Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for port 8545 to find insecure geth clients running Ethereum nodes and, at that time, stole 3.96234 units of Ethereum cryptocurrency (Ether).
However, researchers now noticed that another cybercriminal group have managed to steal a total 38,642 Ether, worth more than $20,500,000 at the time of writing, in past few months by hijacking Ethereum wallets of users who had opened their JSON-RPC port 8545 to the outside world.
Geth is one of the most popular clients for running Ethereum node and enabling JSON-RPC interface on it allows users to remotely access the Ethereum blockchain and node functionalities, including the ability to send transactions from any account which has been unlocked before sending a transaction and will stay unlocked for the entire session.
address, where all the stolen funds have been collected:
By simply searching this address on the Internet, we found dozens of forums and websites where users have posted details of similar incidents happened with them, describing about the same account address hackers used to stole their funds from the insecurely configured Ethereum nodes.
According to an advisory issued by Ethereum Project three years ago, leaving the JSON-RPC interface on an internet-accessible machine without a firewall policy opens up your cryptocurrency wallet to theft "by anybody who knows your [wallet] address in combination with your IP."
NetLab researchers warned that not only the above-mentioned cybercriminal group but other attackers are also actively scanning the Internet for insecure JSON-RPC interface to steal funds from cryptocurrency wallets.
"If you have honeypot running on port 8545, you should be able to see the requests in the payload. Which has the wallet addresses. And there are quite a few ips scanning heavily on this port now," 360 Netlab tweeted.Users who have implemented Ethereum nodes are advised only to allow connections to the geth client originating from the local computer, or to implement user-authorization if remote RPC connections need to be enabled.