Cryptocurrency News

MyEtherWallet DNS and BGP hijack – Network visualisations and analysis

Ameet Naik



With any cryptographic system, one way to compromise it is to become a man in the middle (MITM) while a transaction is taking place. Both ends of the transaction believe they are talking to a legitimate party at the other end, but in reality a malicious actor sits in the middle and alters the information being passed through to their advantage. In the case of cryptocurrency, that information could be the public key of the transfer recipient. So instead of your coins going to the intended party, they get diverted to another wallet, and once that transaction is confirmed in the blockchain it is irreversible. There are no safeguards or central authorities that can override this. That is the reality of cryptocurrencies, but that is a topic for another day. So how can a malicious actor become a man in the middle? By hijacking a couple of the cornerstone protocols governing the Internet: DNS and BGP. This is exactly what unfolded on the morning of April 24th, around 5:00 am PST. The ultimate target, in this case, is believed to be a popular crypto wallet app—MyEtherWallet—as reported by security researcher Kevin Beaumont. The collateral damage victims of this attack were customers of Amazon’s Route 53 DNS service such as Instagram (as seen in Figure 1; further analysis can be found here) and CNN.

The attackers, in this case, found their target in a small ISP in Columbus, OH—eNet, also known as XLHost. This ISP is connected to the Equinix fabric, peering at two densely connected exchange points in Ashburn, VA and Chicago, IL. This gave them access to a large number of ISPs, two of which propagated their spoofed prefixes across the Internet. While Amazon continued to announce, a more specific prefix——was now available across parts of the Internet. In the world of IP routing, the longest matching prefix wins, hence traffic meant for Amazon’s DNS servers started flowing into the XLHost network.

Sitting in the XLHost data center was a fake DNS server that selectively answered queries for All other requests were silently discarded. Figure 3 (further analysis can be found here) shows a ThousandEyes Path Visualization illustrating how some Cloud Agents were unable to reach the actual Amazon Route 53 DNS servers. However, several other Cloud Agents were able to reach Route 53 and resolve domains from it just fine.

Amazon Route 53 was able to detect and resolve this issue within a couple of hours and restore its DNS service well before any major cascading impacts occurred. However, some users of MyEtherWallet were not so lucky. Reports indicate that over $150,000 in Ethereum was stolen as part of this attack.
