MyEtherWallet, the web’s most popular client-side ethereum wallet, has been compromised in a DNS attack.
Numerous users are reporting missing funds and Mycrypto, a sister site which spun off from Myetherwallet earlier this year, has confirmed as much. The incident highlights the dangers of relying on a centralized interface, even when the funds are held by the individual, and exposes the inherent weaknesses of the Domain Name System.
Users of MyEtherWallet, a web app for storing and sending ether and ethereum-based tokens, experienced an attack Tuesday that saw users of the service lose around $152,000 worth of ether.
The company was quick to alert users to the danger, however, tweeting a warning at 7:29 a.m. EDT, within fifteen minutes of when the hack began:
Couple of DNS servers were hijacked to resolve https://t.co/xwxRJ4H4i8 users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.
— MyEtherWallet.com (@myetherwallet) April 24, 2018
Even so, users took to social media to report that they were losing funds.
On April 24, scores of Myetherwallet users began to report suspicious activity when trying to access the web-based ethereum interface. As the web’s most popular client-side ethereum wallet, Myetherwallet is widely used for sending money to crowd-sales, buying Cryptokitties, and conducting many more day-to-day transactions that involve sending ether or ERC20 tokens. The platform does not hold user funds, but like all websites it is still at risk of being hacked by having its DNS servers taken over, exposing the data of anyone who interacts with the service. Shortly after rumors began to circulate, MEW issued a tweet to confirm their veracity:
The first signs that something was wrong emanated from the Myetherwallet Reddit, where a user posted a thread titled “Think I got scammed/phished/hacked”. They had noticed that something was amiss after seeing the following notice when visiting the site:
They explained: “Even though every part of my body told me not to try and log in, I did. As soon as I logged in, there was a countdown for about 10 seconds and a tx was made sending the available money I had on the wallet to another wallet.” The address the funds have been sent to currently displays on Etherscan with a warning noting that it may have been involved in a MEW scam. It has conducted 180 transactions, and claimed a total of 215 ETH. It has been reported that MEW traffic was redirected to an ISP based in Russia.
“Went on to myetherwallet and saw that myetherwallet had [an] invalid connection certificate in the corner,” rotistain posted to the wallet’s subreddit around 8:30 a.m. EDT, adding:
“As soon as I logged in, there was a countdown for about 10 seconds and A tx was made sending the available money I had on the wallet to another wallet ‘0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29.’ I have no idea what happened.”
Micky Socaci, lead developer at BlockBits.io, explained the attack in a post to the ethereum subreddit.
“Do not use myetherwallet.com if you’re using Google Public DNS (126.96.36.199 / 188.8.131.52) at this moment,” he wrote, adding: “It seems these DNS servers are resolving the domain to a bad server that CAN steal your keys!”
His explanation fits with MyEtherWallet’s assertion that the attack was not on their side. Domain Name System (DNS) servers resolve domain names (the hostname part of a website URL) to the appropriate IP addresses, so a resolver that has been hijacked or poisoned can send users to an attacker’s server even though the site itself is untouched.
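The failure mode described here, some resolvers handing out a bad address while the site’s own infrastructure is intact, is detectable by an operator who compares answers across several resolvers and against the address ranges the site is actually served from. The following is an added example of that consistency check, not MyEtherWallet’s or MyCrypto’s code; the domain, the expected network range (a TEST-NET block) and the resolver answers are constructed, and in practice the answers would be gathered by querying each resolver directly.

```python
# Added example: cross-resolver consistency check for a hosted wallet front end.
# Not the wallet's own code; the domain, expected networks and answers are constructed.
import ipaddress
from collections import Counter

DOMAIN = "wallet.example"  # placeholder, not the real site

# Ranges the operator knows its front end is served from (constructed; TEST-NET-3).
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Sample A-record answers as if gathered from several public resolvers (constructed).
# Two resolvers return an address outside the expected range, modelling a poisoned cache.
RESOLVER_ANSWERS = {
    "1.1.1.1": ["203.0.113.11", "203.0.113.10"],
    "9.9.9.9": ["203.0.113.10", "203.0.113.11"],
    "149.112.112.112": ["203.0.113.10", "203.0.113.11"],
    "8.8.8.8": ["198.51.100.77"],
    "8.8.4.4": ["198.51.100.77"],
}


def normalise(answers):
    """Order-independent, syntax-validated view of one resolver's answer set."""
    return tuple(sorted(str(ipaddress.ip_address(a)) for a in answers))


def in_expected(addr, networks):
    """True if addr falls inside any of the operator's pinned networks."""
    return any(ipaddress.ip_address(addr) in net for net in networks)


def check_resolvers(answers, expected_networks):
    """Compare every resolver's answer against the majority and the pinned ranges.

    Returns a dict:
      consensus    - the most common normalised answer tuple
      consensus_ok - False if even the majority answer is outside the pinned ranges
      disagreeing  - resolvers whose answer differs from the consensus
      out_of_range - resolvers returning any address outside expected_networks
      suspect      - union of the two, sorted (what an alert should name)
    """
    views = {r: normalise(a) for r, a in answers.items()}
    consensus, _ = Counter(views.values()).most_common(1)[0]
    disagreeing = sorted(r for r, v in views.items() if v != consensus)
    out_of_range = sorted(
        r for r, v in views.items()
        if not all(in_expected(a, expected_networks) for a in v)
    )
    return {
        "consensus": consensus,
        # Majority voting alone is not enough: if most resolvers are poisoned the
        # consensus itself is wrong, so the pinned ranges are checked independently.
        "consensus_ok": all(in_expected(a, expected_networks) for a in consensus),
        "disagreeing": disagreeing,
        "out_of_range": out_of_range,
        "suspect": sorted(set(disagreeing) | set(out_of_range)),
    }


if __name__ == "__main__":
    report = check_resolvers(RESOLVER_ANSWERS, EXPECTED_NETWORKS)
    for key, value in report.items():
        print(f"{DOMAIN} {key}: {value}")
```

The range check matters more than the vote: a resolver that disagrees with the majority is worth a look, but a resolver returning an address the operator does not own is the condition that should page someone, regardless of how many other resolvers agree with it.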
As of press time, the affected funds are being shuffled around and broken into smaller increments, according to data from blockchain information provider Etherscan.
Initially, the Etherscan block explorer showed 0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29 as having received 179 inbound transactions starting from 7:17 a.m. and totaling 216.06 ether, or nearly $152,000 at the time of writing.
The attacker then sent 215 ether to another address, 0x68ca85dbf8eba69fb70ecdb78e0895f7cd94da83, at 10:15 a.m. Since then, the funds have been split even further, with increments being divided between multiple wallet addresses.
According to MyEtherWallet CEO Kosala Hemachandra, “all the DNS servers are resolving back to correct addresses.”
“But I want to wait another [hour] or so,” he added during a conversation on Skype.
It’s unclear how the hackers were able to gain control of MyEtherWallet’s Domain Name System (DNS) resolution, but this type of attack has hit cryptocurrency-related websites on multiple occasions.
As in previous instances, the malicious website phished users’ private keys when they entered them into the fraudulent MyEtherWallet client.
It appears that the hacker obtained about 215 ETH (~$160,000) from the attack, which lasted several hours. One unfortunate user lost more than 85 ETH, worth nearly $70,000.
Coins stolen as part of the attack have been funneled into this wallet, which contains more than $17 million in ETH and has been linked to previous phishing scams.
Users who accessed the fraudulent website using a hardware wallet such as Trezor were protected from the private key exploit, though it’s possible that the malicious website could have replaced the address to which they were attempting to send their coins with a false one controlled by the hacker.
Your private keys never leave the TREZOR device, so even this DNS hijack does not endanger your funds. However, it is possible that the fraudulent site might replace your addresses. Always verify the address on your TREZOR screen when sending and receiving.
— TREZOR (@TREZOR) April 24, 2018
For added security, it’s a wise idea to download a browser extension that maintains a blacklist of malicious websites. EtherAddressLookup and MetaMask are two popular options for Chrome users. These tools will not guarantee protection from phishing scams, but they provide an extra layer of protection.
MyEtherWallet users can also download a copy of the website from Github and run the client on an offline computer, further increasing their security.
Mycrypto Reveals More
Earlier this year, rival site Mycrypto launched as a direct competitor after the Myetherwallet founders went through a split. While the Mycrypto team would not wish misfortune on any members of the ethereum community, there may have been a touch of schadenfreude evident in their willingness to frankly disclose the nature of the predicament Myetherwallet has found itself in, writing:
Mycrypto also wrote: “Lots of anti-phishing folks in the community and on our team are attempting to collect information about what happened to Myetherwallet, as well as attempting to get in touch with their team to assist in any way we can. Moral of the story: use a hardware wallet or run offline.” Services such as Myetherwallet and Mycrypto can be used in desktop versions by downloading the software, which eliminates the risk of DNS attack.
DNS attacks are becoming more prevalent. In December of last year another ethereum-based platform, Etherdelta, was hit by a similar attack to the one that has affected Myetherwallet, with users also reporting stolen funds. Myetherwallet is not the only cryptocurrency site to have had DNS issues today either.
Earlier, Binance tweeted to say that Google’s DNS was down, preventing some users from accessing the exchange. Incidents such as today’s Myetherwallet attack demonstrate that, for all the precautions a user may take, sites still present a single, centralized point of failure.