Internet Security Blog - Hackology

EtherDelta Hacked – Millions Stolen

Update:  February 2019 – Everything written this point onward is done in February 2019

EtherDelta Sold and Tweets Deleted

It amazes me that people still use EtherDelta , after I reported about their last Hack in December 2017, I didn’t follow them much, but today I stumbled upon their profile and opened the tweets to find them deleted , after updating the tweets with internet Archive , i came to know that right after the mentioned Hack – EtherDelta was sold to some “Chinese Company” , and its founder heavily fined by SEC afterwards.

The new company came up with a new ICO plan which didn’t seem to work and their Github Activity shows the same.

I would strongly recommend to move to a better alternative Decentralized Exchange. EtherDelta might be a kind in its own capacity but it is certainly not anymore.

Update 10 Jan 2018 : EtherDelta has not been hacked again, what you heard was probably rumors. MyEtherWallet is also not hijacked. If you are not sure about a hack you can ask me for a quick system check and will let you know

Hackers started transferring coins from EtherDelta to their Wallets , 3 hours have passed since hackers have been emptying EtherDelta. An Ethereum Wallet linked with hackers have been identified and hackers have transferred 0.2 Million USD worth of ETH to their own wallet.

Just few days back a korean exchange closed due to second hacking attempt in an year and now its another. Cryptocurrency has increased the risks of losing high amount of fiat as exchanges are still the weakest link

How EtherDelta was Hacked

EtherDelta staff was only 2 hours late to identify the Hack and even after they acknowledged they were hacked ,hackers were still emptying wallets of EtherDelta.

Dear users, we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta DNS server. We are investigating this issue right now – in the meantime please DONOT use the current site.

— EtherDelta (@etherdelta) December 20, 2017

As per the tweet, DNS Servers were compromised of the website which means that hackers never had access to the actual website but if that was the case how did the hackers manage to pull out 278 ETH from EtherDelta wallets ? (and counting)
Update (21 Dec 17 5:44 AM ) : Count of stolen Ethereum from EtherDelta wallet has increased to 307.995 ETH

A follow up tweet was made from EtherDelta Twitter Account

1/2 *IMPORTANT* we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta DNS server. We are investigating this issue right now – in the meantime please *DONOT* use the current site.

— EtherDelta (@etherdelta) December 20, 2017

2/2 *BE AWARE* The imposer’s app has no CHAT button on the navigation bar nor the offical Twitter Feed on the bottom right. It is also populated with a fake order book.

— EtherDelta (@etherdelta) December 20, 2017

It means its a typical DNS Hijacking and the Hackers redirected the users to their own FAKE version of etherdelta , that way they might have gained login details and started logging in to original accounts got users a crafted websiet where the order books data was coming off etherdelta charts while logging Wallet details including keys which were later used to empty individual accounts and started draining cryptocurrency from original website users.

But why did not EtherDelta close their website or disable withdrawals ? as you can see in EtherScan hackers were still transferring ETH after the above tweets were made :
EtherDelta Hacker Wallet

EtherScan has flagged the above wallet as Fake_Phishing305

More details will be added as they are available,this Hack took place just after 2 days of new CEO Terry Liu of EtherDelta , Weird ?

Who are the Hackers of EtherDelta stealing Ethers ?

Currently it is unknown who the hackers are but there are strong possibilities that they may get caught

  • Hackers can be traced by looking at the NameServers which were used for DNS Hijacking. Details of Hackers can be accessed after unlocking
    [sociallocker]Hackers used Wildcard Networks Hosting and used Server IP : which redirected all visitors to hackers phishing website where they obtained Login Details.[/sociallocker]
  • As visible above, DNS hijacking was not done, rather Cloudflare account of EtherDelta was compromised and A RECORDS were shifted to Hackers website
  • Its really strange that it took hours for EtherDelta to respond and all the loss of Coins is totally fault of EtherDelta as they should have kept better login security means.

Poor Show EtherDelta , It can also be an inside job. An angry employee ?


This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • You can , currently their NS point to

    which resolve to

    Although, if it was a normal DNS Hijacking the SSL certificate would have been violated but as cloudflare was directly accessed thus there were no alarms or warnings , as previously cloudflare nameservers (DNS ) were used, which wouldn’t have alerted you even if you put up your own hosts file

  • MFA insinuates something in addition…so yes, keys + google auth or hw nano would do the trick

  • A couple of things, Etherdelta has no login. They didn’t bring the website down because what the hackers did was hijack the DNS (Website address) to take the address down they had to contact the Server provider (by the way a crappy cheap provider) convince them that the website address is theirs, recover the account and then shut it off. This is why you should never skimp on server provider.

  • login part is correct will reflect it in the article.
    about the DNS part.. their cloudflare was hijacked they had no control , their only bet was to open their domain manager and remove the NS pointing to cloudlfare , which they should have but as you said “crappy cheap provider” …

  • Good point, vulnerability was Cloudfarw then. I would love to see finding when these companies get hacked. This way we all can improve security and beat them bastards.

  • but surprisingly, hardly a post-hack report comes out from official sources ..

    p.s. removed the “website login” part , thanks for pointing out

Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Utopia p2p Ecosystem