Were Last Week’s $5m Ethereum Transactions Connected to a Ransom Attempt?

The Initial $2.5 Million to Move 0.55 in ETH

The ridiculously high transaction fees were first pointed out by ZenGo researcher Alex Manuskin on Twitter.

Source: Twitter

Various crypto outlets picked up Manuskin’s tweet soon after, with the crypto community’s curiosity stoked even further when Manuskin detected another insanely high transaction fee one day later from the same wallet.

Manuskin’s explanation for the freak Ethereum transaction fees was that there was a bug in the script used to automate payments out of the wallet. Other analysts agreed with this theory, including Ethereum developer FollowTheChain.

For others, the high fees were simply an accident. According to Cornell University’s Emin Gün Sirer, the sender of the transaction had simply mixed up the amount to send with the fee to pay.

Source: Twitter

Other people on crypto Twitter also highlighted money laundering as a possible explanation. Basically, this theory implies that the address holder wanted to send ETH ‘by mistake’ in the form of fees, so that they could receive ‘clean’ ETH or some other form of money at a later date.

Similarly, others suggested tax evasion, implying that the sender wanted to offload some funds in order to claim a loss, before regaining the ETH in the future.

Meanwhile, some commentators even combined explanations, with Ethereum developer Sebastian Bürgel claiming the fees resulted from a bug in a money-laundering bot.

Source: Twitter

However, the likeliest explanation for the fees is a hack, along with an attempted ransom.

This was the theory proposed by China-based analytics company PeckShield, which claimed that cybercriminals were able to partially hack into a then-unnamed exchange. Rather than having complete control over the exchange’s funds, they were able only to send transactions to white-listed addresses. As such, they sent transactions with excessive transaction fees, in order to blackmail the exchange into sending them money.

Bug vs Hack

Of course, not everyone buys this theory. Alex Manuskin himself disputes it in a blog post, claiming that, even if hacked, the affected exchange should be able to shut off transactions somehow.

That said, there are numerous reasons to think that the hack and ransom theory is the closest to the actual truth.

First of all, the other theories don’t stand up to closer scrutiny, or at least, don’t stand up to scrutiny as well as the hack theory.

For example, if the $5 million Ethereum transaction fees were the result of a bug, why did this bug produce only two abnormal transactions? After the first high-fee transaction, why didn’t all the other outgoing transactions feature unusually high fees?

Also, if the high fees were entirely innocent, and resulted simply from a bug, why didn’t the owner of the wallet come forward? Ethermine and SparkPool, the two Ethereum mining pools responsible for processing the two biggest fees, are now giving the excessive fees away to miners.

In other words, the wallet’s owner failed to come forward in time. Given that the wallet was sending and receiving an awful amount of Ethereum, you’d think its owners would be aware enough of Ethereum-related news to hear about the freak fees and come forward.

Likewise, the money-laundering and tax evasion theories aren’t credible. That is, if the senders of the two transactions wanted to launder money or evade tax, they’ve likely failed. With the fees now being distributed to Ethermine and SparkPool miners, it would seem that they’ve been fragmented to an extent where they’re no longer retrievable.

Admittedly, the hack theory has its own questions to answer. Most notably, how is it that there was a second high-fee transaction? Why didn’t the hacked exchange stop all outgoing transactions?

Well, according to Vitalik Buterin, the exchange may have lost control of its wallet or funds.

Further evidence has emerged more recently which provides further support for the hack theory. PeckShield posted an update on June 16, saying that it had identified the owner of the affected wallet. It named this owner as Good Cycle, a Korea-based P2P exchange “which appears to be a Ponzi Scheme [sic] project.” It had even confirmed this by depositing ETH with the exchange, which turned up in the same wallet from which the high-fee transactions had been sent.

PeckShield also found that Good Cycle’s “security is really lacking,” in that it uses HTTP rather than the much more secure HTTPS. Basically, it’s a sitting duck for a hack, while the apparent ransom may be attempted revenge by a victim of the scheme. What’s more, the fact that it’s allegedly a Ponzi scheme may account for why it was reluctant to come forward.

However, in a final twist of the tale, Good Cycle admitted on its website on June 17 to being hacked. In addition, its wallet sent transactions to SparkPool and Ethermine on the same day, with the message, “I am the sender”.

It would therefore seem that the mystery has now been solved. Still, cryptocurrency traders and holders should always keep in mind the moral of this strange story: always be careful when choosing an exchange to deal with, and keep your funds stored in your own wallets. Otherwise, you may end up getting burnt.