In a crime novel-worthy heist, a key part of the internet’s infrastructure was compromised for around two hours this week by a mysterious group of millionaire hackers, who managed to steal at least $150,000 in the cryptocurrency Ethereum.
The unknown collective was able to hijack Domain Name System (DNS) traffic, the lookups that translate a website’s name into the server address a browser connects to, and reroute users of MyEtherWallet, a crypto storage platform, through a server hosted in Russia.
The culprits used a technique called “BGP hijacking.” The Border Gateway Protocol (BGP) is how networks tell one another which IP addresses they can reach; by announcing routes for addresses belonging to Amazon Web Services’ Route 53, a DNS service, the attackers pulled DNS lookups for the wallet’s domain to a server they controlled, which answered with the address of their own site. This “man in the middle” attack was seemingly facilitated by a server based in a Chicago data center. During the two-hour period, some users were directed not to the legitimate crypto-wallet service but to a credential-stealing phishing copy.
Victims were likely those who clicked an "ignore" button on the browser certificate warning that appeared when they visited the malicious version of the website, MyEtherWallet said. The warning appeared because the phishing server could not present a valid certificate for the real domain.
Users on Reddit were quick to report the problems, which were later confirmed and tracked by MyEtherWallet, Cloudflare and the security blog DoublePulsar.com. “I have no idea what happened,” one alleged hacking victim complained. “I barely download things and thought I was careful enough at least to avoid problems.”
The full amount of cryptocurrency stolen remains unclear, but Etherscan, a block explorer that indexes every Ethereum transaction and address, indicated that at least 216 ether (around $152,000 at the time) was looted. The stolen funds were still being moved among a slew of wallets, and the true figure could potentially be much higher.
At the time of writing, the hackers’ Ethereum wallet held approximately $16 million-worth of the virtual currency and multiple transactions were being made every few minutes on Wednesday. While every transaction is permanently recorded on the public blockchain, addresses are pseudonymous, so the true owner of the account remains difficult to identify.
MyEtherWallet and AWS were not individually compromised. Instead, the hackers hijacked the routes to Route 53’s address space and intercepted DNS traffic as it flowed across the internet. In the past, BGP hijacks have been used to target banks and websites and to enable defacements. Rarely are BGP and DNS weaknesses exploited together at this scale, one security expert warned.
“This is the largest scale attack I have seen that combines both, and it underscores the fragility of internet security,” wrote Kevin Beaumont, a U.K.-based cybersecurity researcher who runs DoublePulsar.com, in a blog post on Tuesday.
“It also highlights how almost nobody noticed until the attack stopped,” he added. “There is a blind spot.” The incident has now been resolved.
According to technology website The Register, the Chicago data center, operated by Equinix, housed equipment belonging to an internet service provider called eNet, which was allegedly compromised. In a statement, Equinix said the server was not its own, but rather “customer equipment deployed at one of our Chicago IBX data centers.”
MyEtherWallet released a statement via Reddit and Twitter. It read: “Users, please ensure there is a green bar SSL certificate that says MyEtherWallet Inc. before using MEW. We advise users to run a local (offline) copy of the MEW.
“We urge users to use hardware wallets to store their cryptocurrencies. In the meantime, we urge users to ignore any tweets, Reddit posts, or messages of any kind which claim to be giving away or reimbursing ETH on behalf of MEW.”
A statement from AWS stressed that it was not hacked. “An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered,” it said. “These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”
Cloudflare, an internet infrastructure company, has released a summary of how BGP hijacks work. It ultimately concluded: “There is no perfect and unique solution.”
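To make concrete the mechanism AWS and Cloudflare describe, the following is an added example, not code from the article, AWS, Cloudflare or MyEtherWallet. It is a toy routing table that applies two BGP best-path rules (longest prefix wins, then shortest AS path) and RPKI Route Origin Validation (ROV, RFC 6811). All addresses and AS numbers are constructed stand-ins (RFC 2544 benchmarking space and RFC 5398 documentation ASNs), not the real prefixes or networks involved in the incident. It shows why a more-specific announcement from a compromised ISP captures DNS traffic at every peer that accepts it, what a signed ROA plus ROV does about it, and the hijack variant that origin validation alone cannot stop.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One BGP announcement as a peer sees it. The origin AS is the last hop of the path."""
    prefix: IPv4Network
    as_path: tuple   # ASes the announcement traversed, nearest neighbour first
    label: str       # constructed tag so the example can report which route won

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Roa:
    """RPKI Route Origin Authorization: asn may originate prefix, up to max_length."""
    prefix: IPv4Network
    max_length: int
    asn: int


class Rib:
    """Toy routing table: longest prefix wins, then shortest AS path."""

    def __init__(self, roas):
        self.roas = tuple(roas)
        self.routes = []

    def rpki_state(self, route: Route) -> str:
        """Route Origin Validation (RFC 6811): valid / invalid / not-found."""
        covering = [r for r in self.roas if route.prefix.subnet_of(r.prefix)]
        if not covering:
            return "not-found"
        if any(r.asn == route.origin_as and route.prefix.prefixlen <= r.max_length
               for r in covering):
            return "valid"
        return "invalid"

    def announce(self, route: Route, drop_invalid: bool) -> bool:
        """Install the announcement unless ROV is on and marks it invalid."""
        if drop_invalid and self.rpki_state(route) == "invalid":
            return False
        self.routes.append(route)
        return True

    def lookup(self, ip: str) -> Optional[Route]:
        addr = IPv4Address(ip)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


# Constructed scenario (assumed, not the incident's real addresses or ASNs).
VICTIM_AS = 64500                            # the DNS provider, in the role of Route 53
ROGUE_AS = 64511                             # the compromised upstream ISP
LEGIT_PREFIX = IPv4Network("198.18.0.0/21")  # the provider's announced block
RESOLVER_IP = "198.18.1.53"                  # an authoritative DNS server inside it

LEGIT = Route(LEGIT_PREFIX, (64496, 64497, VICTIM_AS), "legitimate")
# Hijack 1: a more-specific /24 originated by the rogue AS. Longest-prefix match
# means every peer that accepts it sends DNS queries to the rogue network.
ROGUE_MORE_SPECIFIC = Route(IPv4Network("198.18.1.0/24"), (ROGUE_AS,), "rogue more-specific")
# Hijack 2: the same /24 with the victim's AS forged as origin. A tight ROA
# max_length still catches it, because /24 is longer than the authorized /21.
ROGUE_FORGED_MORE_SPECIFIC = Route(IPv4Network("198.18.1.0/24"), (ROGUE_AS, VICTIM_AS),
                                   "rogue forged-origin more-specific")
# Hijack 3: the exact /21 with a forged origin and a shorter path than the real
# route. Origin validation sees a valid origin; only path validation could object.
ROGUE_FORGED_ORIGIN = Route(LEGIT_PREFIX, (ROGUE_AS, VICTIM_AS), "rogue forged-origin")

ROAS = [Roa(LEGIT_PREFIX, 21, VICTIM_AS)]    # the provider has published a tight ROA


def who_gets_dns_traffic(rogue: Route, rov_enabled: bool) -> tuple:
    """For a peer that received both the legitimate and the rogue route, return
    (label of the route that wins for RESOLVER_IP, ROV state of the rogue route)."""
    rib = Rib(ROAS)
    rib.announce(LEGIT, rov_enabled)
    rib.announce(rogue, rov_enabled)
    best = rib.lookup(RESOLVER_IP)
    return best.label, rib.rpki_state(rogue)


if __name__ == "__main__":
    for rogue in (ROGUE_MORE_SPECIFIC, ROGUE_FORGED_MORE_SPECIFIC, ROGUE_FORGED_ORIGIN):
        for rov in (False, True):
            winner, state = who_gets_dns_traffic(rogue, rov)
            print(f"{rogue.label:36s} ROV={'on ' if rov else 'off'} -> {winner} ({state})")
```

Without ROV every variant wins at the peer, which is the situation AWS describes: networks that accepted the rogue announcement sent DNS queries for the victim prefix to the attacker. With ROV and a ROA whose max_length matches the announced /21, the more-specific hijacks are dropped, but the exact-prefix, forged-origin announcement still passes as "valid" and wins on path length. That gap, together with the fact that ROV only helps at the networks that deploy it, is the practical meaning of Cloudflare's "no perfect and unique solution"; closing it requires path validation proposals such as BGPsec rather than origin validation alone.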
It remains unclear if the MyEtherWallet website was the sole victim of the cyberattack, but speculation is now mounting that more AWS-linked businesses could have been targeted in the incident. “It seems unlikely MyEtherWallet.com was the only target when [the hackers] had such levels of access,” Beaumont wrote.