How I hacked an Ethereum hacker (and how you can do it also)

By Magic_Pickles | Take back control! | 4 Sep 2021


TL;DR

I've made a simple script that steals ETH from an Ethereum thief who would like to steal your tokens. It is hosted here on GitHub.

Run it on a 24/7 Ubuntu server to watch a corrupted address and collect passive income from generous greedy people.

 

Introduction

As I like to say, Blockchain is to the 2020's what the World Wide Web is to the 90's. It is so huge and disruptive that we don't even know yet what is coming up. This is for better and for worse.

This innovation comes with big advantages: fault-tolerant infrastructure by design, censorship-resistance, privacy, transparency. Unfortunately, most news outlets talk mainly about the negative impacts. That's understandable: this is new, this is powerful and this is complicated. So people tend to see it as a threat.

One of the things they reproach the blockchain for is the high risk of scams. Actually, the 2 main public blockchains, Bitcoin and Ethereum, are among the most secure IT systems in the world (if not the most secure of all). As is often the case, the real problem is between the chair and the keyboard.

So let me explain how I hacked a hacker. To be more specific, I am talking about thieves, people who steal your Ethereum seed phrase and then the cryptocurrencies in your wallet.

With a very simple bash script running on a Cloud server, I managed to steal money from the guy who had my private key. I'll show you how.

 

The hack story

I'm not a developer. The script I used and want to share with you probably relies on some bad practices, has performance issues and may have security flaws. So do not hesitate to propose your improvements, even if it means erasing 100% of the original script and developing a new solution from scratch with a different language and architecture. I really do think the idea behind it is useful for the whole Ethereum community.

Stop talking, let's have fun. Let me explain what I did.

 

One day I was thinking about what could happen to my cryptocurrencies if someone stole one of my Ethereum private keys. The answer is obvious: I would lose everything. So I wanted to find a way to trap potential thieves. The following idea came up and it is actually very simple: if there is no ETH on the corrupted address, the thief will have to send some in order to steal the balance. If I am quicker than him, I'll be able to get this amount of ETH.

First, I had to create my honey pot. This is basically a corrupted Ethereum address: one I created beforehand and whose seed phrase I left somewhere in a public place.

Then, I had to put some valuable tokens on it (not ETH, of course) in order to attract a thief. DAI was a good choice for that, and I deposited 25 DAI.

And then, the script did the whole thing. It is intended to work as follows: it monitors the balance of a given address, the corrupted one. Once some amount of ETH is received on this address, the script tries to send the ETH balance to another given address, which you set beforehand. The script automatically sets the gas fees based on ethgasstation.info.

I waited for several days or weeks. Finally, someone took the bait.

The guy sent 0.0076934 ETH from FTX Exchange 2. Then my script sent those ETH to my other address. It only took 25 seconds for the script to detect it and get the transaction validated on the Blockchain. After that, there was no more ETH on that address, only the initial DAI, ready to catch a new fish.

 

Set up your Ethereum trap: step by step guide

You want to trap some Ethereum thieves? Just follow these steps:

1. Create required accounts.

  • infura.io: This account will allow you to communicate with the blockchain. You can create 2 or 3 accounts to use as "backup" in case you exceed the threshold limit.
  • etherscan.io: this will allow you to check the transaction status
  • Pushbullet (optional): in order to be notified on your smartphone when a new thief is trapped.

2. Make sure to have 2 Ethereum addresses

  • An address that you think might be corrupted because you lost your seed phrase paper somewhere.
  • A target address where you would like to get the thief's ETH. 

3. Set up a Linux server that is ready to run 24/7. I recommend using Ubuntu because I only tested the script on this distribution.

You can use an EC2 micro instance for free for 1 year with the AWS Free Tier.

4. Install git: sudo apt update && sudo apt install git

5. Then clone this repository from github: git clone https://github.com/jeremyfritzen/Ethereum-honey-pot.git

6. Install the requirements:

  • web3 : curl -LSs https://raw.githubusercontent.com/gochain/web3/master/install.sh | sh
  • jq: sudo apt update && sudo apt install jq
  • httpie: sudo apt update && sudo apt install httpie

7. Configure the script:

  • copy "template.conf" to 2 new files: TEST.conf and PROD.conf
  • set your own configuration in the 2 new conf files.
  • In the eth_honey_pot.sh file, set the testMode variable to true or false depending on your self-confidence (I really recommend testing it on the Ropsten network first)

8. Run the script.

I recommend using screen: 

  • screen -S eth-honey-pot
  • cd <path_to_script>
  • ./eth_honey_pot.sh

9. Add some DAI to your corrupted honey pot address. 25 DAI should be enough.

 

/!\ Warning /!\

This is a very simple script, probably with some bad practices and security flaws.

As I write this, the script is not able to adapt gas fees based on the thief's transaction. If his transaction fees are higher, he may be able to steal your tokens.
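
The fee arithmetic behind the sweep and behind the warning above, as an added example (not code from the Ethereum-honey-pot repository): a plain ETH transfer pays its fee out of the balance it forwards, so a higher gas price leaves less to collect and, past a point, nothing. The function names, the legacy gasPrice-style fee with a 21000 gas limit, and the 40 and 400 gwei prices are assumptions; the deposit is the 0.0076934 ETH from the story.

```sh
#!/bin/sh
# Added example, not code from the Ethereum-honey-pot repository.
# A plain ETH transfer pays its fee out of the same balance it forwards:
#   value = balance - GAS_LIMIT * gas_price

GAS_LIMIT=21000            # gas used by a plain ETH transfer between accounts
WEI_PER_GWEI=1000000000

# is_uint VALUE MAXDIGITS: plain decimal integer, no leading zero (shell
# arithmetic would read "010" as octal), short enough to stay within 64 bits.
is_uint() {
  case $1 in
    ''|*[!0-9]*|0?*) return 1 ;;
  esac
  [ "${#1}" -le "$2" ]
}

# plan_sweep BALANCE_WEI GAS_PRICE_GWEI
# Prints the wei that can be forwarded. Status 1: the balance cannot pay its
# own fee. Status 2: malformed or oversized input (balances of 1 ETH or more
# need an arbitrary-precision tool instead of shell arithmetic).
plan_sweep() {
  is_uint "$1" 18 || return 2
  is_uint "$2" 5 || return 2
  fee=$(( GAS_LIMIT * $2 * WEI_PER_GWEI ))
  [ "$1" -gt "$fee" ] || return 1
  echo $(( $1 - fee ))
}

# wei_to_eth WEI: exact decimal ETH string for logs, without floating point.
wei_to_eth() {
  int=$(( $1 / 1000000000000000000 ))
  frac=$(printf '%018d' $(( $1 % 1000000000000000000 )))
  while [ "${frac%0}" != "$frac" ]; do frac=${frac%0}; done
  if [ -n "$frac" ]; then echo "$int.$frac"; else echo "$int"; fi
}

# Constructed inputs: the 0.0076934 ETH deposit from the story and assumed
# gas prices of 40 and 400 gwei (the article does not state the real one).
deposit=7693400000000000
for gwei in 40 400; do
  if value=$(plan_sweep "$deposit" "$gwei"); then
    echo "$gwei gwei: forward $(wei_to_eth "$value") ETH"
  else
    echo "$gwei gwei: fee exceeds the deposit, nothing to forward"
  fi
done
```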

 

Conclusion

This is really a Proof of Concept. I am very bad at coding. I had an idea and wanted to make it real.

I am sure some very good programmers could make something good and secure with it.

I hope this solution will make you feel more secure and help prevent Ethereum criminals from stealing.
