Wallet users are still lagging behind in security, as an April 23, 2019 report reveals that millions of dollars' worth of ether has been stolen from wallets whose private keys an attacker was able to guess.
A private key is the single secret that authorizes spending from a wallet address; whoever holds it controls the funds, so a guessable key is as good as no key at all. A lot can go wrong with private keys, as the recent QuadrigaCX situation shows, and wallet providers have for some time been letting users back up their private keys because of earlier incidents.
These incidents send a strong message about protecting private keys and taking all the necessary precautions. Despite this, users are not always keeping their private keys safe, as an April 23, 2019 report by Independent Security Evaluators shows: a 'blockchain bandit' has been able to steal roughly 45,000 ether simply by guessing private keys.
Just as with email passwords and debit card PINs, users whose wallets derive the private key from a chosen passphrase are advised not to use common, easily guessable phrases. Not everyone has gotten the message, unfortunately. Adrian Bednarek, a senior security analyst at Independent Security Evaluators, discovered this criminal entirely by accident: while researching weak keys, he was able to guess 732 private keys and would therefore have been able to move funds out of the wallets those keys control.
The keys were found by enumerating the kinds of weak keys that faulty wallet code or a poor random number generator would produce, deriving the matching addresses and checking them on the chain. Some of the wallets that Bednarek and his team could open had had funds moved out but never moved back in, indicating that someone else had already exploited the same flaw for malicious ends.
“There was a guy who had an address who was going around and siphoning money from some of the keys we had access to. We found 735 private keys, he happened to take money from 12 of those keys we also had access to. It’s statistically improbable he would guess those keys by chance, so he was probably doing the same thing,”
The thief is estimated to have stolen millions of dollars' worth of ether, which at the time of the report was valued at about $7.8 million.
As for what caused the flaw, Bednarek has said that coding errors in wallet software could be responsible for generating weak keys. It is also possible that the fault lies with users who chose weak phrases for their passphrases or left them blank altogether.