ETC 51% attacker returns funds amid abnormal transaction fees
The 51% attack itself is the least weird thing to happen to Ethereum Classic in the last week.
- Gate.io has announced that the 51% attacker has returned $100,000 in stolen ETC.
- The Ethereum Classic network is experiencing wildly elevated transaction fees.
- Evidence suggests that the attacker might be laundering stolen funds through mining.
Ethereum Classic was struck with a 51% attack a week ago, and the targeted exchanges are believed to have suffered about $1.1 million in lost ETC all up.
The now-familiar "blatantly vulnerable coin finally gets hit with a 51% attack" story has some fresh twists though. Firstly, a security firm has said it will be able to identify the attackers if the targeted exchanges offer some assistance.
And now, the Gate.io exchange has announced that the attacker has returned about $100,000 of ETC. At the same time, Ethereum Classic's block rewards have gone off the chain, so to speak, with someone apparently adding whopping transaction fees of almost $2,000 per transaction to their ETC transactions.
Here's a frankly unnecessary chart of what it's done to the average network transaction fee over the last day.
Right about now ETC watchers are asking themselves questions like "what?".
Given the timing and relative equivalence in sheer bizarreness, it seems likely that the attack, the returned funds and the peculiar block rewards are all connected.
Gate.io has suggested no explanations for the returned funds except that the attacker is potentially an altruistic whitehat hacker who just wanted to remind everyone how vulnerable ETC is. Efforts to contact them, it said, have been unsuccessful.
It's worth noting that some $1.1 million is estimated to have been lost, while Gate.io by itself previously said it lost $200,000. Even taking into account the crypto market drops of recent days it's still far from a full refund. Unless more comes back to all the exchanges, the attacker is still keeping a tidy payday for themselves.
It's still a sizable net gain for the attacker once you factor in a crude but generous estimate of the total attack cost. Assuming the attacker used rented hashpower only, that they carried out the attack for two days straight and that the cost was $5,500 per hour, that's still only $264,000. It's not a bad investment for $1.1 million in returns. Basically, there's still a lot of money unaccounted for.
As for the network activity, TrustNodes suggests that it might be someone trying to ensure that their transactions are less likely to be reversed by a 51% attacking miner. This might work because a 51% attacker would presumably have majority hashrate during an attack, and so would be picking up the lion's share of mining rewards.
If they wanted to fork and roll back the network as per a 51% attack, they would have to forgo those extra-big mining rewards, and essentially add that to the cost of the attack. For the person sending those super-sized transactions, it might be a safe bit of insurance. If the network is attacked while they are sending, those costs are rolled back. If it's not, then the transactions go through as intended and it's all good. In this context, it's still super weird but might make some sense.
But for an alternate explanation, one can look at some mining pool oddities going on at the same time. The chart below shows mining pool activity on the ETC network for the last week or so.
The pink bulge on the left is the perpetrator of the 51% attack and their at-the-time majority hashrate. Of more interest now, though, is the inflation of the orange-coloured bulge on the right-hand side.
That's a mining pool called 2miners.com. As you can see, it hasn't been pulling too much overall hashrate except during the times when ETC transaction fees were going through the roof. Coincidence? Doubtful.
At a cursory glance, it looks like 2miners.com is distinguished by the fact that it gives 100% of the usually-negligible transaction fees to its miners. Not all pools do that. The Ethermine and Nanopool ETC mining pools, for example (the big light green and light blue on the bottom respectively), both seem not to.
What to make of this
So, it looks an awful lot like someone with a lot of hashing power joined the 2miners pool at exactly the same time as the network transaction fees went through the roof. And it just so happens that 2miners is distinguished by its solo mining functionality and that it gives all transaction fees to the miners. Both of these might make 2miners a suitable choice for someone with a lot of hashrate looking to maximise their take of the haywire transaction fees.
At a cursory glance, it doesn't look like a bunch of people joining because of the transaction fees, either. The total ETC hashrate increased during that time, so the hashrate must have come from outside the network, and there doesn't seem to have been a major drop on other Ethash mining networks at the time.
In short, it looks an awful lot like someone with a lot of Ethash hashrate knew transaction fees would be going bonkers on ETC, and made sure they were in the right place at the right time to catch those transaction fees.
This is just a theory, not an accusation, but it looks like the ETC stolen in the 51% attack is being laundered through elevated transaction fees and the 2miners pool. Note that 2miners doesn't necessarily have anything to do with this. Anyone can join the pool as desired.
It would have been expensive, but perhaps also a quite effective way to muddy the waters and re-distribute the double-spent funds among the culprits as well as some lucky bystanders.
This squares with the suggestions of the SlowMist cybersecurity firm that it can track down the attackers with the help of the exchanges. The $100,000 returned to Gate.io might have been more trackable, it may have been a mea culpa or it may have been the first plan before the attackers changed tack and tried to launder it rather than giving up.
Basically, the theory is that the 51% attackers put their hashpower into the 2miners pool at the same time they started sending around transactions to themselves with huge transaction fees. With enough hashrate they have a significant chance of picking up the anomalous transaction fees, but a lot of other people would also get some. It would probably be quite difficult to separate the culprit miners from the bystanders, making it an expensive but potentially decent way of mixing up and laundering funds, and covering your tracks.
And if you look at some of the anomalous transactions, the fees often far outpace the value of the actual transaction.
Whatever's going on here, it's clearly about getting the transaction fees out there more than the transactions themselves.
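The two signals described above, fee-dominated transactions and one pool's share of blocks rising in the same window, can be checked mechanically. The following is an added example, not code from this article or from any party it names; the block data, pool names and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample data, not real ETC blocks:
# (window, pool that mined the block, [(value_etc, fee_etc), ...])
BLOCKS = [
    ("day1", "pool_a", [(10.0, 0.001)]),
    ("day1", "pool_b", [(3.0, 0.002)]),
    ("day1", "pool_a", [(1.0, 0.001)]),
    ("day1", "pool_c", [(7.5, 0.001)]),
    ("day2", "pool_c", [(0.01, 40.0)]),
    ("day2", "pool_a", [(0.02, 35.0), (4.0, 0.001)]),
    ("day2", "pool_c", [(0.01, 50.0)]),
    ("day2", "pool_b", [(2.0, 0.001)]),
    ("day2", "pool_c", [(0.05, 25.0)]),
]

def fee_dominated(value, fee):
    """True when the fee exceeds the value moved by the transaction."""
    return fee > value

def window_stats(blocks):
    """Per window: each pool's share of blocks, and the fee-dominated fee total."""
    counts, anomalous = {}, Counter()
    for window, pool, txs in blocks:
        counts.setdefault(window, Counter())[pool] += 1
        anomalous[window] += sum(f for v, f in txs if fee_dominated(v, f))
    shares = {w: {p: n / sum(c.values()) for p, n in c.items()}
              for w, c in counts.items()}
    return shares, dict(anomalous)

def share_shift(blocks, fee_threshold=1.0):
    """Pool block share in high-fee windows minus its share in quiet windows."""
    shares, anomalous = window_stats(blocks)
    hot = [w for w, total in anomalous.items() if total >= fee_threshold]
    quiet = [w for w in anomalous if w not in hot]
    pools = {p for s in shares.values() for p in s}
    def mean(ws, p):
        return sum(shares[w].get(p, 0.0) for w in ws) / len(ws) if ws else 0.0
    return {p: round(mean(hot, p) - mean(quiet, p), 3) for p in pools}

def fee_capture(blocks):
    """Fraction of all fee-dominated fees collected by each pool's blocks."""
    got = Counter()
    for _, pool, txs in blocks:
        got[pool] += sum(f for v, f in txs if fee_dominated(v, f))
    total = sum(got.values())
    return {p: round(x / total, 3) for p, x in got.items()} if total else {}
```

A pool whose block share jumps only in the high-fee windows stands out in `share_shift`, but as the article notes, everyone mining in that pool collects the fees, so this narrows the search without identifying an individual miner.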
The initial explanation, based on the funds returned to Gate.io, might be that the attacker is white-hattedly distributing the stolen funds back into the ecosystem via transaction fees. But when considered alongside the distinct 2miners.com hashrate increase, it looks much more like an exotic form of money laundering.
It would still be an exceptionally expensive way of going about it, but it might still be profitable in the end. Assuming this theory holds, the attackers themselves were holding about 40% of ETC hashrate during the wild transaction fee times, so they get about 40% of the laundered funds while everyone else gets 60%.
So – assuming any of this is remotely correct – if the total amount stolen was $1.1 million, you subtract the $100,000 returned to Gate.io and then divide the remaining million 60/40, the attackers are still walking away with $400,000 in potentially laundered ETC funds before costs.
Those costs will vary widely depending on whether they're using just rented hashing power, their own machines or a combination of the two for the attack itself and the subsequent laundering efforts. Roughly eyeballing the numbers, it looks like the attackers could have made a profit in the end even if it was all done with expensive completely-rented hashing power.
The evidence seems to suggest that this might be what happened. Or maybe it's just one of those crypto mysteries that will never be publicly answered.
Disclosure: At the time of writing the author holds ETH