https://www.crypto51.app (note that the data of this website is for reference only, absolutely can not be sloppy to represent the real attack situation)

Remarks:

Gate.io wallet address:

0x0d0707963952f2fba59dd06f2b425ace40b492fe

Gate.io gives the ETC wallet address owned and manipulated by the suspected attacker:

0xb71d9CD39b68a08660dCd27B3EAE1c13C1267B10
0x3ccc8f7415e09bead930dc2b23617bd39ced2c06
0x090a4a238db45d9348cb89a356ca5aba89c75256

Bitrue wallet address:

0x2c9a81a120d11a4c2db041d4ec377a4c6c401e69

Attacked address:

0xbbe16859214e2c0ef0b7857b11f3681adedf6034
0x2c9a81a120d11a4c2db041d4ec377a4c6c401e69
0x882f944ece4c9d5f17c657d8448c52c1f295de78
0x53dffbb30740f5e6a42685e43e8fbc1e8194afa0
0xc4bcfee7085d8026750fdc799ab30e175868497b

Involving miners or large investor:

http://gastracker.io/addr/0x090a4a238db45d9348cb89a356ca5aba89c75256
http://gastracker.io/addr/0x07ebd5b21636f089311b1ae720e3c7df026dfd72

We have the first time to add these malicious wallet address and malicious associated address to BTI and made available to partners to prevent an attacker from further attack other exchanges. And provide intelligence to partners to prevent attackers from further attacking other exchanges. Finally, we recommend that all digital asset services platform block transfers from the above malicious wallet addresses. And strengthen the risk control, maintain a high degree of attention, and be alert to double spend attacks that may erupt at any time.

If you have any questions, please contact us directly at

team@slowmist.com