Hackers stole more than $20 million from Ethereum users

According to the Chinese cybersecurity company Qihoo 360 Netlab, a group of hackers stole coins worth more than $20 million from applications on the Ethereum network. The attack became possible due to unprotected network ports of Ethereum nodes (default RPC port: 8545).

The RPC interface is designed to provide access to an API (application programming interface) that is used by applications to access data and conduct operations on the Ethereum network. It is used by mining management programs, wallets, and blockchain explorers.

The RPC interface allows you to perform security-critical operations such as retrieving private keys and transferring funds. Therefore, access to the RPC interface must be strictly limited, both within the network and locally for applications running on the system.

For this reason, RPC is disabled by default, and when it is activated the developer receives a warning about the security measures that must be followed.

Most modern Ethereum-based software requires access to RPC, but in most cases it is only allowed for the local system (localhost, 127.0.0.1). That is, even when it is activated, it is only available to applications running on the same physical machine.


However, many users do not like to read the documentation.


For many years, individual developers have cobbled together their applications without really thinking about what they do. 

This is not a new problem; a few months later, the Ethereum Project team sent out an official security alert. It said that many mining pools operate with an RPC interface open to the external network.

Attempts to detect vulnerable systems have never stopped. But after the explosive rise in cryptocurrency prices at the end of 2017, many new people appeared who wanted to get easy money using vulnerabilities and holes left by careless developers.

One of the most massive surges in Ethereum JSON RPC scanning activity was noted in November 2017. In many cases this scanning was successful because, for example, one version of the Parity wallet and eth, a full node implementation written in C++, initially shipped with ports open to the outside world.


In May 2018, Satori, one of the largest IoT botnets, was also seen scanning Ethereum RPC ports.

According to Qihoo 360 Netlab, at that time the hackers managed to obtain only 3.96234 Ether (~$2,000-$3,000).


However, after reviewing these studies later, the Netlab team states that the attack on RPC has never stopped, but on the contrary, it is only intensifying. New groups are constantly joining it. One of the groups of hackers was luckier and was able to withdraw about $20 million in Ether from vulnerable systems.

Since ready-made tools for automatically scanning and hacking Ethereum ports are publicly available on GitHub, leaving these ports open is effectively financial suicide.

Qihoo 360 Netlab strongly recommends that all owners of online wallets, mining farms and pools carefully check the settings of their systems and conduct a security audit.
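One way to run the settings check on a Linux node is to confirm that nothing is listening on port 8545 outside the loopback address. The script below is an added example, not code from Netlab or any Ethereum client; the function names and the two socket tables are constructed for illustration, and it assumes a little-endian host and IPv4 only.

```python
import ipaddress
import struct

RPC_PORT = 8545     # default Ethereum JSON-RPC port named in the article
TCP_LISTEN = 0x0A   # Linux kernel state code for a listening socket

HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue "
          "tr tm->when retrnsmt   uid  timeout inode\n")

# Constructed samples in /proc/net/tcp format (not captured from real hosts).
SAFE_HOST = HEADER + (
    "   0: 0100007F:2161 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 40001\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0 0 40002\n"
)
EXPOSED_HOST = HEADER + (
    "   0: 00000000:2161 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 50001\n"
    "   1: 1401A8C0:2161 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000  1000 0 50002\n"
    "   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0 0 50003\n"
)


def decode_endpoint(field):
    """Turn '0100007F:2161' into (IPv4Address('127.0.0.1'), 8545)."""
    hex_addr, hex_port = field.split(":")
    # Assumption: little-endian host (x86, ARM), where the kernel prints
    # the four address bytes in reversed order.
    packed = struct.pack("<I", int(hex_addr, 16))
    return ipaddress.IPv4Address(packed), int(hex_port, 16)


def exposed_rpc_listeners(proc_net_tcp, port=RPC_PORT):
    """Return bind addresses of LISTEN sockets on `port` that are not loopback."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, local_port = decode_endpoint(fields[1])
        state = int(fields[3], 16)
        # Established connections (state 01) and other ports are ignored.
        if state == TCP_LISTEN and local_port == port and not addr.is_loopback:
            findings.append(str(addr))
    return findings


if __name__ == "__main__":
    for name, table in (("safe", SAFE_HOST), ("exposed", EXPOSED_HOST)):
        print(name, exposed_rpc_listeners(table) or "no non-loopback listener")
```

On a real node, pass the contents of `/proc/net/tcp` instead of the samples. A listener reported as `0.0.0.0` accepts connections on every interface, so it is reachable from the network unless a firewall blocks it.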
