Cryptocurrency Hacking

EtherDelta Hacked – Millions Stolen

Written by Dr-Hack



Update (10 Jan 2018): EtherDelta has not been hacked again; what you heard was probably a rumour. MyEtherWallet has also not been hijacked. If you are unsure whether a hack is real, you can ask me for a quick system check and I will let you know.

Hackers have been transferring coins from EtherDelta to their own wallets for the past 3 hours. An Ethereum wallet linked to the hackers has been identified, and 0.2 million USD worth of ETH has been transferred into it.

Just a few days ago a Korean exchange closed after its second hacking attempt in a year, and now there is another. Cryptocurrency has increased the risk of losing large amounts of fiat value, since exchanges are still the weakest link.

How EtherDelta was Hacked

EtherDelta staff took 2 hours to identify the hack, and even after they acknowledged they had been hacked, the hackers were still emptying EtherDelta users' wallets.

According to the tweet, the website's DNS servers were compromised, which means the hackers never had access to the actual website. But if that was the case, how did they manage to pull 278 ETH (and counting) out of EtherDelta wallets?
Update (21 Dec 17, 5:44 AM): The count of Ether stolen from EtherDelta wallets has increased to 307.995 ETH.

A follow-up tweet was posted from the EtherDelta Twitter account.

This means it was a typical DNS hijacking: the hackers redirected users to their own fake version of EtherDelta. That way they might have gained login details and started logging in to the original accounts. The crafted website showed order-book data pulled from the real EtherDelta charts, so it looked legitimate, while it logged the wallet details users entered, including keys. Those keys were later used to empty individual accounts and drain cryptocurrency from users of the original website.

But why did EtherDelta not close their website or disable withdrawals? As you can see on EtherScan, the hackers were still transferring ETH after the above tweets were made:
EtherDelta hacker wallet:
0x3f8a37bde9b15b65c82f9cdd00192e0ba36cc5fc

EtherScan has flagged the above wallet as Fake_Phishing305.

More details will be added as they become available. This hack took place just 2 days after Terry Liu became the new CEO of EtherDelta. Weird?

Who are the hackers stealing Ether from EtherDelta?

Currently it is unknown who the hackers are, but there is a strong possibility that they will get caught.

  • The hackers can be traced by looking at the nameservers that were used for the DNS hijacking.

    The hackers used Wildcard Networks hosting with server IP 185.27.134.140, which redirected all etherdelta.com visitors to their phishing website, where they obtained login details.

  • As visible above, this was not a DNS hijacking in the usual sense; rather, EtherDelta's Cloudflare account was compromised and the A records were pointed at the hackers' website.
  • It is really strange that it took hours for EtherDelta to respond, and the loss of coins is entirely EtherDelta's fault, as they should have had stronger login security in place.
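As an added example (not code from the original post), here is a small Python check that classifies DNS record drift the way the reasoning above does: a changed NS set points to a nameserver-level hijack, while changed A records with the nameservers untouched points to a compromise inside the DNS provider's account, which is the pattern described for EtherDelta's Cloudflare account. The baseline records are hypothetical placeholders, the snapshots are constructed, and the drifted A record is the phishing server IP quoted above.

```python
from typing import Dict, List

Snapshot = Dict[str, List[str]]

# Hypothetical known-good records for the monitored domain (placeholders).
BASELINE: Snapshot = {
    "NS": ["ns1.example-dns.net", "ns2.example-dns.net"],
    "A": ["198.51.100.10", "198.51.100.11"],
}

def _norm(values: List[str]) -> List[str]:
    """Canonicalise names/IPs so trailing dots and case do not cause noise."""
    return sorted(v.rstrip(".").lower() for v in values)

def classify_drift(observed: Snapshot, baseline: Snapshot = BASELINE) -> dict:
    """Report which record sets changed and a coarse attribution.

    NS changed         -> "nameserver-hijack": the delegation itself moved.
    A changed, NS same -> "provider-account-compromise": records edited inside
                          the existing DNS provider (the pattern above); there
                          is no NS change to spot from outside.
    """
    obs_ns, obs_a = _norm(observed.get("NS", [])), _norm(observed.get("A", []))
    ns_changed = obs_ns != _norm(baseline["NS"])
    a_changed = obs_a != _norm(baseline["A"])
    if ns_changed:
        verdict = "nameserver-hijack"
    elif a_changed:
        verdict = "provider-account-compromise"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "ns_changed": ns_changed,
        "a_changed": a_changed,
        "unexpected_a": sorted(set(obs_a) - set(_norm(baseline["A"]))),
    }

# Constructed snapshot in the shape the post describes: nameservers untouched,
# A record pointing at the phishing host IP quoted above.
INCIDENT_SNAPSHOT: Snapshot = {
    "NS": ["ns1.example-dns.net.", "NS2.example-dns.net"],
    "A": ["185.27.134.140"],
}

if __name__ == "__main__":
    print(classify_drift(INCIDENT_SNAPSHOT))
```

A real monitor would fill `observed` from a periodic resolver query against the authoritative servers and alert on any verdict other than "ok".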

Poor show, EtherDelta. It could also be an inside job. An angry employee?



  • Maxwell Swanson

    Wow. My Heart Goes Out to the Victims.

  • Alien Dogstar

    You think maybe it’s time to switch to MFA instead of using keys?

  • MFA along with keys would be better.

  • Robert De Wilde

    Can we get the original IP for DNS please so we can manually edit our hosts file?

  • You can; currently their NS point to
    ns1.dreamhost.com
    ns2.dreamhost.com
    ns3.dreamhost.com

    which resolve to
    64.90.62.230
    208.97.182.10

    Although, if it had been a normal DNS hijacking the SSL certificate would have been violated; but as Cloudflare was directly accessed, there were no alarms or warnings, since the Cloudflare nameservers (DNS) were already in use, which wouldn’t have alerted you even if you put up your own hosts file.

  • Alien Dogstar

    MFA insinuates something in addition…so yes, keys + google auth or hw nano would do the trick

  • cmil

    A couple of things: EtherDelta has no login. They didn’t bring the website down because what the hackers did was hijack the DNS (website address); to take the address down they had to contact the server provider (by the way, a crappy cheap provider), convince them that the website address is theirs, recover the account and then shut it off. This is why you should never skimp on a server provider.

  • The login part is correct; I will reflect it in the article.
    About the DNS part: their Cloudflare was hijacked, so they had no control; their only bet was to open their domain manager and remove the NS pointing to Cloudflare, which they should have, but as you said, “crappy cheap provider” …

  • cmil

    Good point, the vulnerability was Cloudflare then. I would love to see findings when these companies get hacked. This way we can all improve security and beat them bastards.

  • But surprisingly, hardly any post-hack report comes out from official sources ..

    p.s. removed the “website login” part, thanks for pointing it out
