The Independent Security Evaluators has released the analysis covering the recent heist of about 45,000 ETH. A hacker managed to steal the funds making use of weak protection of private keys in Ethereum blockchain.
According to the report, the company experts applied the mix of wrong code detection and random data generator rather than a random symbol generation. As commented the senior security analyst at ISE Adrian Bednarek, it was assumed that the combination of private key symbols should be statistically improbable and Bednarek managed to disclose 732 private keys using the above-mentioned method. As a result, he got access to wallets and could make transactions.
At the same time, the hacker called Blockchain Bandit was actually detected accidentally. During the research, the analyst discovered that some wallets connected with disclosed keys recorded huge transactions that were destined to one and the same address. Adrian Bernard supposed that a hacker could use the same mixed method as they did.
Moreover, the ISE team decided to check their concept and send $1 in ETH to one of these wallets. It should be mentioned that the address was active last July, though the coins were transferred to hacker's address immediately.
According to the company's assessment, the Blockchain Bandit probably received about 45,000 ETH ($7.8 million at the current exchange rate).
There are opinions that the vulnerability of the private keys can be connected with coding errors in the software that generates keys. At the same time, another theory covers that crypto holders that receive keys via seed-phrase generate similar or too weak passwords or even refuse to make them at all.