Ethereum Classic is once again the target of a 51% attack, but this time over $5 million was affected during the carefully orchestrated attack. 

In less than a week, Ethereum Classic, the network that separated from Ethereum in 2016, has been strongly shaken by a new 51% attack that reorganized 4000 blocks within the blockchain and caused nodes to become desynchronized. With this new attack, the malicious actor managed to get hold of 807 ETC, which according to the current value of the cryptocurrency represents more than $260 million.

Bitfly, a company that provides high-quality blockchain mining and analytics services, announced the two attacks on the network. On its Twitter account, Bitfly reported on the recent 51% attack on ETC, alerting miners to switch to ETH and suspending all ETC-related activities.

By August 1st, Bitfly had reported the first attack on the network, although at that time it was not certain whether it was an intentionally orchestrated attack or the result of an error. This attack affected CoreGeth client nodes, which started experiencing longer block times and a sync time of up to 30 minutes. As this was unusual, Bitfly also decided to suspend payments and block distribution until the situation with ETC was resolved.

51% attack on the Ethereum Classic network

As previously reported on Bit2Me News, the data shown by Crypto51, a portal dedicated to publicizing the cost of executing a 51% attack on different blockchain networks, revealed that attacking Ethereum Classic required only about $4000 per hour, considering that the network had lost support for almost 70% of its nodes and that it has one of the lowest hash rates in its history.

Although the total amount of funds stolen so far in both attacks is unknown, a report published by the blockchain company Bitquery notes that the August 1 attacker managed to obtain over $97 in bounties alone, and that during the initial attack he managed to spend 000 ETC. The report also notes that the attacker used resources equivalent to about 807 BTC, which represents just over $260, to rent the hash power needed to execute the attack on Ethereum Classic.

“In total, the attacker mined 4280 blocks over four days.”

The report also notes that the attacker has a deep understanding of the Ethereum Classic network, which is why he managed to keep the attack undetected for the first few days.

How was the attack carried out?

Bitquery's research indicates that between July 29 and July 31, the attacker withdrew 807 ETC from an exchange under his control to several wallets. Then, on July 000, the attacker began mining blocks on the network using hash power purchased from NiceHash and Dagger Hashimoto, created several private transactions, sent money to his own wallets, and inserted the created transactions into the blocks he was mining. No one noticed these transactions because the attacker had not yet published the mined blocks to the blockchain.

Line of attack on Ethereum Classic.
Source: Bitquery 

After this, Bitquery notes that the attacker returned the transactions to the exchange, but this time he used wallets controlled by himself on the non-reorganized chain, which allowed him to remain unnoticed by everyone. Since the transactions were executed over more than 12 hours, the attacker had enough time to send the money, exchange it for BTC or USD, and withdraw it. Thanks to the execution time, the attacker also had the opportunity to convert the transactions into smaller operations so as not to raise suspicions. After four days, on August 1, the attacker published the mined blocks with the transactions created by him and induced the reorganization of the blockchain.

Block reorganization: What does it involve and what are its consequences?

Now, reorganizing a blockchain means that blocks were manipulated, and therefore the records stored within those blocks as well. This attack, as described by Bitquery, involves the attacker creating his own transactions and including them in manipulated blocks within the chain, deleting the records and the previous transaction history and replacing them with others created at will, which allowed the attacker to double-spend the ETC funds recorded within the manipulated blocks.

So far, Ethereum Classic developers have acknowledged the attack and are asking the user community, mining pools, and other service companies that operate with the cryptocurrency to significantly lengthen confirmation times for all deposits and transactions received, considering the recent attacks that the network is suffering. 
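The following is an added example, not code from Bitquery or the Ethereum Classic developers: Python that a deposit-accepting service could use to measure how deep a reorganization was and which credited deposits exist only on the abandoned branch. All block data, transaction names and function names are constructed for illustration; the branch lengths reuse the 4000 and 4280 block figures quoted above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    number: int
    hash: str
    parent: str
    txs: tuple = ()

def build_chain(prefix, start, count, parent, txs=None):
    """Constructed sample blocks (not real ETC data), linked by parent hash."""
    chain = []
    for n in range(start, start + count):
        block = Block(n, f"{prefix}-{n}", parent, tuple((txs or {}).get(n, ())))
        chain.append(block)
        parent = block.hash
    return chain

def analyze_reorg(old_chain, new_chain, credited):
    """Return (fork_height, depth, reverted) after the node switches chains.

    reverted maps each credited tx that exists only on the abandoned branch
    to the confirmations it had when the reorganization arrived.
    """
    new_hashes = {b.number: b.hash for b in new_chain}
    fork_height = old_chain[0].number - 1
    for b in old_chain:                      # walk up to the last shared block
        if new_hashes.get(b.number) != b.hash:
            break
        fork_height = b.number
    tip = old_chain[-1].number
    kept = {tx for b in new_chain if b.number > fork_height for tx in b.txs}
    reverted = {tx: tip - b.number + 1
                for b in old_chain if b.number > fork_height
                for tx in b.txs if tx in credited and tx not in kept}
    return fork_height, tip - fork_height, reverted

# Constructed scenario sized after the article's figures: 4000 public blocks
# are replaced by a privately mined branch of 4280 blocks.
SHARED = build_chain("shared", 100, 10, "genesis")
PUBLIC = SHARED + build_chain("public", 110, 4000, SHARED[-1].hash,
                              {150: ["deposit-to-exchange"]})
PRIVATE = SHARED + build_chain("private", 110, 4280, SHARED[-1].hash,
                               {150: ["transfer-to-own-wallet"]})

def demo():
    return analyze_reorg(PUBLIC, PRIVATE, credited={"deposit-to-exchange"})

if __name__ == "__main__":
    fork, depth, reverted = demo()
    print(f"fork at {fork}, depth {depth}, reverted deposits: {reverted}")
```

In this constructed run the deposit already had 3960 confirmations when it was reverted, so a confirmation policy only helps if it exceeds the reorganization depth the network has actually shown.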

Finally, although Bitquery admits that they still do not know who is behind the address 0x63a8ab05ae4a3bed92580e05e7dce3b268b54a7f, from which the transactions that later led to the attack originated, they are certain that it is an exchange address, due to the high volume of transactions it handles and the movement pattern itself. Likewise, the company claims that the address may be related to the exchange OKEx.