Hacker Thwarted: $12M Worth of EOS Rescued by Block Producers

eosiob
Oct 9, 2018

EOS Sw/eden to the Rescue

This is a really cool story of how 2M EOS (approx. $12M in value) was saved from a hacker by an investigation led by Block Producers (BPs).

EOS, ECAF (the EOS Core Arbitration Forum), and blacklists might not be exactly what Block.One and Dan Larimer intended when they designed EOS.IO, but I think it may have turned out even better than they had hoped. The blacklist efforts of the past 4 months have saved millions of dollars from hackers by “freezing” accounts whose owners can prove that their account keys have been stolen. Freezing an account prevents any further actions on it until an investigation can be completed.

Normally, account owners request that their account be blacklisted once they have noticed unauthorized activity on it. This was a unique situation in which the hack was detected and investigated by a group of Block Producers: Sw/eden, EOSRio, EOSDac, shEOS, and Jem. We were at dinner with a group of Block Producers in London celebrating Mid-Autumn Festival when we suddenly lost 2 million votes! That is a good way to get a Block Producer’s attention.

We ran a quick check of the account history for gm3dcnqgenes and found that the active and owner keys had been changed, that the entire balance of 2M EOS had been unstaked immediately afterward, and that all of the airdrop tokens had been sold on the DEX account “newdexpocket.”

That is suspicious behavior: a key change by the legitimate owner is normally a protective step, not a prelude to moving the whole balance out, so a key rotation followed immediately by an unstake is a strong takeover signal. In addition, the account had previously voted only once, in August, and had never adjusted its vote afterward.

The attacker tried to obscure the trail after the hack by hopping the funds through freshly created accounts with random-looking names resembling those generated from the EOS.IO genesis snapshot. “The hackers sent 23k EOS to a newly created account, gm34qnqrepqt, which then quickly sent 20k out to another new account, gt3ftnqrrpqp, which then sent 16.3k to another new account, gtwvtqptrpqp, which then sent 10k out to new account gm31qndrspqr, which then sent 6k to new account lxl2atucpyos, where it sits now,” says Eric, describing the investigation that Jem did. The memo on the first transfer was “refund.”
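The checks described above (owner/active key change, an unstake of the whole balance right after it, transfers to accounts that were only just created, and a hop-by-hop trace of where the funds went) as an added Python example. This is not code from the original post or from any of the Block Producers named here. The action records are constructed and simplified: the account names, amounts and timestamps are fictional and only reproduce the pattern from the story, and the record shape (contract `account`, action `name`, `data`) is an assumption of the example rather than the exact output of an EOS history node.

```python
from datetime import datetime, timedelta

# Constructed sample action traces, loosely shaped like EOS history-plugin
# output (contract account, action name, data). Account names, amounts and
# timestamps are fictional; they only reproduce the pattern from the story.
ACTIONS = [
    {"ts": "2018-09-24T18:00:00", "account": "eosio", "name": "updateauth",
     "data": {"account": "victimaccnt1", "permission": "owner"}},
    {"ts": "2018-09-24T18:00:05", "account": "eosio", "name": "updateauth",
     "data": {"account": "victimaccnt1", "permission": "active"}},
    {"ts": "2018-09-24T18:01:00", "account": "eosio", "name": "undelegatebw",
     "data": {"from": "victimaccnt1", "receiver": "victimaccnt1",
              "unstake_net_quantity": "1000000.0000 EOS",
              "unstake_cpu_quantity": "1000000.0000 EOS"}},
    {"ts": "2018-09-24T18:04:00", "account": "eosio", "name": "newaccount",
     "data": {"creator": "victimaccnt1", "name": "hopaccount11"}},
    {"ts": "2018-09-24T18:05:00", "account": "eosio.token", "name": "transfer",
     "data": {"from": "victimaccnt1", "to": "hopaccount11",
              "quantity": "23000.0000 EOS", "memo": "refund"}},
    {"ts": "2018-09-24T18:06:00", "account": "eosio.token", "name": "transfer",
     "data": {"from": "hopaccount11", "to": "hopaccount22",
              "quantity": "20000.0000 EOS", "memo": ""}},
    {"ts": "2018-09-24T18:07:00", "account": "eosio.token", "name": "transfer",
     "data": {"from": "hopaccount22", "to": "hopaccount33",
              "quantity": "16300.0000 EOS", "memo": ""}},
    {"ts": "2018-09-24T18:08:00", "account": "eosio.token", "name": "transfer",
     "data": {"from": "hopaccount33", "to": "finalaccnt44",
              "quantity": "10000.0000 EOS", "memo": ""}},
    {"ts": "2018-09-24T18:20:00", "account": "eosio.token", "name": "transfer",
     "data": {"from": "hopaccount11", "to": "someexchange",
              "quantity": "3000.0000 EOS", "memo": "deposit"}},
]


def parse_qty(quantity):
    """'23000.0000 EOS' -> 23000.0; only the EOS core token is tracked here."""
    amount, symbol = quantity.split()
    return float(amount) if symbol == "EOS" else 0.0


def ts(action):
    return datetime.fromisoformat(action["ts"])


def creation_times(actions):
    """Map account name -> creation time, taken from eosio::newaccount traces."""
    return {a["data"]["name"]: ts(a) for a in actions
            if a["account"] == "eosio" and a["name"] == "newaccount"}


def detect_takeover(actions, account, window=timedelta(hours=1),
                    fresh=timedelta(days=1)):
    """Flag the pattern from the story: a key rotation followed within `window`
    by an unstake and by transfers to accounts created less than `fresh` ago."""
    created = creation_times(actions)
    key_changes = [a for a in actions
                   if a["name"] == "updateauth" and a["data"]["account"] == account]
    if not key_changes:
        return {"suspicious": False, "reasons": []}
    t0 = ts(key_changes[0])
    in_window = [a for a in actions if t0 <= ts(a) <= t0 + window]
    unstaked = sum(parse_qty(a["data"]["unstake_net_quantity"])
                   + parse_qty(a["data"]["unstake_cpu_quantity"])
                   for a in in_window
                   if a["name"] == "undelegatebw" and a["data"]["from"] == account)
    outflows = [(a["data"]["to"], parse_qty(a["data"]["quantity"]))
                for a in in_window
                if a["name"] == "transfer" and a["data"]["from"] == account]
    fresh_recipients = [to for to, _ in outflows
                        if to in created and t0 + window - created[to] <= fresh]
    reasons = []
    if unstaked > 0:
        reasons.append("unstake after key change")
    if fresh_recipients:
        reasons.append("transfer to newly created account")
    return {"suspicious": bool(reasons),
            "key_changes": [a["data"]["permission"] for a in key_changes],
            "unstaked": unstaked, "outflows": outflows,
            "fresh_recipients": fresh_recipients, "reasons": reasons}


def trace_outflows(actions, start, seen=None):
    """Depth-first walk of outgoing transfers, in time order, starting at `start`.
    `seen` stops the walk looping if funds are ever sent back to an earlier hop."""
    seen = set() if seen is None else seen
    seen.add(start)
    hops = []
    for a in sorted(actions, key=ts):
        if a["name"] != "transfer" or a["data"]["from"] != start:
            continue
        to = a["data"]["to"]
        hops.append({"from": start, "to": to,
                     "qty": parse_qty(a["data"]["quantity"]), "memo": a["data"]["memo"]})
        if to not in seen:
            hops.extend(trace_outflows(actions, to, seen))
    return hops


def terminal_accounts(hops):
    """Accounts that received funds in the trace but never sent any on."""
    return sorted({h["to"] for h in hops} - {h["from"] for h in hops})


if __name__ == "__main__":
    print(detect_takeover(ACTIONS, "victimaccnt1"))
    hops = trace_outflows(ACTIONS, "victimaccnt1")
    for h in hops:
        print(f'{h["from"]} -> {h["to"]}: {h["qty"]} EOS memo={h["memo"]!r}')
    print("funds currently sit in:", terminal_accounts(hops))
```

The trace deliberately does not stop at the first hop: in the story the money moved through five fresh accounts before it stopped, and the list of terminal accounts is what an investigator would hand to ECAF. The fresh-account check is also why Eric held off on blacklisting the downstream accounts himself: an account that receives funds from a hacked account may be an exchange deposit address, so the age of the recipient, not the transfer alone, is the signal.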

Igor from EOSRio searched for the account name and found it in the “EOS 911” group. Eric from Sw/eden reached out to the account owner, and the account “iwashackeda1” was created with the original keys from gm3dcnqgenes.

This is the transaction that verified that the owner still held the original keys for the account:

https://bloks.io/transaction/a3d919d638bd8750d46078e815d87ca02936affb80f08de25c9b905bd66371c1

As soon as this transfer was made, it was certain that the claimant held the private key that gm3dcnqgenes, the hacked account, had used before the hack. So Sw/eden blacklisted gm3dcnqgenes before the order from ECAF arrived.

Eric from Sw/eden says: “I didn’t blacklist the other accounts, because I felt that needed further investigation. Didn’t want to make a mistake and, on my own decision, blacklist an exchange or something 🤷… Then I jumped into a car, and 10 minutes after entering the location for the event, I heard Moti was there, so I went up to him, presented myself and told him what I did :)”

“A few hours later the order came for all of the accounts to be blacklisted. So we all pulled out our computers and updated the blacklist.”

It was the first time a hack was discovered by Block Producers, and also the first time a Block Producer blacklisted an account without an order from ECAF. According to the Rules of Dispute Resolution, any member of EOS (including a BP) may request “an emergency measure of protection,” and where a member “has already executed an emergency measure of protection, for example by freezing an account, that Member shall be named as party to a duly filed arbitration to request confirmation of the emergency measure.” This means that a member who acts without a ruling is responsible for the consequences of that action. These members could face severe consequences if they are found liable for causing damage to another EOS account. I strongly recommend that BPs do not take any action unless they are certain it will not cause problems for another EOS account; an error there would likely cost them their company.

Here are a few things that we have learned in the past few months about keeping your EOS safe:

  • Voting makes you safer: an account that votes is one BPs have a reason to monitor, and a sudden change in its votes gets noticed (that is how this hack was spotted).
  • You can think of keeping your tokens “staked” as a “safe mode” for your EOS, since unstaking takes 3 days and gives everyone time to react.
  • It is possible to detect a hack by watching for unusual account activity, such as a key change followed by an unstake or by transfers to newly created accounts.

If you want to monitor your own account, EOS Authority has a great tool for tracking account activity on your EOS account via Telegram or Email.
