Pierluigi Paganini June 07, 2019

Cyber criminals stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from the users of the GateHub cryptocurrency wallet service.

A new cyber heist made the headlines, crooks stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from the users of the GateHub cryptocurrency wallet service.

“Recently, we have been notified by our customers and community members about funds on their XRP Ledger wallets being stolen and immediately started monitoring network activity and conducted an extensive internal investigation.” reads a preliminary statement published by GateHub.

“Although we have not identified any action or omission by GateHub that may have facilitated or allowed this apparent theft to occur, we apologize deeply to all of our customers for this issue and pledge to get to the bottom of it.”

The company pointed speculate the attackers might have abused API to steal the funds. GateHub explained that each API requests to the victim’s accounts were authorized with a valid access token. The company did not observe suspicious logins or evidence of brute force attacks, however, its staff noticed an increased amount of API calls using valid access tokens.

The suspicious requests were originated from a limited number of IP addresses likely compromised by the attackers. At the time, it is still unclear how the attackers have decrypted the secret keys. The company disabled all the access tokens on June 1st.

“We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys,” continues the statement.

“That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1st after which the suspicious API calls were stopped,”

The community member Thomas Silkjær who, one of members who warned GateHub about the theft, published a report on incident. that:

“On June 1 we were made aware of a theft of 201,000 XRP … and immediately started investigation. It turned out that the account robbed was managed through Gatehub.net, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen substantial amounts from several other XRP accounts, likely to be or have been managed through Gatehub.net.” reads the report.

The experts identified several other accounts connected to the cyber heists, for a total of 12 primary suspect accounts.

“From analysing access logs by victims and transactions made on the XRP ledger, it does not appear that any accounts were breached on gatehub.net directly, using client login credentials.” states the researcher.

The community member was not able to discover the root cause of the hack, it explored various options including repeating nonces, a bad practice in handling RippleTrade migration of user accounts, Browser client hacking, and also the leak of an old data base containing encrypted private keys.

GateHub immediately notified law enforcement, an investigation is still ongoing.

Pierluigi Paganini

(SecurityAffairs – hacking, GateHub)

[adrotate banner=”5″]

[adrotate banner=”13″]