Last week we reported about the EtherDelta DNS hack that saw attackers compromise the DNS servers of the exchange and take users to a malicious server.
At the time, the guidance was to avoid logging into the site. Users were told that their funds were safe if they did not enter the private keys.
However, one week after the exchange was compromised, users are still getting their coins stolen. This is happening irrespective of whether they have entered their details or not.
False Sense of Security
The hack was initially disclosed by EtherDelta as a DNS hack that had been able to snag at least 308 ETH from unfortunate users.
This was no doubt quite a sophisticated scam as the attacker was able to set up a fake address and site that looked nearly identical to the real EtherDelta site.
Users who only accessed the site through MyEtherWallet and Metamask were told that they were not affected by the hack.
However, this appears to have been misleading information.
According to a number of users on Twitter, the attack may have been much more damaging than was initially suspected. One of those who raised the alarm was “Tommy World Power”.
If you have funds on @Etherdelta I would move them off now! I just had a large amount stolen from my account a few hours ago. Do not use the same accounts you have used before the hack, even with metamask (which I thought I was safe because that's what I was using).
— Tommy World Power (@TommyWorldPower) December 26, 2017
This tweet came six days after the hack, and he said he had not been worried because he thought that using Metamask was safe.
Tommy has since been really busy trying to track down the hacker who was able to snatch his coins. He has reached out to Binance and has also placed a bounty of $100,000 for information.
More Victims Come Forward
After Tommy was able to disclose the theft of his coins, numerous other users started reporting similar thefts.
The Twitter account of EtherDelta was inundated with angry users who could not believe that they were initially told that their funds were safe on the exchange.
For example, one user responded to the tweet by EtherDelta claiming that his funds were stolen even though he did not use the site when the hack took place.
I lost all my tokens from myetherwallet in spite of not using etherdelta when it was hacked and it was only today the hacker has stolen most of the tokens which were in the money. Do not know how he got my private key when metamask is also on
— balaji (@balajisi63) December 25, 2017
This can mean one of two things. Either the site was compromised much earlier than initially thought, or the hackers have access to users' private keys.
Both of these scenarios are quite terrifying.
An Active Hacker
The address that the funds were sent to had previously been flagged as a “Fake_Phishing306” address. This means that the hacker had taken part in a number of phishing scams before.
Phishing scams are really common in cryptocurrencies as they rely on users not noticing that a domain is wrong or that a page looks suspicious.
In this case, the hackers controlled the domain itself, so they were able to make an extremely convincing phishing site. At last count, the hacker's address held over $4.9m.
Another Lesson in Security
Many were of the view that a decentralised exchange would have numerous security benefits over their centralised counterparts and were much less likely to be hacked.
This is clearly an unfortunate occurrence for adherents of that view.
In this case, the hacker was able to take advantage of another centralised attack target: the DNS servers. The hope is that when Ethereum Name Service domains are released, this kind of attack could be prevented.
Keeping money on an exchange exposes the trader to a number of risks that they may end up regretting.