Using Graphistry and AnChain.ai to Uncover a Massive Ethereum Heist

Posted by Leo Meyerovich on September 5, 2018

 

Graph visualization has proven to be powerful for investigating almost any type of data, and most recently the team at Graphistry was able to help in uncovering a massive Ethereum heist on two of the world’s most popular DApps (distributed applications).

AnChain.ai and Graphistry recently partnered to investigate the world’s first publicly identified BAPT (Blockchain Advanced Persistent Threat). The investigation identified the BAPT-F3D hacker group, which was responsible for stealing 12,948 ETH (~ $4 million) between July and August 2018 from various vulnerable smart contract DApps. As of today, BAPT-F3D is still actively attacking.

 

Fomo3D and the Airdrop Vulnerability

AnChain.ai, which specializes in security for the blockchain ecosystem, analyzed the wildly popular game u201cFomo3Du201d ( the #1 DApp in July 2018) and its copycat u201cLast Winneru201d (the #5 DApp in August 2018). These games are DApps based on Ethereum Solidity smart contract and operate quite openly as Ponzi schemes or exit scams. At high level the game works as a lottery with players buying keys that reset the timer for a round. Keys continue to get more expensive over time, and eventually when the time runs out, the player who bought the last key wins the entire pot.

Additionally the game included another side-betting opportunity when a player buys their keys. When a player buys their keys they have a percentage chance to win an u201cairdropu201d to instantly win ETH from a growing sidepot. The more a player gambles on their chance, the more they stand to win. And this airdrop function is where things got interesting.The airdrop function contained a vulnerability, which allowed coordinated attackers to steal the equivalent of more than $4 million USD across both games in just a few days.

 

Finding the Industry’s First Blockchain APT

Combining Graphistry’s industry-leading GPU-powered investigation platform with AnChain.ai Situational Awareness Platform (SAP), AnChain.ai gained a holistic view of all millions of events and over 30,000 addresses related to the games. As a result, the AnChain team was able to identify the first known Blockchain Advanced Persistent Threat (BAPT), dubbed BAPT-F3D. This was the first known BAPT in blockchain history. Further bytecode artifacts similarity analysis by SECBIT Labs confirmed this BAPT group of 5+ addresses are strongly correlated, as likewise seen in the visualization.

inline_381_https://www.graphistry.com/hs-fs/hubfs/Anchain.gif?width=600&name=Anchain.gifFigure: Center white node – main contract; intermediate money sinks seen on path to APT accounts identified by anomalous high-volume behavior. Paths with many edges (transactions) are either killchain or benign use that are visually separated by their operational behavior.

The AnChain.ai SAP was able to identify the following traits related to BAPT-F3D:

  • Advanced: Leverages massive scale of sophisticated attack contracts to exploit a vulnerability in the u201cairdropu201d feature; Anti-Forensics capability that self-destructs the blockchain artifacts. Coordinated crime.

  • Persistent: Well planned, and operating continuously for weeks; Constantly upgrading attack contracts from V1 to V3. Moving from target to target

  • Threat: Financially motivated threat targeting specific smart contract DApps with similar vulnerabilities, stealing $4 millions worth of ETH and counting.

Impacts and Conclusions

Using knowledge graphs, AnChain.ai was able to document a new type of threat facing DApp owners, exchanges, and the growing blockchain ecosystem. For Graphistry, the analysis proved to be very similar to our work in anti-fraud and money-laundering investigations, although with very new and interesting twist. But most importantly, it shows the power of knowledge graphs and GPU-powered graph investigations to quickly expose the important connections and relationships across millions of pieces of data.

We think of this as the user interface for a world increasingly dependent on data, machine-learning, and AI. Analysts have similar needs whether investigating malware or phishing incidents, tracking the flow of illicit funds, fraud within a healthcare system, or hundreds of other data driven projects. Humans need to be able to see and understand what is in their data. They need AI and ML models to not be impenetrable black boxes. By bringing an interactive and investigative front end to these technologies, we hope to make them more accessible, usable, and ultimately deliver far more impactful analysis and applications.