73 comments

[ 166 ms ] story [ 1692 ms ] thread
Would it be possible to frontrun the hacker's transaction by quickly broadcasting an extremely high fee transaction from the bait address? They would not only reveal their intrusion, but they'd actually lose money, and some of the bait could be recovered
Sort of. If using Ethereum for example, you could run your own ETH node and frontrun any transactions trying to transfer ETH out of one of your wallets.

The attacker wouldn't lose money because they're using that wallet to pay the fees, so you'd be the only one paying the transaction fee. Also, if this became a standard, it's possible that attackers would find ways around it (it kind of becomes an arms race to see who can bribe miners the most).

If your wallet contains no ETH, but contains for example, USDC, then they have to transfer their own ETH in to make a transaction to extract the USDC. This would work in theory, but it's such a common way to scam/hack people already that most attackers would be able to sniff out the honeypot.

The typical scam is "leaking" the private key for a wallet that has, say, $30 of some valuable token in it (e.g. on reddit, discord, anywhere that less technical users congregate). When users import the key and realize they can transfer the token out, they only need to deposit some ETH to the wallet first to pay for gas fees. But when they do that, a script automatically sends the ETH somewhere else.

Personally I see this being a potentially valuable way to manage servers, and also pay a non-critical bug bounty to black-hats. Each server can have its own crypto wallet, and the amount you fund it with varies based on how critical it is. If a compromise of one system occurs, you know immediately where the compromise occurred based on the address.

The attacker gets a payday, and you get a lead on something you need to patch.

Interesting, thank you. And to avoid most risk, maybe the hackers could just mine the thieving transaction themselves?

The hackers could operate a miner which privately adds that transaction every time it tries to solve a block, but broadcasts it only when they successfully got the block. It could be running for days before it succeeds, because there's probably no urgency. They can take all the fees, and it's difficult to frontrun because nobody knows the theft is happening until the block is already solved and it's almost too late.

I mean it's not like they're risking a massive amount of ETH on the first try, but if they saw it get stolen the first time, sure, they might try sniping the token by running/bribing a miner if the payout was great enough (there are networks of miners that let you include transactions without getting front-run by paying them a fee)
You are correct. Actually in practice it is far less complicated to achieve this, at least for Ethereum. You can simply use the Flashbots RPC to bundle your transaction and have it sent straight to a miner. No exposure to the public mempool = no frontrunning possible, and no need to run your own miner/validator.
>but they'd actually lose money

What do you mean? The only outcome is that the company loses money due to giving it to miners.

You're right. As sibling comment says, in many cases, the attacker would attempt to pay the fee with funds from the address they were robbing. Though some token transfers might require the attacker to add their own funds. I was mistaken about that part.
(comment deleted)
The point of this type of honeypots is to entice the blackhats to just take the crypto and walk away. Making it harder for them to walk away with the money would be counter-productive.

Old situation: blackhats sticks around for weeks or even months, exfiltrate data, blackmail, install crypto miners, etc.

With crypto honeypot: blackhats take the crypto and leaves.

With rigged crypto honeypots that are actually not redeemable:

>on the hacker forums:

>Guy A: "I tried to take the bitcoins from Corp A's honeypot wallet, but they broadcasted a high fee transaction and beat me to it."

>Guy B: "Funny, same thing happened to me last week with Corp B's wallet."

>Guy A: "Guess it's back to the old blackmail method then."

Yes, all correct. But if you offer a CEO the option of a defense that is just as effective, but also steals part of the bait money back? If the potential long-term cost is only hurting the corporation's reputation with a shadowy hacking group, and reducing the effectiveness of the defensive technique for everyone?

Bottom line: I think we can guess which option a CEO would usually choose

Remember that this method works best when it's not obvious that it is a tripwire, and may be best of all when it acts as a bribe to a greedy individual within a group of hackers.

I don't know, it seems like if the corporation sent a high fee transaction they have already been alerted that their defenses need to be raised. so your attack vector has limited efficacy as it might be closed. the hackers need to have the foresight to sit in the server and accumulate other blackmail, but also not lose the chance to take the bitcoin bounty based on another hacker finding it.
For ETH currently you could just use flashbots for front running protection
Could also be the bounty for disclosing the hack at the same time.
Being able to efficiently support extremely large accountable multisignatures, e.g. a 1 of 1024 multi-signature for compromise detecting wallets was an explicit goal of the most recent bitcoin signature system.

The cost of using bitcoin for compromise detection is much lower when you can just have one moderate value coin and then have a different key on each server.

You can have a wallet where a master key holder can spend from it at no additional cost than an ordinary single key wallet, but where any of thousands of detection wallets can also spend the coins but paying for 32*log2(wallets) additional weight in transaction fees, which is pretty modest for any realistic number of detection wallets... the resulting transaction will reveal which wallet was used to take the coins.

It's a relatively cost effective approach-- if you're not compromised you lose only the time value / volatility value of holding a modest amount of bitcoin. If you are compromised, you'll lose the coins but you gain a useful notification of the compromise.

You can also use stablecoins and avoid the volatility value.
Sure, but instead lose the entire value when the "stablecoin" provider inevitably walks off with the value or has it all seized (or collapses, as is the case for the automated stable coin ponzi schemes). You also now have to inject that the hacker has to value the asset and figure out how to spend it.
(comment deleted)
stablecoin value so dubious, even the attacker won't touch them :)
USDC is managed by Blackrock, one of the largest asset managers in America, and audited by the Big 4.
Anybody else noticing how much of a fever dream this website is? There are no usernames, only unnerving AI-generated portraits? I can upvote things by using a currency I earn by listening to music that randomly starts playing backwards?

  > Two digital people can mate and produce a child inside of Celody.
  > This process occurs through music - where the parents' data is compared and generates an infinite stream. 
  > If the humans listening to this stream like the music, they can have the digital people reproduce.
  > The digital child then inherits a mix of data of their parents.
Way more interesting than the article.
The OP's first submission was a "Show HN" for Celody, and since then they've submitted a bunch of these. I'm just trying to figure out if the "author" of this post has had any digital music babies yet.

e: Wow, stumbled on this:

> Once a post has been staked and is live, it is open to judgment. Every post has a binary agree/disagree (or like/dislike) set of buttons. If you agree with the post, you send tokens with the "agree" button. If you disagree, you send tokens after pressing the "disagree" button. Critically, the quantity of tokens sent matters. The more tokens, the more impact it has on the Stakedy algorithm. These tokens also act as a reward to the poster.

Sounds like web3 will be algorithmically provoking outrage even more effectively than web2!

I think I'm gonna just take a pause on the discussion side of the internet for a long long time now. This website was just too uncanny, and now I can't help but imagine there isn't anything actually genuine left on the web that I'd be able to discover at least. Why rely on actual users when you can just generate posts that cater to whatever product you intend to market? Eventually its going to just make too much sense to cut the users out and remove the possibilities of edge cases of them posting disagreeable stuff that undermines your business in some way. The race to the bottom is here. We have arrived. Back to real life I go.
Is this where I'm actually allowed to say "I regret that I have only one upvote to give"?
I wonder if there is a German word for "realizing that everyone in the forum is a robot except for you".
Honestly I love it. It seems like some kind of surreal cyberpunk art project. The only thing a little disappointing is the blasé rounded rectangle web design
I think this misses the "punk" aspect of cyberpunk tho. The point of cyberpunk isn't the dystopia it is set in but the rejection of that dystopia from within it.
(comment deleted)
(comment deleted)
This is really funny, this article itself might have been AI generated and an actual viable thing for humans and robots to implement alike.
The term here is a canary, it is a useful deception technique for sure but current approaches to advanced adversaries focus on purple teaming + threat hunting. They are not mutually exclusive, just pointing out deception tech has been around for a very long time.

In a windows network, I highly recommend using honey hashes: https://github.com/EmpireProject/Empire/blob/master/data/mod... that is if you don't have windows defender credential guard on.

My question for the OP is, what happens when acutal users start using the wallet? I wonder if these approaches work at small companies though. In large companies (50k+ endpoints and users) this would be an almost regular source of false positive alerts.

I keep an eye out for any new process connecting to a mining pool domain for example, there is always some guy somewhere runing a python trading bot or something.

Another thought: you can be reasonably sure SHA-256 isn't broken because Bitcoin essentially put out a bounty for it.
hard to say, because attempting to cash in on your new-found SHA-256 exploit by mining a ton of blocks could quickly tip off others and tank the price of Bitcoin.

Better to sit on the exploit and wait until you can break ECDSA too, run off with Satoshi's private key 8-).

hard to say, because attempting to cash in on your new-found SHA-256 exploit by mining a ton of blocks could quickly tip off others and tank the price of Bitcoin

So short BTC rather than invest in it, and then do it.

Besides, there are plenty of people who would tank BTC just for fun, or to prove its bad somehow, or just to annoy the Winklevoss twins...

Good point, but there could be even more money in calmly 'mining' away at a realistic rate.

Definitely more excitement in upsetting some major stakeholders, though.

But the issue is we know who the main top 6 miners are, and they're all known farms and pools. We know that's not true otherwise there would be some little guy with giga hashrate suspiciously still mining blocks. It wouldn't be hard to spot from a mile away.
(comment deleted)
> run off with Satoshi's private key

I'm pretty sure ANY movement on that stash would lead to an amazing drop in price too.

sort of, its a prisoner's dilemma

even if you had the theoretical quantum computer with enough qubits to derive private keys, you would be better off just taking some people's coins or transactions so that people will victim blame them based on assuming they have poor OPSEC instead of tipping off that the system is compromised

I saw a pitch for a security startup (the name escapes me) that did exactly this. They put like ten thousand dollars in a bitcoin wallet and hide it on all your end users machines. The idea being that an attacker will cash out the wallet giving you a heads up you are breached before they move on to ransomware or whatever.
I remember that startup too, but they apparently have awful SEO because I have been trying to find them for like 10 minutes and can't. There's a lesson for founders here.
That key word being _before_. A savvy attacker could be taking note of the private keys as they went; cashing out the Bitcoin only when the customer data has been fully pilfered and the ransomware installed.

I suppose the balancing act here is in ensuring the Bitcoin amount is enticingly large enough to get an attacker to jump on it first?

It’s not worth it, because there’s a risk of the money being moved to another wallet if the intrusion is discovered. You want to take the money the instant you can.
If someone or a group is going to hit businesses with ransomware, they're looking to get more than $10k.
That's 100% guaranteed $10k now vs. ransom maybe (how do you know if they have backup) paid some time later.
There's a pretty high payout rate.
At least to me, it's like putting a $100 bill under a business' doormat to ward off burglars who know that there's 3 to 4 orders of magnitude more money and assets inside if they break in.

It's a nice bonus, but if they're working with other people for high stakes payouts, a small amount of money like that isn't going to be worth it for them to move on. $10k is nothing when split between other people and when you can demand hundreds of thousands to millions otherwise.

I do not think literally hundreds of people work on these hacks.

But besides, in remote environment it is easier to be that guy who grabs the money and runs. $10k is $10k for a single person.

You could also just rotate the private keys every week or month by policy, and make sure attackers know it's at least likely you're doing this.
Even better, rotate at random intervals.
I don't want to be the Hacker who as to go to Putin to explain that their nation-state sponsored hack was caught and failed because they were trying to make 10 grand on the side. So, this won't help much against nation-state attacks.
Not everyone has the sole aim of protecting themselves from nation-state attacks. And for the ones that do have the aim, few things will actually protect you, as they basically have infinitive ways of getting in and failing technical vectors, they have legal ones too.
> They put like ten thousand dollars in a bitcoin wallet and hide it on all your end users machines. The idea being that an attacker will cash out the wallet giving you a heads up you are breached before they move on to ransomware or whatever.

wow that is the craziest justification i have heard so far for sustaining a planet-eating, nightmare 'currency'

we’ve been offering a similar service for the past year at: bittrap.com
Hi everyone… just a quick intro, we are BitTrap, the company you are referring to in multiple posts of this thread…. Criticism on SEO is noted and acknowledged…we’ll fix that.

Regarding the Stakedy article, that is exactly what we do: BitTrap is a blockchain-based intrusion detection system that provides alarms when a system was compromised. We do so by granting hackers an economic incentive (bounty) in crypto to reveal their position within the organization's network and dissuade them to continue the attack therefore minimizing their dwell time in the system.

We calculate the right economic incentive by running tests in our Lab to replicate possible outcomes in diverse situations and we also protect pretty much any device you can think of (even offline devices) becoming a real Universal Intrusion Detection System.

As we don’t want to get pitchy here, we’ll just leave some reference links to let you find out more about us: www.bittrap.com

We have a few whitepapers and articles you may also find interesting: https://www.bittrap.com/resource/articles-whitepapers

Let us know if you’d like more info or detail. Thanks for the (indirect) mention :)

Jony BitTrap CEO

If you want to have alarms for successful intrusions, there are much cheaper ways of doing it than this :)

you can either set-up your own honeypots or, if you want a turn-key solution there's great tools like https://canary.tools/

How does one prevent an employee stealing it anonymously?
Great question, though I suppose we already have "how does one prevent an employee installing ransomware himself?"
Why not a more traditional honeypot? Setup a machine to look like is holding valuable information, but since no real information is on there during normal activity there is no connection to the machine. When something tries to connect to the machine, raise an alert.
From experience, seen hackers who hack for some other reasons than to just steal some money from one machine.

Even hear stories, people hack providers, to fix some things, constantly not fixed by official support.

Or just put the password to a normal bank account? Or leave some credit card numbers and the answers to security questions around? I again can't see what reason is to use cryptocurrency here.
Bank accounts often trigger SMS validation, bank transfers can be reverted by the banks, and the recipient of the transaction is known, at least for the “Know your customer” act.
Yes and crypto exchanges following "Know your customer" will also refuse to withdraw funds without those things. It's no different.
ICYMI @grugq has been talking about this type of canary for years.
Some attackers are not financially motivated (think state actors).

And even if they are, they bait crypto needs to be valuable enough. If the attacker expects to extract $1 mil of value from the hack, you will not deter with a $10k crypto bounty.

Some sanctioned countries are financially motivated. But they also tend to sit on zero-day exploits worth billions so they probably don’t want to be detected before evidence is destroyed completely. They will be very careful what to do.
Seems like one challenge to this would be keeping people with legit access away from it. Ie if you hide it in the billing folder, and sue in accounting knows, then tells her boyfriend who “hacks” her laptop that she left open for a bit to get the keys.
(comment deleted)