
EtherDelta December 2017 hack suspects identified, charged with fraud


Decentralised exchanges may have decentralised orderbooks, but the site itself is still a distinct, centralised thing.

The EtherDelta hack of December 2017 resulted in the loss of a moderate-sized fortune in crypto. It made waves in part because decentralised exchanges such as EtherDelta were supposedly unhackable.

But this particular hack never touched the decentralised part at all. It involved taking control of the EtherDelta web front end and replacing it with a very convincing fake. Users who went to trade on it unwittingly handed their private keys to the hackers, who then drained their wallets.

Now we know who allegedly did it and how they allegedly did it, following the release of an indictment from a California district court against Elliott Gunton (aka "Gubz" or "Planet") and Anthony Tyler Nashatka (aka "Psycho").

The short version is that they broke into EtherDelta's Cloudflare account and redirected it

How it allegedly happened

It all began on or about 13 December, when the hackers purchased the phone number and email address of an EtherDelta employee, who is identified in the indictment only as "Z.C." It seems reasonable to assume that this is Zachary Coburn, founder and operator of EtherDelta.

With those contact details in hand, they went to the phone company's help desk and convinced an employee to set up automatic call forwarding on ZC's number, without ZC's permission. Calls and messages to ZC's number now went to Gunton and Nashatka, so any one-time codes that ZC's other accounts sent by SMS or voice call landed with the attackers, which let them bypass the 2-factor authentication on those accounts.

With that in place, they next gained access to the settings of ZC's email account and redirected incoming mail to another account under their control. ZC would now receive no warning or confirmation emails about what happened next.

Then on 20 December, about a week after buying that email address and phone number, Gunton and Nashatka gained access to the EtherDelta Cloudflare account and reset its password, locking ZC out. On the same day, they used that control to replace the real EtherDelta website with their fake, started harvesting user private keys and wallet addresses, and started draining user wallets.
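The chain above ends at the point most monitoring misses: when the attacker holds the CDN account itself, the nameservers, edge addresses and edge certificate that an outside observer sees can all stay exactly as they were, while the content served changes. The script below is an added example, not code from the article, from EtherDelta or from Cloudflare; the domain example-dex.test, the address range, the dig-style answer text and the two JavaScript "bundles" are constructed inputs. It records an external snapshot of a site (NS and A records parsed from `dig +noall +answer` output, the edge certificate fingerprint, and the SHA-256 of the served JS bundle) and reports which layer drifted, treating a changed bundle with an unchanged DNS layer as the CDN-account or origin-compromise pattern rather than as an ordinary deployment.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample inputs (not real EtherDelta data): what an external
# monitor might record for a CDN-fronted site before and after a hijack
# of the CDN account. Lines follow the `dig +noall +answer` layout.
BASELINE_DIG = """\
example-dex.test.  300 IN NS  ns1.cdn-provider.test.
example-dex.test.  300 IN NS  ns2.cdn-provider.test.
example-dex.test.  300 IN A   203.0.113.10
example-dex.test.  300 IN A   203.0.113.11
"""
BASELINE_BUNDLE = b"window.app = {}; // legitimate build (constructed)"

# Same nameservers, same edge addresses, same edge certificate: the DNS layer
# looks identical because the change happened inside the CDN account.
HIJACKED_DIG = BASELINE_DIG
HIJACKED_BUNDLE = b"window.app = {}; exfil(localStorage.key); // constructed"

# Assumed published edge ranges of the CDN; real ranges would be pulled from
# the provider's own list.
TRUSTED_EDGE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_dig_answers(text):
    """Parse `dig +noall +answer` style lines into {rtype: set(rdata)}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        # name TTL IN TYPE RDATA...
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], " ".join(parts[4:])
        records.setdefault(rtype, set()).add(rdata)
    return records


@dataclass(frozen=True)
class Snapshot:
    ns: frozenset
    a: frozenset
    cert_sha256: str
    bundle_sha256: str


def snapshot(dig_text, cert_sha256, bundle_bytes):
    """Build a Snapshot from dig output, a cert fingerprint and the served JS."""
    recs = parse_dig_answers(dig_text)
    return Snapshot(frozenset(recs.get("NS", ())), frozenset(recs.get("A", ())),
                    cert_sha256, hashlib.sha256(bundle_bytes).hexdigest())


def check_drift(base, cur, trusted_ranges=TRUSTED_EDGE_RANGES):
    """Compare two snapshots; return [(severity, message)] for each drifted layer."""
    findings = []
    if base.ns != cur.ns:
        findings.append(("critical", "NS delegation changed: registrar or DNS-account takeover pattern"))
    if base.a != cur.a:
        untrusted = [ip for ip in cur.a - base.a
                     if not any(ipaddress.ip_address(ip) in net for net in trusted_ranges)]
        if untrusted:
            findings.append(("critical", f"A records now point outside trusted edge ranges: {sorted(untrusted)}"))
        else:
            # CDNs rotate anycast addresses; staying inside their ranges is routine.
            findings.append(("info", "A records rotated within trusted edge ranges"))
    if base.cert_sha256 != cur.cert_sha256:
        findings.append(("high", "edge certificate fingerprint changed"))
    if base.bundle_sha256 != cur.bundle_sha256:
        dns_quiet = base.ns == cur.ns and base.a == cur.a
        if dns_quiet:
            findings.append(("critical", "served JS bundle changed with no DNS change: CDN-account or origin compromise pattern"))
        else:
            findings.append(("high", "served JS bundle changed"))
    return findings


if __name__ == "__main__":
    base = snapshot(BASELINE_DIG, "aa" * 32, BASELINE_BUNDLE)
    cur = snapshot(HIJACKED_DIG, "aa" * 32, HIJACKED_BUNDLE)
    for severity, message in check_drift(base, cur):
        print(severity, message)
```

The useful property is the asymmetry: NS and A drift is easy to notice but is also what a Cloudflare-level takeover leaves untouched, so the bundle hash, taken from a vantage point the CDN account cannot influence, is the signal that actually fires for this class of incident. A real deployment would refresh the baseline only through a change process that does not itself depend on the CDN account or on the phone number behind its 2FA.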

Opinion: Takeaways

There are a few interesting takeaways.

One is that the security of decentralisation is still, to a large extent, more theoretical than actual. The decentralised world still touches the ground at centralised points like web hosting and CDN services, phone companies, GitHub repos and Zendesk logins. Individuals like ZC are also a centralised point of failure, as they can experience personal misadventures like having their contact details sold online or being charged with unregistered securities trading by the SEC.

It also highlights how hackers of all stripes tend to follow the money and, as a whole, quickly shift to whatever is most profitable at any given time. This can be seen in the ebbs and flows of cryptojacking versus ransomware. Throughout 2017, ransomware's popularity diminished while cryptojacking grew in line with cryptocurrency price rises.

In this case, Elliott Gunton is also believed to have been involved in the 2015 TalkTalk data breach, which saw a few hundred thousand people's data stolen, and the British telco being held for ransom – potentially by a completely unrelated, opportunistic entity. But in December 2017, cryptocurrency was where the money was.

That factor, combined with a multi-year law enforcement lag, has seen the charges for crypto crimes perpetrated in late 2017 come trickling in.

This case, and a great many others, also shows just how insecure phone numbers are. Here, Gunton and Nashatka managed to forward someone else's calls to themselves, seemingly just by asking nicely. And in another curious case last year, a SIM swapping (phone number hijacking) ring would do the same, and then coerce patsies in online games into stealing crypto on their behalf.

These days, phone companies are disappointed to find out that the rise of 2-factor authentication has thrust them into an expensive and unwanted position of great security responsibility. As the EtherDelta hack shows, many of them really haven't adjusted to that responsibility particularly well.

This is one curious side effect of crypto crime in particular. Crimes related to phone number hijacking aren't unique to cryptocurrency, but in most other cases, there will be someone else to blame. When a bank is robbed by SIM swapping, the bank is typically liable. And when customer data is stolen en masse, the holder of that data is typically considered at fault.

But with crypto heists, you get an interesting combination: gargantuan amounts of money being stolen and phone companies themselves being more liable than anyone else. This combination is driving genuine change in the cryptocurrency and cybersecurity landscape.

In this context, the EtherDelta hack is part of a rich tapestry of educational precedent.

Disclosure: The author holds BNB and BTC at the time of writing.
