Bitcoin is a virtual currency that uses cryptography to create and transfer bitcoins. Users keep bitcoin addresses, from which bitcoins are received or sent, in digital wallets. Bitcoin relies on public-key cryptography, so each address is associated with a pair of mathematically linked public and private keys that are held in the wallet.
Researchers at the Dell SecureWorks Counter Threat Unit (CTU), a cyber intelligence company, have discovered a series of malicious activities in which a cryptocurrency thief used bogus Border Gateway Protocol (BGP) announcements to hijack networks belonging to no fewer than 19 Internet service providers, including Amazon and hosting services such as DigitalOcean and OVH, in order to steal cryptocurrency from a group of bitcoin users.
"In total, CTU researchers documented 51 compromised networks from 19 different Internet service providers (ISPs)," the Dell team wrote in a blog post on Thursday.
By broadcasting malicious network routes through BGP, the Bitcoin thief was able to redirect a portion of online traffic from legitimate currency-mining servers on one network to bogus servers on another network that masqueraded as the genuine one.
According to the researchers, the attacker specifically targeted a collection of Bitcoin mining “pools”: bitcoin-producing cooperatives in which users contribute the computing power of their systems in exchange for a share of the cryptocurrency the pool produces.
The bogus mining servers allowed miners to continue mining cryptocurrency, but the spoofed servers never issued any payouts to the miners. Instead, all payouts from the overall mining activity went straight into the pockets of the attacker. In a period of just four months, the attacker generated approximately $83,000 in cryptocurrency.
"The threat actor hijacked the mining pool, so many cryptocurrencies were impacted," the researchers write. "The protocols make it impossible to identify exactly which ones, but CTU researchers have mapped activity to certain addresses."
Beyond Bitcoin, the attacker also stole mining power to mine other cryptocurrencies, such as Dogecoin, HoboNickels and WorldCoin. According to the researchers, one small-time miner lost as many as 8,000 Dogecoins, equivalent to $1.53 in today's real-world dollars, as a result of the hack.
The team identified the activity after noticing that some of their own mining power was being stolen, and traced the malicious activity back to an Internet service provider (ISP) in Canada, which has not been named. However, it is still unclear exactly how the attacker gained access to the ISP's infrastructure to redirect users' mining power to their own pool.
"Unlike network routing protocols that can automatically initiate a connection from one network, both ends of BGP-connected networks (also known as 'peers') must be manually configured to communicate," the researchers write. "This requirement ensures malicious networks cannot hijack traffic without human intervention from a legitimate network."
To prevent similar attacks in the future, the researchers say network operators should opt in to the Resource Public Key Infrastructure (RPKI) service, which uses cryptographic certificates to verify the origin of BGP route announcements.
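To make the RPKI recommendation concrete, here is an added example (not code from the article or from SecureWorks) of the route origin validation check a BGP speaker performs against published Route Origin Authorizations, following RFC 6811. The ROAs, prefixes and AS numbers are constructed from documentation ranges; a hijacker's more-specific or wrong-origin announcement for a covered prefix is classified as invalid, while unregistered space is simply not found.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

RPKI lets a prefix holder publish a Route Origin Authorization (ROA) stating
which AS may originate a prefix and up to what prefix length. A router that
validates each BGP announcement against these Validated ROA Payloads (VRPs)
can drop a hijack that announces someone else's address space from the wrong
origin AS or as a more-specific prefix than the holder authorized.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    prefix: str      # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder allows to be announced
    asn: int         # AS number authorized to originate the prefix


# Constructed sample VRPs: documentation prefixes (RFC 5737) and documentation
# AS numbers (RFC 5398). They do not describe any real network or ROA.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 26, 64497),
]


def validate_route(prefix: str, origin_asn: int, vrps=SAMPLE_VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for an announcement."""
    route = ip_network(prefix)  # strict: rejects host bits set in the prefix
    covered = False
    for vrp in vrps:
        roa_net = ip_network(vrp.prefix)
        # Covered: same address family, VRP prefix no longer than the route's,
        # and the route lies inside the VRP prefix. maxLength is NOT consulted
        # here, so an over-long more-specific is still covered (hence invalid).
        if roa_net.version != route.version or roa_net.prefixlen > route.prefixlen:
            continue
        if not route.subnet_of(roa_net):
            continue
        covered = True
        # Matched: covered, within the authorized maxLength, and origin AS agrees.
        if route.prefixlen <= vrp.max_length and origin_asn == vrp.asn:
            return "valid"
    # Covered by at least one VRP but matched by none -> invalid (hijack shape);
    # covered by none -> not-found (no ROA published for this space).
    return "invalid" if covered else "not-found"
```

A router configured to drop "invalid" routes would refuse the spoofed announcement even though the peering session itself was legitimately configured, which is the gap the article describes.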
The researchers also recommend that cryptocurrency miners ensure their mining pool servers use the Secure Sockets Layer (SSL) encryption protocol, which prevents a connection from being silently redirected to an impostor server, even if that server presents the same IP address as the legitimate one.