Internet Security Blog - Hackology

EtherDelta Hacked – Millions Stolen

Update (February 2019): the section below, up to the 10 Jan 2018 update, was written in February 2019; the original December 2017 post follows it.

EtherDelta Sold and Tweets Deleted

It amazes me that people still use EtherDelta. After I reported on the December 2017 hack below I did not follow them much, but today I stumbled upon their Twitter profile and found the tweets deleted. After pulling the tweets back up from the Internet Archive, I learned that right after the hack EtherDelta was sold to a "Chinese company", and its founder was later heavily fined by the SEC.

The new owners came up with a new ICO plan which does not seem to have worked, and their GitHub activity shows the same.

I would strongly recommend moving to a better alternative decentralized exchange. EtherDelta may once have been one of a kind, but it certainly is not any more.

Update 10 Jan 2018: EtherDelta has not been hacked again; what you heard was probably rumour. MyEtherWallet has not been hijacked either. If you are not sure about a hack you can ask me for a quick system check and I will let you know.

Hackers have started transferring coins from EtherDelta to their own wallets; three hours have passed and they are still emptying EtherDelta. An Ethereum wallet linked to the hackers has been identified, and about 0.2 million USD worth of ETH has already been moved into it.

Just a few days back a Korean exchange closed after its second hack in a year, and now this. Cryptocurrency has raised the cost of a breach to real fiat losses, and exchanges are still the weakest link.

How EtherDelta was Hacked

EtherDelta staff took about two hours to identify the hack, and even after they acknowledged it, the hackers were still emptying EtherDelta users' wallets.

Dear users, we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta https://t.co/NnqU5Er4rj DNS server. We are investigating this issue right now – in the meantime please DO NOT use the current site.

— EtherDelta (@etherdelta) December 20, 2017

As per the tweet, the website's DNS was compromised, which means the hackers never had access to the actual website. But if that was the case, how did they manage to pull 278 ETH (and counting) out of EtherDelta users' wallets?
Update (21 Dec 17, 5:44 AM): the count of ether stolen from EtherDelta users has increased to 307.995 ETH.

A follow-up tweet thread was posted from the EtherDelta Twitter account:

1/2 *IMPORTANT* we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta DNS server. We are investigating this issue right now – in the meantime please *DO NOT* use the current site.

— EtherDelta (@etherdelta) December 20, 2017

2/2 *BE AWARE* The imposter's app has no CHAT button on the navigation bar nor the official Twitter Feed on the bottom right. It is also populated with a fake order book.

— EtherDelta (@etherdelta) December 20, 2017

In effect this was a DNS hijack: the hackers pointed etherdelta.com at their own fake copy of the site. EtherDelta has no account login; a user unlocks their wallet in the browser with their private key, and the fake site was crafted to look alive, with order-book data pulled from the real EtherDelta feeds, while it logged the wallet details users entered, private keys included. With those keys the hackers could sign withdrawals themselves, and they began draining the affected users' funds to their own wallet. Note that the correct domain in the address bar and a padlock are no protection in this situation: whoever controls where a domain resolves can generally obtain a valid certificate for it as well.

But why did EtherDelta not take the site down or disable withdrawals? As you can see on Etherscan, the hackers were still transferring ETH after the above tweets were made. The wallet they used:
EtherDelta Hacker Wallet
0x3f8a37bde9b15b65c82f9cdd00192e0ba36cc5fc

Etherscan has flagged the above wallet as Fake_Phishing305.

More details will be added as they become available. This hack took place just two days after Terry Liu became the new CEO of EtherDelta. Odd?

Who are the hackers stealing ether from EtherDelta?

Currently it is unknown who the hackers are, but there is a good chance they will get caught:

  • The hackers can be traced through the infrastructure used for the hijack. They used Wildcard Networks hosting, server IP 185.27.134.140, which served the phishing copy that all etherdelta.com visitors were redirected to and where the private keys were harvested.
  • As the hosting details above show, the domain's delegation itself was not hijacked; rather EtherDelta's Cloudflare account was compromised and the A records were pointed at the hackers' server.
  • It is really strange that it took hours for EtherDelta to respond. The loss of coins is entirely EtherDelta's fault: they should have had better login security on that account, at the very least multi-factor authentication.

Poor show, EtherDelta. It could also be an inside job; an angry employee?
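What would have caught this within minutes rather than hours is a record monitor that compares what public resolvers hand out for the domain against state pinned outside the DNS provider. Below is an added example of such a check in Python; it is not EtherDelta's or Cloudflare's code. The nameservers, the CIDR ranges (RFC 5737 documentation blocks) and the snapshots are constructed; the only figure taken from this write-up is the attacker host IP 185.27.134.140. The example also separates the two hijack shapes discussed above: delegation moved at the registrar (NS changes) versus records edited inside an intact DNS provider account (A records change, NS does not).

```python
"""Pinned-record DNS monitor.

Added example for this write-up; it is not EtherDelta's or Cloudflare's code.
Every domain name, expected record and "observed" answer below is constructed
for illustration, apart from the attacker host IP reported in the post.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Expected:
    """What the operator knows they published, pinned outside the DNS provider."""
    ns: frozenset[str]          # nameservers the registrar should delegate to
    a_ranges: tuple[str, ...]   # CIDR blocks every A record must fall inside
    min_ttl: int = 300          # very low TTLs are a common hijack tell (fast cut-over)


@dataclass
class Observed:
    """One snapshot of what resolvers are currently handing out."""
    ns: set[str] = field(default_factory=set)
    a: set[str] = field(default_factory=set)
    ttl: int = 0                # 0 means "unknown" (e.g. when taken from getaddrinfo)


def check_ns(obs: Observed, exp: Expected) -> list[str]:
    """Delegation drift: the registrar hands out nameservers we never set."""
    alerts = []
    if extra := obs.ns - exp.ns:
        alerts.append(f"NS delegation changed: unexpected {sorted(extra)}")
    if missing := exp.ns - obs.ns:
        alerts.append(f"NS delegation changed: missing {sorted(missing)}")
    return alerts


def check_a(obs: Observed, exp: Expected) -> list[str]:
    """Record drift: the zone answers with an address we do not host on."""
    nets = [ipaddress.ip_network(c) for c in exp.a_ranges]
    alerts = []
    if not obs.a:
        alerts.append("no A records returned")
    for ip in sorted(obs.a):
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            alerts.append(f"A record {ip} is outside the pinned ranges")
    if obs.ttl and obs.ttl < exp.min_ttl:
        alerts.append(f"TTL {obs.ttl}s is below the pinned minimum of {exp.min_ttl}s")
    return alerts


def audit(obs: Observed, exp: Expected) -> list[str]:
    return check_ns(obs, exp) + check_a(obs, exp)


def classify(obs: Observed, exp: Expected) -> str:
    """Separate the two hijack shapes: delegation moved at the registrar versus
    records edited inside an otherwise intact DNS provider account."""
    if check_ns(obs, exp):
        return "delegation-hijack"
    if check_a(obs, exp):
        return "provider-account-hijack"
    return "clean"


def observe_live(domain: str) -> Observed:
    """Snapshot the A records with the stdlib resolver (needs network access).
    NS records and TTLs need a real DNS client such as dnspython or dig; they
    are left empty here, so the check degrades to A-record monitoring only."""
    ips = {info[4][0] for info in socket.getaddrinfo(domain, 443, socket.AF_INET)}
    return Observed(a=ips)


# Constructed pinned state: RFC 5737 documentation ranges stand in for the
# CDN ranges a real operator would pin from their provider's published list.
PINNED = Expected(
    ns=frozenset({"ns1.cdn.example", "ns2.cdn.example"}),
    a_ranges=("198.51.100.0/24", "203.0.113.0/24"),
)

# Constructed snapshots.
CLEAN = Observed(ns={"ns1.cdn.example", "ns2.cdn.example"},
                 a={"198.51.100.10", "203.0.113.10"}, ttl=300)

# The shape this post describes: delegation untouched, A records repointed at
# the attacker's host through the DNS provider's account.
PROVIDER_HIJACK = Observed(ns={"ns1.cdn.example", "ns2.cdn.example"},
                           a={"185.27.134.140"}, ttl=60)

# The other shape: the delegation itself moved to attacker-run nameservers.
DELEGATION_HIJACK = Observed(ns={"ns1.evil.example"},
                             a={"185.27.134.140"}, ttl=60)

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("provider", PROVIDER_HIJACK),
                       ("delegation", DELEGATION_HIJACK)):
        print(name, classify(snap, PINNED), audit(snap, PINNED))
```

Run it on a schedule from a host that does not share credentials with the DNS provider, and treat an A record outside the pinned ranges as a page-out rather than a ticket. Since `observe_live` only yields A records through the stdlib resolver, feed the `Observed` snapshot from dnspython or `dig` if you want the NS and TTL checks as well.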

11 comments


  • You can, currently their NS point to
    ns1.dreamhost.com
    ns2.dreamhost.com
    ns3.dreamhost.com

    which resolve to
    64.90.62.230
    208.97.182.10

    Although, if it had been a normal DNS hijacking the SSL certificate would have been violated, but as Cloudflare was directly accessed there were no alarms or warnings; as Cloudflare's nameservers (DNS) were previously in use, it wouldn't have alerted you even if you had put up your own hosts file.

  • MFA insinuates something in addition… so yes, keys + Google Auth or a hardware Nano would do the trick.

  • A couple of things: EtherDelta has no login. They didn't bring the website down because what the hackers did was hijack the DNS (website address); to take the address down they had to contact the server provider (by the way, a crappy cheap provider), convince them that the website address is theirs, recover the account and then shut it off. This is why you should never skimp on a server provider.

  • The login part is correct; I will reflect it in the article.
    About the DNS part: their Cloudflare was hijacked, so they had no control. Their only bet was to open their domain manager and remove the NS pointing to Cloudflare, which they should have, but as you said, "crappy cheap provider"…

  • Good point, the vulnerability was Cloudflare then. I would love to see the findings when these companies get hacked. This way we can all improve security and beat those bastards.

  • But surprisingly, hardly ever does a post-hack report come out from official sources…

    p.s. removed the "website login" part, thanks for pointing it out
