EtherDelta December 2017 hack suspects identified, charged with fraud
Decentralised exchanges may have decentralised orderbooks, but the site itself is still a distinct, centralised thing.
The EtherDelta hack of December 2017 resulted in the loss of a moderate-sized fortune in crypto. It made waves in part because decentralised exchanges such as EtherDelta were supposedly unhackable.
But this particular hack did not touch the on-chain orderbook at all. It involved hijacking the EtherDelta domain so that visitors were served a very convincing fake of the site. When users went to trade on it, they unwittingly handed over their private keys to the hackers, who then used those keys to drain their wallets.
Now we know who allegedly did it and how they allegedly did it, following the release of an indictment from a California district court against Elliott Gunton (aka "Gubz" or "Planet") and Anthony Tyler Nashatka (aka "Psycho").
The short version is that they broke into EtherDelta's Cloudflare account and redirected the domain's traffic to a lookalike site under their control.
How it allegedly happened
It all began on about 13 December, when the hackers purchased the phone number and email address of an EtherDelta employee, who is identified in the indictment as "Z.C." It seems reasonable to assume that this is Zachary Coburn, founder and operator of EtherDelta.
With those contact details in hand, they went to the phone company's help desk and convinced an employee to set up automatic call forwarding, without ZC's permission. Calls and text messages to ZC's number were now forwarded to Gunton and Nashatka, which let them bypass any SMS- or voice-based 2-factor authentication on ZC's other accounts.
With this in hand, they next gained access to the settings for ZC's email account and redirected emails to another account also under their control. Now ZC wouldn't receive any warning or confirmation emails.
Then on 20 December, about a week after buying that email address and phone number, Gunton and Nashatka gained access to the EtherDelta Cloudflare account and reset the password, preventing ZC from accessing it. On the same day, they replaced the real EtherDelta website with their fake facade, started harvesting user private keys and wallet addresses and started draining user wallets.
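The chain above ends with an attacker rewriting records in the victim's DNS/CDN account, and the email redirection one step earlier means the owner's own inbox can no longer be trusted to deliver the provider's alerts. The only reliable check is therefore out of band: a known-good snapshot of the zone stored somewhere the hosting account cannot reach, compared against what the public internet actually resolves. The following is an added example to illustrate that check; it is not code from the article, from EtherDelta or from Cloudflare. The domain, addresses and record sets are constructed placeholders, and the "observed" set is hand-built to show the kind of change described above (web and mail records repointed) rather than fetched from a resolver.

```python
"""
Out-of-band DNS drift monitor (added example, constructed data).

Compares a stored known-good snapshot of a zone with the records currently
observed and labels each deviation by what an attacker holding the DNS/CDN
account could do with it. In real use OBSERVED would be populated from a
resolver query made from a host outside the provider; here it is constructed.
"""
from dataclasses import dataclass

# Hypothetical baseline captured while the zone was known-good and kept
# outside the DNS provider account (e.g. in version control).
BASELINE = {
    "NS":   {"ns1.example-dns.net", "ns2.example-dns.net"},
    "A":    {"203.0.113.10"},
    "AAAA": {"2001:db8::10"},
    "MX":   {"10 mail.example.net"},
    "TXT":  {"v=spf1 include:_spf.example.net -all"},
}

# Constructed "current" state: web traffic and inbound mail now point at
# attacker-controlled hosts, the outcome of an account reset like the one
# described in the indictment. Addresses are placeholders.
OBSERVED = {
    "NS":   {"ns1.example-dns.net", "ns2.example-dns.net"},
    "A":    {"198.51.100.77"},
    "AAAA": {"2001:db8::10"},
    "MX":   {"10 mail.attacker.example"},
    "TXT":  {"v=spf1 include:_spf.example.net -all"},
}

# What a change to each record type buys an attacker; used to label findings.
IMPACT = {
    "NS":   "zone delegated away: attacker controls every record",
    "A":    "web traffic redirected: a lookalike site can harvest keys and credentials",
    "AAAA": "web traffic (IPv6) redirected",
    "MX":   "inbound email redirected: reset links and provider alerts intercepted",
    "TXT":  "SPF/DKIM/domain-verification records altered",
}


@dataclass(frozen=True)
class Finding:
    rtype: str
    added: frozenset    # values present now but not in the baseline
    removed: frozenset  # values in the baseline that have disappeared
    impact: str


def diff_zone(baseline, observed):
    """Return one Finding per record type whose value set has changed."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        before = baseline.get(rtype, set())
        after = observed.get(rtype, set())
        if before != after:
            findings.append(Finding(
                rtype,
                frozenset(after - before),
                frozenset(before - after),
                IMPACT.get(rtype, "unclassified record type"),
            ))
    return findings


def severity(findings):
    """Rank the worst deviation: delegation change beats traffic/mail redirection."""
    types = {f.rtype for f in findings}
    if "NS" in types:
        return "critical"
    if types & {"A", "AAAA", "MX"}:
        return "high"
    if findings:
        return "medium"
    return "none"


if __name__ == "__main__":
    found = diff_zone(BASELINE, OBSERVED)
    print("severity:", severity(found))
    for f in found:
        print(f"{f.rtype}: +{sorted(f.added)} -{sorted(f.removed)} :: {f.impact}")
```

The point of the design is where the comparison runs, not the diff itself: the baseline and the monitor must live outside the accounts the attacker has just taken over (the DNS provider, the owner's email, the owner's phone), or the alert goes to the same places the attacker already controls.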
There are a few interesting takeaways.
One is that the security of decentralisation is still, to a large extent, more theoretical than actual. The decentralised world still touches the ground at centralised points like web hosting and DNS providers, phone companies, GitHub repos and Zendesk logins. Individuals like ZC are also a centralised point of failure, as they can experience personal misadventures like having their contact details sold online or being charged by the SEC with operating an unregistered securities exchange.
It also highlights how hackers of all stripes tend to follow the money and as a whole quickly shift to whatever's most profitable at any given time. This can be seen in the ebbs and flows of cryptojacking vs ransomware popularity. Throughout 2017, the popularity of ransomware diminished and cryptojackers grew in line with cryptocurrency price rises.
In this case, Elliott Gunton is also believed to have been involved in the 2015 TalkTalk data breach, which saw a few hundred thousand people's data stolen, and the British telco being held for ransom – potentially by a completely unrelated, opportunistic entity. But in December 2017, cryptocurrency was where the money was.
This case, and a great many others, also shows just how insecure phone numbers are. Here, Gunton and Nashatka managed to forward someone else's calls to themselves, seemingly just by asking nicely. And in another curious case last year, a SIM swapping (phone number hijacking) ring would do the same, and then coerce patsies in online games into stealing crypto on their behalf.
These days, phone companies are disappointed to find out that the rise of 2-factor authentication has thrust them into an expensive and unwanted position of great security responsibility. As the EtherDelta hack shows, many of them really haven't adjusted to that responsibility particularly well.
This is one curious side effect of crypto crime in particular. Crimes related to phone number hijacking aren't unique to cryptocurrency, but in most other cases, there will be someone else to blame. When a bank is robbed by SIM swapping, the bank is typically liable. And when customer data is stolen en masse, the holder of that data is typically considered at fault.
But with crypto heists, you get an interesting combination: gargantuan amounts of money being stolen and phone companies themselves being more liable than anyone else. This combination is driving genuine change in the cryptocurrency and cybersecurity landscape.
In this context, the EtherDelta hack is part of a rich tapestry of educational precedent.
Disclosure: The author holds BNB and BTC at the time of writing.