ETC 51% attacker returns funds amid abnormal transaction fees

Posted: 14 January 2019 6:25 pm

The 51% attack itself is the least weird thing to happen to Ethereum Classic in the last week.

  • has announced that the 51% attacker has returned $100,000 in stolen ETC.
  • The Ethereum Classic network is experiencing wildly elevated transaction fees.
  • Evidence suggests that the attacker might be laundering stolen funds through mining.

Ethereum Classic was struck with a 51% attack a week ago, and the targeted exchanges are believed to have suffered about $1.1 million in lost ETC all up.

The now-familiar "blatantly vulnerable coin finally gets hit with a 51% attack" story has some fresh twists though. Firstly, a security firm has said it will be able to identify the attackers if the targeted exchanges offer some assistance.

And now, the exchange has announced that the attacker has returned about $100,000 of ETC. At the same time, Ethereum Classic's block rewards have gone off the chain, so to speak, with someone apparently adding whopping transaction fees of almost $2,000 per transaction to their ETC transactions.

Here's a frankly unnecessary chart of what it's done to the average network transaction fee over the last day.

Right about now ETC watchers are asking themselves questions like "what?".

Given the timing and relative equivalence in sheer bizarreness, it seems likely that the attack, the returned funds and the peculiar block rewards are all connected.

What? has suggested no explanations for the returned funds except that the attacker is potentially an altruistic whitehat hacker who just wanted to remind everyone how vulnerable ETC is. Efforts to contact them, it said, have been unsuccessful.

It's worth noting that some $1.1 million is estimated to have been lost, while by itself previously said it lost $200,000. Even taking into account the crypto market drops of recent days it's still far from a full refund. Unless more comes back to all the exchanges, the attacker is still keeping a tidy payday for themselves.


It's still a sizable net gain for the attacker once you factor in a crude but generous estimate of the total attack cost. Assuming the attacker used rented hashpower only, that they carried out the attack for two days straight and that the cost was $5,500 per hour, that's still only $264,000. It's not a bad investment for $1.1 million in returns. Basically, there's still a lot of money unaccounted for.

As for the network activity, TrustNodes suggests that it might be someone trying to ensure that their transactions are less likely to be reversed by a 51% attacking miner. This might work because a 51% attacker would presumably have majority hashrate during an attack, and so would be picking up the lion's share of mining rewards.

If they wanted to fork and roll back the network as per a 51% attack, they would have to forgo those extra-big mining rewards, and essentially add that to the cost of the attack. For the person sending those super-sized transactions, it might be a safe bit of insurance. If the network is attacked while sending it, those costs are rolled back. If it's not, then the transactions go through as intended and it's all good. In this context, it's still super weird but might make some sense.

But for an alternate explanation, one can look at some mining pool oddities going on at the same time. The chart below shows mining pool activity on the ETC network for the last week or so.

The pink bulge on the left is the perpetrator of the 51% attack and their at-the-time majority hashrate. Of more interest now, though, is the inflation of the orange-coloured bulge on the right-hand side.

That's a mining pool called As you can see, it hasn't been pulling too much overall hashrate except during the times when ETC transaction fees were going through the roof. Coincidence? Doubtful.

At a cursory glance, it looks like is distinguished by the fact that it gives all 100% of the usually-negligible transaction fees to its miners. Not all pools do that. The Ethermine and Nanopool ETC mining pools for example (the big light green and light blue on the bottom respectively) both seem not to.

What to make of this

So, it looks an awful lot like someone with a lot of hashing power joined the 2miners pool at exactly the same time as the network transaction fees went through the roof. And it just so happens that 2miners is distinguished by its solo mining functionality and that it gives all transaction fees to the miners. Both of these might make 2miners a suitable choice for someone with a lot of hashrate looking to maximise their take of the haywire transaction fees.

At a cursory glance, it doesn't look like a bunch of people joining because of the transaction fees, either. The total ETC hashrate increased during that time, so the hashrate must have come from outside the network, and there doesn't seem to have been a major drop on other Ethash mining networks at the time.

In short, it looks an awful lot like someone with a lot of Ethash hashrate knew transaction fees would be going bonkers on ETC, and made sure they were in the right place at the right time to catch those transaction fees.

A theory

This is just a hypothetical theory, not an accusation, but it looks like the ETC stolen in the 51% attack is being laundered through elevated transaction fees and the 2miners pool. Note that 2miners doesn't necessarily have anything to do with this. Anyone can join the pool as desired.

It would have been expensive, but perhaps also a quite effective way to muddy the waters and re-distribute the double-spent funds among the culprits as well as some lucky bystanders.

This squares with the suggestions of the SlowMist cybersecurity firm that it can track down the attackers with the help of the exchanges. The $100,000 returned to might have been more trackable, it may have been a mea culpa or it may have been the first plan before the attackers changed tack and tried to launder it rather than giving up.

Basically, the theory is that the 51% attackers put their hashpower into the 2miners pool at the same time they started sending around transactions to themselves with huge transaction fees. With enough hashrate they have a significant chance of picking up the anomalous transaction fees, but a lot of other people would also get some. It would probably be quite difficult to separate the culprit miners from the bystanders, making it an expensive but potentially decent way of mixing up and laundering funds, and covering your tracks.

And if you look at some of the anomalous transactions, the fees often far outpace the value of the actual transaction.

Whatever's going on here, it's clearly about getting the transaction fees out there more than the transactions themselves.
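The two signals described above (fees that dwarf the value being sent, and who ends up collecting them) can be checked mechanically. The sketch below is an added example, not code from the article or from any exchange or pool: the block data, miner labels and thresholds are constructed for illustration, and a block's miner label only identifies the pool, not the individual miners paid out behind it.

```python
from collections import defaultdict

# Constructed sample data (not real chain data). Each block carries a miner
# label and a list of transactions as (value_etc, fee_etc).
SAMPLE_BLOCKS = [
    {"miner": "pool_a", "txs": [(10.0, 0.001), (2.5, 0.0004)]},
    {"miner": "pool_b", "txs": [(0.01, 450.0), (5.0, 0.002)]},
    {"miner": "pool_c", "txs": [(1.0, 0.0005)]},
    {"miner": "pool_b", "txs": [(0.02, 430.0), (0.01, 460.0)]},
    {"miner": "pool_a", "txs": [(0.05, 440.0)]},
    {"miner": "pool_b", "txs": [(3.0, 0.001)]},
]


def flag_anomalous(blocks, min_fee=1.0, min_ratio=1.0):
    """Return (block_index, miner, value, fee) for transactions whose fee is
    large in absolute terms and at least min_ratio times the value sent.
    The default thresholds are assumptions chosen for the sample data."""
    hits = []
    for index, block in enumerate(blocks):
        for value, fee in block["txs"]:
            if fee >= min_fee and fee >= min_ratio * value:
                hits.append((index, block["miner"], value, fee))
    return hits


def fee_capture_report(blocks, min_fee=1.0, min_ratio=1.0):
    """Per miner label: share of blocks mined vs share of anomalous fees won.
    A fee share well above the block share is the pattern worth a closer look."""
    hits = flag_anomalous(blocks, min_fee, min_ratio)
    total_fee = sum(fee for _, _, _, fee in hits)
    blocks_by_miner = defaultdict(int)
    fees_by_miner = defaultdict(float)
    for block in blocks:
        blocks_by_miner[block["miner"]] += 1
    for _, miner, _, fee in hits:
        fees_by_miner[miner] += fee
    return {
        miner: {
            "block_share": count / len(blocks),
            "anomalous_fee_share": (fees_by_miner[miner] / total_fee) if total_fee else 0.0,
        }
        for miner, count in blocks_by_miner.items()
    }


if __name__ == "__main__":
    for miner, row in sorted(fee_capture_report(SAMPLE_BLOCKS).items()):
        print(miner, row)
```
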

The initial explanation, based on the funds returned to, might be that the attacker is white-hattedly distributing the stolen funds back into the ecosystem via transaction fees. But when considered alongside the distinct hashrate increase, it looks much more like an exotic form of money laundering.

It would still be an exceptionally expensive way of going about it, but it might still be profitable in the end. Assuming this theory holds, the attackers themselves were holding about 40% of ETC hashrate during the wild transaction fee times, so they get about 40% of the laundered funds while everyone else gets 60%.

So – assuming any of this is remotely correct – if the total amount stolen was $1.1 million, you subtract the $100,000 returned to and then divide the remaining million 60/40, the attackers are still walking away with $400,000 in potentially laundered ETC funds before costs.

Those costs will vary widely depending on whether they're using just rented hashing power, their own machines or a combination of the two for the attack itself and the subsequent laundering efforts. Roughly eyeballing the numbers, it looks like the attackers could have made a profit in the end even if it was all done with expensive completely-rented hashing power.

The evidence seems to suggest that this might be what happened. Or maybe it's just one of those crypto mysteries that will never be publicly answered.

Disclosure: At the time of writing the author holds ETH
