Powerful attacks on blockchains are increasing. So far this year, hackers have effectively executed a minimum of five separate “51-percent attacks” on cryptocurrency projects, with profits amounting to almost $20 million.
This represents a remarkable increase in success, after renowned cybersecurity firm Group-IB recorded no completed 51-percent attacks last year.
Group-IB has just released the full version of its annual report on trends in high-tech crime, which it has shared with Hard Fork.
The report also revealed cryptocurrency hackers went on a veritable rampage between April and June of this year.
51% attacks guarantee free money
A 51-percent attack consists of (as the name implies) an attacker taking control of at least 51 percent of the overall mining power of a Proof-of-Work blockchain, which is known as its hashrate.
“They can be either carried out by one miner with a large number of computers or a group of miners forming a mining pool,” Group-IB explains. “Control over 51-percent of the network power itself is not necessarily an attack — unless there has been intentional use of this advantage.”
An attacker controlling a majority of a blockchain’s hashrate can freeze the system, stop transaction verification, suspend mining, prevent other miners from verifying transactions, and the ultimate perk: double spending.
Double spending involves the creation of a hidden, alternative blockchain that 51-percenters can use to verify their own (fake) transactions. This often leads to hackers creating large amounts of cryptocurrency out of thin air.
Presently, Group-IB notes double spending to be the greatest threat to Proof-of-Work blockchains.
“It is possible to double spend even without controlling this much network power,” clarifies Group-IB. “However, control over 51-percent is an absolute guarantee that the fraudster’s block is recognized as correct.”
Attackers earn $19.5M by targeting small cryptocurrencies
This year, hackers successfully attacked the altcoin Verge twice: once in April, when a bug in its code allowed hackers to steal more than $1 million worth of cryptocurrency, and again in May, when hackers took over and refused to process transactions.
In a separate attack in June, unknown criminals siphoned $550,000 worth of ZEN cryptocurrency over four hours by controlling the ZenCash blockchain.
In the same month, a small-time cryptocurrency project called Litecoin Cash also had to interrupt critical infrastructure needed to maintain smooth operation after hackers invaded its mining pools.
But the most lucrative of all the attacks this year was the crippling attack on Bitcoin Gold. In May, a malicious miner captured a majority of the BTG hashrate, allowing them to send 388,000 BTG ($18M) directly to their personal wallet.
The fallout continued months later, with US-based exchange Bittrex delisting Bitcoin Gold over concerns for investor security, should the attackers return.
“Cybercriminals can get high rewards and steal lots of money by attacking small and unknown cryptocurrencies,” a Group-IB spokesperson told Hard Fork. “It is just technically easier to compromise relatively unknown cryptocurrencies, which usually do not have the capacity for the rapid response necessary to stop the attacker converting stolen funds to a more stable currency.”
51% attacks aren’t cheap
There is actually a website that tracks just how much it would cost miners to conduct 51-percent attacks on the major cryptocurrency platforms.
In order for miners to execute the attack, they must first sacrifice the lucrative income the network normally rewards them with for legitimately processing cryptocurrency transactions.
In fact, Group-IB reports that the ZenCash attack, which netted $550,000 in cryptocurrency, cost the hackers at least $30,000 to prepare and carry out.
After all, the premise of the cryptocurrency mining industry rests on the incentives awarded to miners for maintaining the network outweighing the possible rewards that come with a successful 51-percent attack.
With that in mind, according to the site, it currently costs just over $520,000 to take control of the Bitcoin network for a solid hour, and only $150,000 to bring Ethereum to its knees for the full sixty minutes.
For smaller cryptocurrency projects to minimize the risk of being controlled by a 51-percent attack, Group-IB declares it necessary to use encryption algorithms different from the ones employed by those big market players.
“This would allow to avoid the scenario where a mining pool is compromised and has negative effects on other cryptocurrencies that use the same algorithms,” a spokesperson explains.
But hey, as long as nobody is willing to pay, then we’re good, right?
Published October 23, 2018 — 15:01 UTC