It’s been more than four years since Summer 2017 when three ICO-funded projects got hit by a hacker and lost 153,000 ETH. The victims think they have a way to be made whole again now.
It would be an enormous windfall if it works.
At current prices, the stolen ETH would be worth approximately $600M. At the time of the hack, it was more like $30M. If the funds were returned under this plan, it could be an important turning point in cybercrime, where criminals learn that stealing digital assets is a tough hustle in the current state of blockchain forensics.
Today, the victims — Aeternity (a smart contracts startup), Edgeless (gaming) and Swarm City (decentralized e-commerce) — are offering their adversary amnesty if nearly all the funds are returned to a specific wallet address. They are putting out a call on a group Medium blog today, the Defiant has learned.
“We are inviting the Parity Multisig Wallet Hacker to return the ETH they stole to earn a 10% bounty for their troubles, as well as receive acknowledgement for the exploit they found,” Yanislav Malahov, founder of Aeternity, told The Defiant via email.
To recap: The end of 2017 was a a boom time of initial coin offerings (ICOs), in which a blockchain startup would create a new “utility token” on Ethereum and sell it, usually for ETH, in order to fund their operations. Projects collectively raised billions of dollars this way. Many projects kept the funds raised in a multisig wallet made by Parity Technologies, the same company that’s done most of the development work behind the Polkadot blockchain and Ethereum’s Parity client.
A flaw in that software made it feasible for a cybercriminal to siphon off millions in funds held by three ICO-funded projects. The flaw was quickly fixed, but in an only-in-crypto turn, white hat hackers used the flaw to pre-emptively drain funds from dozens and dozens of other projects’ wallets in order to secure those assets safely against the attacker.
The 2017 white hats were assembled at the behest of the three projects who got hit first.
“We have not remained idle. Our three projects have been monitoring every transaction made from the hacker’s account,” the three victims wrote in a statement that they will release today.
Their cause has been aided by third-party companies that have become adept at blockchain forensics. Their partners are helping the three victims put on the pressure to get their funds back.
The stolen ETH has mostly sat idle in seven different Ethereum addresses, but the victims were alerted in June that the attacker was on the move when some of the stolen funds moved onto eight cryptocurrency exchanges.
The July 2017 Parity wallet hack should not be confused with the November Parity wallet bug that same year, where many times more in ETH was lost. In that case, the funds weren’t stolen but locked forever.
The three companies have been emboldened by the successful return of most of the $600M stolen from the Layer 2 project Polygon in August, once those attackers realized they would not be able to move stolen funds.
Two Separate Actors
So here’s the plan to resolve the Parity wallet hack: The three projects have put out an announcement today calling in two separate actors to help make the projects whole.
“The Parity hack happened right after our project launched in 2017, crippling our scale potential since then,” a co-founder of Edgeless Gaming, Tomas Draksas, said in an email to The Defiant. “It’s the last resort if we want to reach any meaningful milestones in the blockchain gaming industry while it’s booming.”
First, the three ICO-projects are asking the eight exchanges who are holding stolen funds to freeze the funds and then return them to the victims.
Second, they are offering amnesty to the cybercriminal. Whomever it is, if they return 90% of the funds collected to a designated Ethereum address, the coalition won’t push the matter further.
At current prices, 10% of the stolen assets would still be worth $58M.
The coalition has identified 11,488 ETH on exchanges from the attack, which would be worth roughly $45.8M, half-again more, in dollar terms, than the companies lost in 2017, due to the dramatic appreciation in ETH prices.
The three exchanges with the most stolen ETH are Changelly, ShapeShift (now a DAO) and Binance. Changelly has by far the most, at 4,605 ETH.
“All of them know that the hack funds came from the account of the hacker. So they are freezing the funds. This is a pretty recent development, because the hacker is trying to wash these funds,” Matthew Carano, formerly of Swarm City’s team, told The Defiant in an interview.
Some exchanges have already tentatively agreed to return funds, but are working through careful legal and identity checks to make sure the stolen assets are going to the appropriate parties.
The three projects are also calling on the Ethereum community and all crypto users to help them by supporting their bid to get all the funds returned. They are specifically asking that blockchain users tweet out support for their bid to have the funds returned.
This could be a fraught issue for many in the community, many of which are opposed to blockchain forensics.
While declining to name the exact partners that the three companies are working with to press for the return, Carano explained that the principle is basically the same. They are using the ever improving technology for tracking blockchain transactions to identify the specific funds stolen, follow it and to build a profile of the cybercriminal.
In the Polygon case, Slowmist and Chainalysis were key partners in tracking down the attacker.
In a statement shared with The Defiant in advance, the coalition wrote, “With regards to the Parity Hack, we have been able to piece together a considerable amount of information on the hacker, their wallets, and their transaction history.”
“I would rather encourage them to do the right thing,” Carano said, but he noted: “They’re always going to be at risk from serious penalties from law enforcement.”
They hope the growing frustration the hacker might be having making use of the funds will be enough to convince their adversary to accept a small portion of the stolen assets in exchange for amnesty.
“Due to the nature of blockchain’s traceability, we understand that the hacker has nowhere to run. Technically the hacked funds are frozen in time forever without any use-case,” Draksas said.
This could be instrumental for Swarm City, which has shut down operations since the attack. Edgeless and Aeternity have carried on despite the setback, but access to another $600M in assets would make a difference for any company.
And the attacker would still get to keep 10% from the exploit. Whomever it is, they now have over 60M reasons to give up and walk away.