The number of smart contract applications deployed each day in the Ethereum Blockchain is increasing every day. Fascinated by the security aspect of the newly proposed Blockchain technology. More people ...
Many new Blockchain users and developers think that the Blockchain offers the ultimate security solution to whatever use case we want to create. Unfortunately, this is not the case and any Blockchain component could be hacked. Therefore, can crypto wallets be hacked?
A crypto wallet can be hacked using one or more of the following techniques:
In this blog post, we are going to discuss in detail how attackers hack wallets and what are the techniques they use. In addition, we are going to discuss what wallets are the best to avoid this kind of attack and how to prevent them. So if you are interested just keep reading and leave a comment below.
As I said in a previous blog post about smart contract hacks, crypto wallets are also programs made by humans, which means they are prone to bugs and vulnerabilities. Therefore, crypto wallets could be hacked.
However, you should make the difference between a wallet and an address. A wallet is a software that manages multiple addresses where you can receive or send money from in the Blockchain. Those wallets hold and protect the private keys that are used in each transaction, and track each address’s funds in the Blockchain.
Addresses on the other hand are simply the public key related to the private key saved by the wallet. This key is what could be shared by users and used to receive money from others.
Hacking a crypto wallet simply means putting his hands on the private keys and using them to transfer money to the attacker’s address. Therefore, to get to that objective attackers use multiple techniques ranging from social engineering to exploiting vulnerabilities in those wallets.
In the third section of this blog post, we are going to explain in detail how each used technique works and how attackers could put their hands on private keys using those techniques.
If you take any wallet in the market right now, then it will be either a hot or a cold wallet. Hot wallets are those that are constantly connected to the internet, contrary to cold wallets. That’s the main difference between these two types of wallet implementations.
Hot wallets could be found in form of software that either you install on your desktop, smartphone, or even open in a web browser. This type of wallet is the most popular because of the low cost of its installation and the flexibility they offer. In a hot crypto wallet, there is usually no cost to use the software and you can access it anywhere in the world with just a click of a button.
Here is a list of some types of hot crypto wallets:
Cold wallets are considered the most secure compared to hot wallets. This is because it signs the transaction using the private keys offline. When you are accessing your keys, a cold storage technique is not able to connect with any other electrical device unless it is physically hooked into that device. Any online transaction is first temporarily moved to an offline wallet stored on a USB stick, CD, hard drive, piece of paper, or offline computer. There, it is digitally signed before being sent back to the online network.
Here is a list of the most popular cold wallets:
If you want to know what are the pros and cons of each cold wallet, I highly recommend the following blog post.
To hack a wallet, the attacker uses multiple techniques to reach the private keys. Some are very easy to apply and could be done by anyone with minimum technical information, and others require more advanced information. However, most of the used techniques are very popular and were used against classic apps from the beginning of the internet. Therefore, you might be more or less familiar with some of them.
Here is a list of some of the most popular and used techniques, which you may encounter:
The easiest way of attacking wallets is the use of the phishing technique. In this technique, the attacker tries to implement some fake wallet mobile or web apps and try to get other people to use them. Usually, those apps are either similar to well-known ones or offer some attractive functionalities.
Once the victim installs the app or imports his private key to it, the attacker copies them and performs a transaction to his own account.
However, you may not notice these operations as the application will work normally for you, as all the transactions will be done correctly, and so on.
In some cases, the attacker may not send a big amount of money to not attract your attention. He may try to send small amounts in separate time frames. Unfortunately, in some cases, those kinds of attacks are very difficult to detect and you should stick to only the popular apps.
Usually, people tend to save a copy of the keys in their personal machines. Therefore, they are the target of attackers to find private keys. Unfortunately, personal computers are the most difficult machines to protect against cyber-attacks. This idea comes from the fact that there are so many apps running on the personal computer and installed by the user itself. This means that there are higher chances to be vulnerable.
Moreover, most users even those with limited technical knowledge tend to have full admin permissions on their computers. Therefore, by exploiting a vulnerability in their computer, the attacker could easily do a privilege escalation. Once the attacker has admin access to your machine he can search and retrieve your private keys, and then use them. In addition, most users rarely install system updates on their computer, which make the situation even worst.
As hot wallets are usually installed in smartphones to be able to perform transactions at any moment, attackers tend to target them. To do that, they either use phishing, social engineering, or exploiting a vulnerability in the phone operating system. We have already talked about phishing in the previous subsection, and social engineering will be further detailed in the next ones. Therefore, in this section, we will discuss the finding and exploitation of an operating system vulnerability.
I think one of the most difficult techniques that attackers may use to hack your wallet is hacking your smartphone. Finding a vulnerability in a smartphone system is really difficult as the system updates are forced by the system itself and usually do not take too much time to be installed. In addition, some smartphones like iOS perform a deep separation between apps installed into them so that no one can access the other data. This adds a certain level of security to protect the whole smartphone.
However, the risk of finding a zero-day in a smartphone is always present and at any moment someone could use them to target your wallet. Even if the risk is very low.
Keylogging is the fact of recording all that user’s tape on the keyboard. This attack usually happens when users try to use public computers to log in to their wallets. The attacker installs a keylogger in those computers and waits for users to write their information into it.
However, keyloggers could be served inside legitimate software. Once you install the legitimate software, the keylogger gets installed too and starts recording your keys. Therefore, even your personal computer could be targeted by this malicious software.
Another direct technique that attackers may use to get their hands on your keys is exploiting a vulnerability in the wallet itself. Wallets are simply programs made by humans and humans make mistakes no matter how knowledgeable and security-aware they are. Therefore, finding a vulnerability in a wallet is a risk that should be taken into consideration.
Moreover, some wallets are simply web applications that are 24h/7d exposed to the internet. In this case, attackers try to find a vulnerability in the web application to be able to penetrate it and get their hands on the database and eventually your private keys. The simplest example of such a technique is finding an SQL injection in the web application and dumping the whole database.
Even local apps that get installed into your personal computer or your mobile phone, could be vulnerable and could put your keys in danger.
Some wallets are based on smart contracts, especially those that offer multi signatures to make a transfer. Therefore, if the attack was able to find a vulnerability in the smart contract that manages those wallets or that is part of the wallet logic. Then the attacker could either retrieve your funds or lock them in the contract forever.
Social engineering is one of the most popular attacks that is used by attackers to target basically any system they want to put their hands on. In this technique, the attacker tries to exploit a human social vulnerability to either give the attacker access to his own system or even send him credentials. This technique is usually used in combination with phishing techniques to trick users.
All the techniques that we have seen until now, were targeting the wallet directly to retrieve the private keys. However, the objective of targeting the wallet is stealing your money. Private keys are only a way to steal that money.
A malicious smart contract can also be used to hack wallets by pretending to be offering some awesome service like quick money or something similar to push users to send money to it and withdraw the rest. Sometimes, a malicious smart contract could pretend to be vulnerable to trick users to exploit those vulnerabilities. By doing so, the attacker blocks that money from getting withdrawn back to the sender.
For more details about how malicious smart contracts actually work, I highly encourage you to take a look at the blog post we have written lastly.
Some attackers actually used a whole different approach to attacking wallets. For some of them, try to change the address where you want to send your money. When you do a copy past the malware actually changes the destination address to his own address.
Parity multi-sig wallets are the most famous wallet hacks that happened in the history of cryptocurrency. An attacker exploited a vulnerability in one of the parity’s contracts which leads to executing a dangerous smart contract function. That function was able to destruct the whole library, leading to the lock of many tokens. For more details about this attack, I highly recommend taking a look at the following blog post.
Securing a crypto wallet is a must, as leaking your private key will be disastrous. However, using a hot or a cold wallet depends on how frequently you perform transactions and how fast you want them to be done. Having a cold wallet does not mean you are totally safe, it only means that your wallet has a very small probability to get hacked.
To keep your wallet safe try to avoid using unknown wallet apps both on your personal computer or smartphone. Try also to avoid opening your wallets on a public computer and public networks. Try also to keep a copy of your keys in a paper format to avoid being a victim of ransomware.
Getting your wallet hacked is not the only risk that you may encounter while using cryptocurrency technology. Losing your either passphrase or one of your private keys has the same results as a hack. Unfortunately, using a cold wallet makes you even more susceptible to such incidents and you should be very careful with them.
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).