From c91b80c3aafdf2fc1b83e9396342f69f57a8ed94 Mon Sep 17 00:00:00 2001 From: Christian Reitter Date: Mon, 27 Nov 2023 23:50:13 +0100 Subject: [PATCH] Improve wording in blogpost no.1 --- _posts/2023-11-22-research-update-1.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/_posts/2023-11-22-research-update-1.md b/_posts/2023-11-22-research-update-1.md index 84866f9..a088c2a 100644 --- a/_posts/2023-11-22-research-update-1.md +++ b/_posts/2023-11-22-research-update-1.md 
@@ -68,12 +68,12 @@ A noteworthy detail here is the apparent trend towards `192 bit` wallets, which Some relevant facts about the discovered wallets from ec-new: * Earliest use on 2016-12-15, likely with a pre-release version of `bx` `3.0.0`. All other usages are after the official release date. -* Overall, a total cumulative volume of **111.94BTC** has moved across the weak wallets of this type. +* Overall, a total cumulative volume of **111.94BTC** has moved across the weak wallets of this type (estimate based on known address history). * The last large outgoing transaction from this set of wallets is [3a5b1c78..f54fe376](https://mempool.space/tx/3a5b1c7816217f56a583f7dc910ffef2d022ed69e3c599e82bb4813df54fe376) with **1.13 BTC**, which happened on 2023-03-31 18:58. It is unclear to us if this is theft or a legitimate movement. -* The attacker behind the [2023-07-12 main theft]({% link disclosure.md %}#ongoing-on-chain-thefts---some-facts) was in control of at least one of these private keys, as proven by stealing from [1JUdUgFm7B9GZihtf4jtryCmt4YcRMaJGx](https://mempool.space/address/1JUdUgFm7B9GZihtf4jtryCmt4YcRMaJGx) via one of the three main theft transactions. The stolen amount was small: **0.0015 BTC**, less than $50 at the time. -* In August 2023, several small outgoing transactions moved other remaining funds, which individually were worth a few dollars. We think these were intentionally skipped by the attacker due to the remaining low value considering the transfer fee overhead, and are now slowly swept by other opportunistic thieves. The primary destination address for this is [bc1q0yxd9avwy2wnj7lpj35v5d5n5ejfn79mk37xgd](https://mempool.space/address/bc1q0yxd9avwy2wnj7lpj35v5d5n5ejfn79mk37xgd). 
+* The attacker behind the [2023-07-12 main theft]({% link disclosure.md %}#ongoing-on-chain-thefts---some-facts) found and used at least one of these private keys, as proven by stealing from [1JUdUgFm7B9GZihtf4jtryCmt4YcRMaJGx](https://mempool.space/address/1JUdUgFm7B9GZihtf4jtryCmt4YcRMaJGx) via one of the three main theft transactions. The stolen amount was small: **0.0015 BTC**, less than $50 at the time. +* In August 2023, several small outgoing transactions moved other remaining funds, which individually were worth a few dollars. We think these were intentionally skipped by the main attacker due to the their low value considering the transfer fee overhead, and are now slowly swept by other opportunistic thieves. The primary destination address for this is [bc1q0yxd9avwy2wnj7lpj35v5d5n5ejfn79mk37xgd](https://mempool.space/address/bc1q0yxd9avwy2wnj7lpj35v5d5n5ejfn79mk37xgd). -To summarize, the `bx ec-new` type of wallets generated with the weak `bx seed` PRNG were indeed used over multiple years and held sizeable funds. Based on our current understanding, the wallet owners were lucky enough that the PRNG issue was not exploited until some point 2023. Only one minor loss from this range can clearly be attributed to the 2023-07-12 theft actor. +To summarize, the `bx ec-new` type of wallets generated with the weak `bx seed` PRNG were indeed used over multiple years and held sizeable funds. Based on our current understanding, the wallet owners were lucky enough that the PRNG issue was not exploited until some point 2023. Only one minor loss from this range can clearly be attributed to the 2023-07-12 thief. ## 2023-07-12 On-Chain Theft - Ethereum Addresses
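Review bot: the rewritten August 2023 bullet introduces a typo, "due to the their low value considering the transfer fee overhead"; drop the stray "the" so it reads "due to their low value". While the summary line is already being changed in this hunk, "was not exploited until some point 2023" would also read better as "until some point in 2023".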