Internet Security Blog - Hackology

EtherDelta Hacked – Millions Stolen



Update:  February 2019 – Everything written this point onward is done in February 2019

EtherDelta Sold and Tweets Deleted

It amazes me that people still use EtherDelta , after I reported about their last Hack in December 2017, I didn’t follow them much, but today I stumbled upon their profile and opened the tweets to find them deleted , after updating the tweets with internet Archive , i came to know that right after the mentioned Hack – EtherDelta was sold to some “Chinese Company” , and its founder heavily fined by SEC afterwards.

The new company came up with a new ICO plan which didn’t seem to work and their Github Activity shows the same.

I would strongly recommend to move to a better alternative Decentralized Exchange. EtherDelta might be a kind in its own capacity but it is certainly not anymore.

Update 10 Jan 2018 : EtherDelta has not been hacked again, what you heard was probably rumors. MyEtherWallet is also not hijacked. If you are not sure about a hack you can ask me for a quick system check and will let you know

Hackers started transferring coins from EtherDelta to their Wallets , 3 hours have passed since hackers have been emptying EtherDelta. An Ethereum Wallet linked with hackers have been identified and hackers have transferred 0.2 Million USD worth of ETH to their own wallet.

Just few days back a korean exchange closed due to second hacking attempt in an year and now its another. Cryptocurrency has increased the risks of losing high amount of fiat as exchanges are still the weakest link

How EtherDelta was Hacked

EtherDelta staff was only 2 hours late to identify the Hack and even after they acknowledged they were hacked ,hackers were still emptying wallets of EtherDelta.

Dear users, we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta https://t.co/NnqU5Er4rj DNS server. We are investigating this issue right now – in the meantime please DONOT use the current site.

— EtherDelta (@etherdelta) December 20, 2017

As per the tweet, DNS Servers were compromised of the website which means that hackers never had access to the actual website but if that was the case how did the hackers manage to pull out 278 ETH from EtherDelta wallets ? (and counting)
Update (21 Dec 17 5:44 AM ) : Count of stolen Ethereum from EtherDelta wallet has increased to 307.995 ETH

A follow up tweet was made from EtherDelta Twitter Account

1/2 *IMPORTANT* we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta DNS server. We are investigating this issue right now – in the meantime please *DONOT* use the current site.

— EtherDelta (@etherdelta) December 20, 2017

2/2 *BE AWARE* The imposer’s app has no CHAT button on the navigation bar nor the offical Twitter Feed on the bottom right. It is also populated with a fake order book.

— EtherDelta (@etherdelta) December 20, 2017

It means its a typical DNS Hijacking and the Hackers redirected the users to their own FAKE version of etherdelta , that way they might have gained login details and started logging in to original accounts got users a crafted websiet where the order books data was coming off etherdelta charts while logging Wallet details including keys which were later used to empty individual accounts and started draining cryptocurrency from original website users.

But why did not EtherDelta close their website or disable withdrawals ? as you can see in EtherScan hackers were still transferring ETH after the above tweets were made :
EtherDelta Hacker Wallet
0x3f8a37bde9b15b65c82f9cdd00192e0ba36cc5fc

EtherScan has flagged the above wallet as Fake_Phishing305

More details will be added as they are available,this Hack took place just after 2 days of new CEO Terry Liu of EtherDelta , Weird ?

Who are the Hackers of EtherDelta stealing Ethers ?

Currently it is unknown who the hackers are but there are strong possibilities that they may get caught

  • Hackers can be traced by looking at the NameServers which were used for DNS Hijacking. Details of Hackers can be accessed after unlocking

    Hackers used Wildcard Networks Hosting and used Server IP : 185.27.134.140 which redirected all etherdelta.com visitors to hackers phishing website where they obtained Login Details.

  • As visible above, DNS hijacking was not done, rather Cloudflare account of EtherDelta was compromised and A RECORDS were shifted to Hackers website
  • Its really strange that it took hours for EtherDelta to respond and all the loss of Coins is totally fault of EtherDelta as they should have kept better login security means.

Poor Show EtherDelta , It can also be an inside job. An angry employee ?

12 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.



Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)

Pin It on Pinterest

Shares
Share This