Among all the scams and thievery in the bitcoin economy, one recent hack sets a new bar for brazenness: Stealing an entire chunk of raw internet traffic from more than a dozen internet service providers, then shaking it down for as many bitcoins as possible.
Researchers at Dell’s SecureWorks security division say they’ve uncovered a series of incidents in which a bitcoin thief redirected a portion of online traffic from no fewer than 19 Internet service providers, including data from the networks of Amazon and other hosting services like DigitalOcean and OVH, with the goal of stealing cryptocurrency from a group of bitcoin users. Though each redirection lasted just 30 seconds or so, the thief was able to perform the attack 22 times, each time hijacking and gaining control of the processing power of a group of bitcoin miners, the users who expend processing power to add new coins to the currency’s network.
The attacker specifically targeted a collection of bitcoin mining “pools”–bitcoin-producing cooperatives in which users contribute their computers’ processing power and are rewarded with a cut of the resulting cryptocurrency the pool produces. The redirection technique tricked the pools’ participants into continuing to devote their processors to bitcoin mining while allowing the hacker to keep the proceeds. At its peak, according to the researchers’ measurements, the hacker’s scam was pocketing a flow of bitcoins and other digital currencies including dogecoin and worldcoin worth close to $9,000 a day. “With this kind of hijacking, you can quite easily grab a large collection of clients,” says Pat Litke, one of the Dell researchers. “It takes less than a minute, and you end up with a lot of mining traffic under your control.”
The Dell researchers believe the bitcoin thief used a technique called BGP hijacking, which exploits the so-called border gateway protocol, the routing instructions that direct traffic at the connection points between the Internet’s largest networks. The hacker took advantage of a staff user account at a Canadian internet service provider to periodically broadcast a spoofed command that redirected traffic from other ISPs, starting in February and continuing through May of this year. The Dell researchers won’t name that ISP, and they’re not sure how the hacker gained access to the account or whether he or she might have in fact been a rogue staffer.
That BGP hijack allowed the hacker to redirect the miners’ computers to a malicious server controlled by the hijacker. From that server, the hacker sent the mining machines a “reconnect” command that changed the mining computers’ configuration to contribute their processing power to a pool that stockpiled the bitcoins they produced rather than paying them out to the mining pool’s participants. “Some people are more attentive to their mining rigs than others,” says Joe Stewart, a Dell researcher whose own computers were caught up in one victimized mining pool. “Many users didn’t check their setups for weeks, and they were doing all this work on behalf of the hijacker.”
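The mechanism above works because a mining rig will obey a reconnect instruction from whatever server it is currently talking to. A miner-side control that refuses to follow a reconnect to an unlisted pool host is one way to limit the damage, even when the network path itself has been hijacked. The following is an added example, not code from the article, from Dell SecureWorks, or from any mining software. It assumes the pool protocol delivers reconnect instructions as a JSON-RPC line with method `client.reconnect` and params `[host, port, wait_seconds]` (the shape used by the Stratum mining protocol); the allowlist hosts and the sample messages are constructed placeholders.

```python
"""Miner-side allowlist for pool reconnect commands (added example)."""
import json
from typing import Iterable, Tuple

# Hosts this rig is willing to mine for.  "*.example-pool.test" allows any
# subdomain of the pool operator; everything else is refused.  (Assumed values.)
ALLOWED_POOL_HOSTS = ("stratum.example-pool.test", "*.example-pool.test")


def host_allowed(host: str, allowlist: Iterable[str] = ALLOWED_POOL_HOSTS) -> bool:
    """Case-insensitive match of a hostname against exact or '*.' wildcard entries."""
    host = host.strip().lower().rstrip(".")
    for pat in allowlist:
        pat = pat.lower()
        if pat.startswith("*."):
            # "*.example" matches "a.example" but not the bare "example"
            if host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False


def vet_message(raw: str, allowlist: Iterable[str] = ALLOWED_POOL_HOSTS) -> Tuple[str, str]:
    """Classify one line received from the pool connection.

    Returns (decision, detail):
      "pass"   - not a reconnect; hand it to the normal protocol handler
      "accept" - reconnect to an allowlisted host and sane port
      "reject" - malformed message or reconnect to an unlisted destination
    """
    try:
        msg = json.loads(raw)
    except ValueError:
        return "reject", "malformed JSON"
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return "pass", str(msg.get("method") if isinstance(msg, dict) else "non-object")
    params = msg.get("params") or []
    if len(params) < 2 or not isinstance(params[0], str) or not isinstance(params[1], int):
        return "reject", "reconnect with malformed params"
    host, port = params[0], params[1]
    if not 0 < port < 65536:
        return "reject", f"bad port {port}"
    if not host_allowed(host, allowlist):
        return "reject", f"reconnect to unlisted host {host}:{port}"
    return "accept", f"reconnect to {host}:{port}"


# Constructed sample traffic: a normal job notification, a legitimate reconnect
# to a pool subdomain, a reconnect to an unrelated IP, and a garbled line.
SAMPLE_MESSAGES = [
    '{"id":1,"method":"mining.notify","params":["job1"]}',
    '{"id":null,"method":"client.reconnect","params":["eu.example-pool.test",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["198.51.100.77",3333,0]}',
    'not json',
]

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        decision, detail = vet_message(line)
        print(f"{decision:7s} {detail}")
```

In a real rig the rejected reconnect should also be logged and alerted on, since a stream of refused reconnects is exactly the signal that the upstream path has been tampered with.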
In total, Stewart and Litke were able to measure $83,000 worth of cryptocurrency stolen in the BGP attack. But the total haul could be larger: the researchers stopped collecting data for several weeks of the attack because Stewart broke his ankle in the midst of the study.
BGP hijacking has been discussed as a potential threat to internet security since as early as 1998, when a group of hackers known as the L0pht testified to Congress that they could use the attack to take down the entire internet in 30 minutes. The scheme gained renewed attention at the DefCon security conference in 2008, and five years later was used to temporarily and mysteriously redirect a portion of US internet traffic to Iceland and Belarus.
Compared to those large-scale digital hijackings, the latest bitcoin heist was a much smaller and targeted traffic-stealing operation. And given that it required inside access to an ISP, Dell’s researchers don’t expect Bitcoin thieves to repeat the attack any time soon.
In fact, the BGP bitcoin-stealing exploits represent less of a new vulnerability in bitcoin than the persistent fragility of the internet itself, Dell’s researchers say. If one Canadian ISP can be used to redirect large flows of the Internet to steal a pile of cryptocurrency, other attackers could just as easily steal massive drifts of Internet data for espionage or pure disruption. The Dell researchers suggest that companies set up monitoring through a service like BGPmon, which can detect BGP hijacking attacks. But they shouldn’t expect to be able to actually prevent those attacks any time soon.
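The monitoring the researchers recommend comes down to comparing the routes the rest of the Internet sees for your prefixes against the origin you expect, and noticing when someone else announces your prefix or a more-specific slice of it, even for only half a minute. The following is an added example, not code from the article, from Dell SecureWorks or from BGPmon; it assumes route updates have already been collected from a route collector into announce/withdraw records, and the prefixes (RFC 5737 documentation ranges), ASNs (private-use range) and timestamps are constructed sample data. It goes slightly beyond the article in also timing each event from announcement to withdrawal, which is how the short 30-second windows described above would show up.

```python
"""Toy BGP origin-hijack detector over a feed of route updates (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefixes we are responsible for and the AS that should originate them.
# Assumption: an operator maintains this from their own IRR/RPKI records.
EXPECTED_ORIGIN: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/22": 64500,
}


@dataclass
class Update:
    ts: int                          # seconds since epoch
    kind: str                        # "A" = announcement, "W" = withdrawal
    prefix: str
    origin_as: Optional[int] = None  # last AS in the AS_PATH; None on withdrawals


def covering_prefix(prefix: str, expected: Dict[str, int] = EXPECTED_ORIGIN) -> Optional[str]:
    """Return the most specific monitored prefix that equals or contains `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    best: Optional[str] = None
    for mon in expected:
        mon_net = ipaddress.ip_network(mon, strict=False)
        if net.version != mon_net.version or not net.subnet_of(mon_net):
            continue
        if best is None or mon_net.prefixlen > ipaddress.ip_network(best).prefixlen:
            best = mon
    return best


def detect_hijacks(updates: List[Update], expected: Dict[str, int] = EXPECTED_ORIGIN) -> List[dict]:
    """Flag announcements of our space from an unexpected origin AS.

    Each alert records whether the announcement was a more-specific prefix
    (which wins in routing regardless of AS path) and, once the route is
    withdrawn, how long it was visible.
    """
    alerts: List[dict] = []
    open_events: Dict[str, List[dict]] = {}   # prefix -> alerts not yet withdrawn
    for u in sorted(updates, key=lambda x: x.ts):
        if u.kind == "W":
            for ev in open_events.pop(u.prefix, []):
                ev["duration"] = u.ts - ev["start"]
            continue
        mon = covering_prefix(u.prefix, expected)
        if mon is None or u.origin_as == expected[mon]:
            continue                           # not our space, or legitimate origin
        ev = {
            "prefix": u.prefix,
            "covers": mon,
            "origin_as": u.origin_as,
            "expected_as": expected[mon],
            "more_specific": u.prefix != mon,
            "start": u.ts,
            "duration": None,                  # filled in when withdrawn
        }
        alerts.append(ev)
        open_events.setdefault(u.prefix, []).append(ev)
    return alerts


# Constructed sample feed: a legitimate route, a 30-second more-specific hijack,
# an exact-prefix origin change that is never withdrawn, and a foreign prefix.
SAMPLE_UPDATES = [
    Update(1000, "A", "203.0.113.0/24", 64500),
    Update(1100, "A", "203.0.113.0/25", 64666),
    Update(1130, "W", "203.0.113.0/25"),
    Update(1200, "A", "198.51.100.0/22", 64666),
    Update(1300, "A", "192.0.2.0/24", 64777),
]

if __name__ == "__main__":
    for a in detect_hijacks(SAMPLE_UPDATES):
        kind = "more-specific" if a["more_specific"] else "exact-prefix"
        dur = f"{a['duration']}s" if a["duration"] is not None else "still active"
        print(f"{kind} hijack of {a['prefix']} by AS{a['origin_as']} "
              f"(expected AS{a['expected_as']}), {dur}")
```

Short-lived events are the ones a polling check would miss, which is why the detector keeps every announcement rather than sampling the table at intervals; a production deployment would feed it from a live collector stream and page on any alert regardless of duration.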
“We’re going to see other events like this,” says Dell’s Stewart. “It’s ripe for exploitation.”