How to Protect Your Crypto Wallet from Hacker Attacks

admin


The private key in most blockchains is a string of 256 bits: it will take millions of years for modern computers to guess such a password for a specific address.

However, crypto wallets are still vulnerable to hacker attacks due to bugs in applications and user errors. We talk about six ways of hacking and explain how to secure funds from theft.

1. Weak Address – Vulnerable Keys

Due to a bug in the Random Number Generator (RNG), the wallet can generate a private key with only a few random bytes. Ideally, the application works like this:

Generates a random number of the given length. Converts it to the short key format of the corresponding blockchain. Generates a public address from the key.

In this case, the number fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364110 is converted to the key 5Km2kuu7vtFDPpxywn4u3NLpbr5jKpTB3jsuDU2KYEqeoQJAair, which manages the address 1CaZUpjd7VmsyWDFrk9WG9nTYMLcLLvvCw.

But sometimes the RNG makes a mistake and generates a string with lots of zeros like 0000000000000000000000000000000000000000ffa3cafff0000000000000000 instead of a truly random number.

Hackers call these wallets Weak Addresses.

Attackers create bots. Their algorithms regularly check the balances of weak addresses in the Bitcoin and Ethereum networks. If the user generates such an address and sends cryptocurrency to it, the bot immediately steals it.

How to protect yourself: after creating a wallet, check if the symbols in it are really random. Use open source tools like Swippcore to convert a short format key to a long one on the local machine.
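The local check described above, as an added example (not code from this article or from Swippcore): it converts a short-format key to its long hex form with Base58Check and applies the "more than half zeros" rule the article gives in its closing checklist. It assumes the short format is Bitcoin's uncompressed WIF; both sample keys are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def wif_encode(key_hex: str) -> str:
    """Long (hex) key -> uncompressed mainnet WIF. Used here to build samples."""
    raw = b"\x80" + bytes.fromhex(key_hex)
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return out  # no leading-zero padding needed: the first byte is always 0x80

def wif_decode(wif: str) -> str:
    """Short (WIF) key -> 64-character hex key, verifying the checksum."""
    n = 0
    for ch in wif:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, check = raw[:-4], raw[-4:]
    if len(payload) not in (33, 34) or payload[0] != 0x80:
        raise ValueError("not a mainnet WIF private key")
    if _checksum(payload) != check:
        raise ValueError("bad checksum: mistyped or corrupted key")
    return payload[1:33].hex()

def looks_weak(key_hex: str) -> bool:
    """The article's rule: more than half of the hex characters are zeros."""
    return key_hex.count("0") > len(key_hex) // 2

# Constructed sample keys, for illustration only.
WEAK_HEX = "00" * 28 + "ffa3caff"
OK_HEX = "a3f19c5e7b2d4861" * 4

if __name__ == "__main__":
    for key_hex in (WEAK_HEX, OK_HEX):
        long_form = wif_decode(wif_encode(key_hex))
        print(long_form, "WEAK" if looks_weak(long_form) else "ok")
```

Run it on a machine that is offline, since the decoded value is the private key itself.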

2. Random Vulnerability – extracting private keys from transactions

Bitcoins exist in the form of UTXOs – unspent outputs. When sending funds, the wallet collects them for the required amount and signs the transaction with a combination of a private key and a random number – a nonce.

Due to an RNG bug, an application can sign different operations with the same nonce.

If the attackers match and decrypt the signatures of such transactions, they can extract the private keys.

This method is called Random Vulnerability. With its help, hackers hacked more than two thousand wallets worth 484 BTC.

According to a study by Kudelski Security, the vulnerability is also found in Ethereum wallets and EVM-compatible networks.

How to protect yourself: update wallet applications in time, including Bitcoin Core and its analogues for other blockchains.
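In ECDSA the same nonce always yields the same r value, so a repeated r under one key is the visible symptom of this bug. The following added example (not from the article) audits signatures your own wallet has produced; the transaction labels, key label and r/s values are constructed, and the signatures are bare DER without the sighash byte Bitcoin appends.

```python
from collections import defaultdict

def _der_int(x: int) -> bytes:
    # DER INTEGER: big-endian, with a leading 0x00 when the top bit is set
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body

def encode_der_sig(r: int, s: int) -> bytes:
    """Build a DER signature; used here only to construct sample input."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def parse_der_sig(sig: bytes) -> tuple[int, int]:
    """Parse 0x30 len 0x02 rlen r 0x02 slen s into (r, s); reject malformed input."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected a DER INTEGER")
        size = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + size]
        if size == 0 or len(body) != size:
            raise ValueError("truncated DER INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + size
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return values[0], values[1]

def find_repeated_r(sigs):
    """Return {(pubkey, r): [txids]} for every r used more than once by one key."""
    seen = defaultdict(list)
    for txid, pubkey, der in sigs:
        r, _s = parse_der_sig(der)
        seen[(pubkey, r)].append(txid)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample: tx-a and tx-c share an r value under the same key.
R_REUSED, R_OTHER = int("c1" * 32, 16), int("5e" * 32, 16)
SAMPLE = [
    ("tx-a", "pubkey-1", encode_der_sig(R_REUSED, 0x1111)),
    ("tx-b", "pubkey-1", encode_der_sig(R_OTHER, 0x2222)),
    ("tx-c", "pubkey-1", encode_der_sig(R_REUSED, 0x3333)),
]

if __name__ == "__main__":
    for (pubkey, r), txids in find_repeated_r(SAMPLE).items():
        print(f"nonce reuse: {pubkey} r={r:064x} in {txids}")
```

Any hit means the key should be treated as compromised: move the funds to a key generated by a fixed wallet version.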

3. Weak Brainwallet – generating keys from non-random data

Brainwallet is a way to generate a private key based on a user phrase instead of a random number. The phrase can be easily remembered; the name literally means “keep in the head.”

Often, users generate keys from single words, obvious combinations like 12341234, phone numbers, or movie quotes. Hackers take advantage of human predictability: they create keys from popular or leaked passwords and then withdraw cryptocurrencies from the corresponding wallets. Thus, since 2009, attackers have hacked over 19,000 Bitcoin wallets and stolen at least 4,000 BTC.

Examples of hacked wallets whose owners generated keys from common phrases. Data: Privatekeys.

How to protect yourself: do not use Brainwallet; as a last resort, come up with a really complex password from lowercase and uppercase letters, numbers and special characters.

4. Phishing – the user himself gives the key

From a technical standpoint, the easiest way to gain access to a wallet is to convince the owner to send you the key.

To do this, attackers pose as exchange and wallet support staff, famous personalities or security experts.

For example, in February 2023, hackers sent Trezor users fake emails from the company, reporting that their wallet software had been hacked and asking them to pass on a seed for “verification.”

In addition, attackers use on-chain analytics tools for attacks on the wallets of bitcoin whales – famous personalities, blockchain project managers, and crypto influencers. They write personalized letters and contact victims through personal communication channels.

How to protect yourself: never send the private key or seed phrase to anyone.

5. Keys in public access – monitoring GitHub

Developers of blockchain applications and smart contracts sometimes use personal wallets to test the functionality of the code. They may accidentally leave keys in files when publishing projects to hosting services.

Hackers track updates and downloads of repositories on GitHub, Pastebin, and other popular note-taking platforms.

They check for strings that start with “5” (Bitcoin keys in WIF format), contain words from a seed dictionary, or match the length of the private key.

How to protect yourself: do not store passwords on your computer in unencrypted files, do not use your personal wallet for business purposes.
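A pre-publication check for the three patterns listed above, as an added example (not from the article), meant to be run over your own files before pushing them. The seed-phrase pattern is a heuristic (12 to 24 lowercase words of 3 to 8 letters) rather than a dictionary lookup, and the file name and sample lines are constructed.

```python
import re
from typing import NamedTuple

B58 = "1-9A-HJ-NP-Za-km-z"  # Base58 alphabet as a regex character class
PATTERNS = {
    # 51 Base58 characters starting with "5": the WIF shape the article mentions
    "WIF private key": re.compile(rf"(?<![{B58}])5[HJK][{B58}]{{49}}(?![{B58}])"),
    # Same length as a raw private key; also matches SHA-256 digests, so review hits
    "64 hex characters (raw key length)": re.compile(
        r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])"),
    # Heuristic stand-in for "contains words from a seed dictionary"
    "possible seed phrase": re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b"),
}

class Finding(NamedTuple):
    path: str
    line: int
    kind: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Report where key-shaped strings occur, without echoing the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, kind))
    return findings

# Constructed sample file: the values have the right shape but are not real keys.
SAMPLE = "\n".join([
    'API_URL = "https://example.invalid/rpc"',
    'TEST_KEY = "5J' + "a" * 49 + '"',
    'RAW_KEY = "0x' + "ab" * 32 + '"',
    "# seed: " + " ".join(["apple"] * 12),
])

if __name__ == "__main__":
    for f in scan_text("config.py", SAMPLE):
        print(f"{f.path}:{f.line}: {f.kind}")
```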

6. Scam sites – generating compromised keys

Since 2019, hackers have been using online wallet generators as a hacking tool. Such services may issue the same keys to different users or contain vulnerabilities to intercept them.

So, in July 2023, the user r/jdmcnair announced the theft of $3,000 in bitcoin from a paper wallet that he had generated in an online service.

How to protect yourself: Do not use websites – create addresses only in hardware devices or wallet applications.

How to create a secure wallet

Private keys are more secure than most passwords, but they can also become vulnerable due to application bugs and human error.

To avoid being hacked, follow the steps to create a secure bitcoin wallet:

Do not use sites to generate addresses – only hardware wallets and applications. Do not create keys from phrases and passwords that you can remember: they are more vulnerable than the combinations created by the RNG. After generating a wallet, check if the symbols in it are really random. If more than half of the characters in the key are zeros, it is vulnerable to brute force.

In addition, it is important not to use personal cryptocurrency addresses for developing Web3 applications and to regularly update the wallet.

Remember: private keys cannot be sent to third parties, no matter what they say.


2023-08-10 13:00:06
