‘Blockchain bandit’ exploits weak private keys
by Graham Buck
A study into potential vulnerabilities affecting the security of cryptocurrency Ethereum (ETH) has uncovered a heist by a ‘blockchain bandit’, who was able to exploit weak private keys and empty accounts.
The loss was discovered accidentally by security experts at the firm Independent Security Evaluators (ISE) while performing an assessment for a cryptocurrency client. They examined several weak private keys—beginning with the overly simple key of 0x01—and discovered on the blockchain that its associated wallet had been emptied, as had happened with hundreds of similarly simple keys. The hacker, they found, had been funnelling ETH from these keys.
To test how quickly their blockchain bandit was working, the ISE team sent the equivalent of a dollar’s worth of the cryptocurrency to the address associated with one of these weak private keys and found that the bandit instantly sent it to another account. By managing to steal ETH using these guessable weak keys, the bandit—possibly a group rather than an individual—managed to amass a fortune.
“We discovered that funds from these weak-key addresses are being pilfered and sent to a destination address belonging to an individual or group that is running active campaigns to compromise/gather private keys and obtain these funds,” the ISE researchers wrote in a just-published paper on their findings.
“On January 13, 2018, this ‘blockchain bandit’ held a balance of 37,926 ETH valued at $54,343,407.”
Unknown perpetrator
The ISE researchers suggest a couple of ways that the weak keys could have been generated. One possibility is that a coding error truncated what should have been a longer key; another, as ISE senior security analyst Adrian Bednarek explained to Wired magazine, is a wallet that let users choose their own keys.
“While it is improbable that a weak key would ever be generated under legitimate circumstances using the appropriate code paths, we hypothesised that weak private keys may still be generated by coding mistakes, or operating system, device, and execution environment errors, and that these issues are common,” ISE researchers wrote in their paper.
Bednarek told Wired magazine he does not know the identity of the mastermind behind this Ethereum-looting operation, but said he “wouldn’t be surprised if it’s a state actor, like North Korea, but that’s all just speculation.” Likewise, the ISE team cannot identify which wallets are associated with the weak keys – only that they are being robbed.
Bednarek added that the losses should act as a wake-up call for both wallet developers and their users, who should ensure they use a trusted wallet.