The Internet’s Core Infrastructure Was Hacked to Steal Ethereum From a Popular Wallet Service

About $150,000 worth of ether was stolen from users of MyEtherWallet yesterday. The attackers apparently used an elaborate scheme to reroute internet traffic to target the popular wallet service.

The attackers exploited vulnerabilities in two basic internet protocols that route traffic around the world, the Border Gateway Protocol (BGP) and the Domain Name System (DNS). Such attacks are common, but this incident was notable for the lengths the hackers went to, affecting services from Amazon, Google, and major internet service providers in the process. Security researcher Kevin Beaumont called it the largest attack of its kind he has witnessed, highlighting the “fragility of internet security.”

MyEtherWallet users noticed something amiss when they went to the wallet’s website and received a warning saying it was using an invalid security certificate. One user on Reddit reported seeing the warning, but proceeding to log in anyway since the website address and everything else about the service appeared to be fine. After logging in, a 10-second timer appeared, counting down to the wallet’s funds being transferred out to the attacker. “I have no idea what happened,” Reddit user rotistain wrote.

It’s not really rotistain’s fault. The attack was particularly difficult for end-users to detect because it compromised fundamental internet systems. The internet is made up of clusters of networks—say, between carriers like Verizon and AT&T. Traffic passes between these clusters using the BGP system. But the system relies on each network to signal its traffic routes, and these signals are rarely checked. This lets an attacker post fraudulent announcements that redirect traffic without detection.

The incident “highlights how almost nobody noticed until the attack stopped,” Beaumont wrote. “There is a blind spot.”

Still, it’s not easy to hijack BGP to pull off an attack. “Mounting an attack of this scale requires access to BGP routers at major ISPs and real computing resource to deal with so much DNS traffic,” Beaumont wrote. In this case, it looks like the attackers were intercepting traffic bound for an Amazon Web Services feature called Route 53. Amazon said in a statement to Ars Technica that its systems weren’t compromised, and that the problem originated from an internet service provider making fraudulent traffic announcements. Research provider Internet Intelligence identified the ISP as eNet, in Ohio. When contacted, the firm said it couldn’t comment on an “ongoing investigation.” Beaumont’s analysis also shows that servers hosted by Equinix in Chicago were involved in the attack. Equinix told Ars Technica that it didn’t control the servers, which belonged to a customer.

MyEtherWallet chief executive Kosala Hemachandra urged his users to use an offline version of the wallet or a hardware wallet. “This is an ongoing battle that requires us all to stick together,” he said in a statement. That’s cold comfort for users of MEW who lost funds in the attack. A user who goes by scrap4crap on Reddit said 20 ETH was lost in the attack, worth about $14,000 at yesterday’s prices. “Going to kill myself now,” the user declared.