Would it be possible to frontrun the hacker's transaction by quickly broadcasting an extremely high fee transaction from the bait address? They would not only reveal their intrusion, but they'd actually lose money, and some of the bait could be recovered
Sort of. If using Ethereum for example, you could run your own ETH node and frontrun any transactions trying to transfer ETH out of one of your wallets.
The attacker wouldn't lose money because they're using that wallet to pay the fees, so you'd be the only one paying the transaction fee. Also, if this became a standard, it's possible that attackers would find ways around it (it kind of becomes an arms race to see who can bribe miners the most).
If your wallet contains no ETH, but contains for example, USDC, then they have to transfer their own ETH in to make a transaction to extract the USDC. This would work in theory, but it's such a common way to scam/hack people already that most attackers would be able to sniff out the honeypot.
The typical scam is "leaking" the private key for a wallet that has, say, $30 of some valuable token in it (e.g. on reddit, discord, anywhere that less technical users congregate). When users import the key and realize they can transfer the token out, they only need to deposit some ETH to the wallet first to pay for gas fees. But when they do that, a script automatically sends the ETH somewhere else.
Personally I see this being a potentially valuable way to manage servers, and also pay a non-critical bug bounty to black-hats. Each server can have its own crypto wallet, and the amount you fund it with varies based on how critical it is. If a compromise of one system occurs, you know immediately where the compromise occurred based on the address.
The attacker gets a payday, and you get a lead on something you need to patch.
Interesting, thank you. And to avoid most risk, maybe the hackers could just mine the thieving transaction themselves?
The hackers could operate a miner which privately adds that transaction every time it tries to solve a block, but broadcasts it only when they successfully got the block. It could be running for days before it succeeds, because there's probably no urgency. They can take all the fees, and it's difficult to frontrun because nobody knows the theft is happening until the block is already solved and it's almost too late.
I mean it's not like they're risking a massive amount of ETH on the first try, but if they saw it get stolen the first time, sure, they might try sniping the token by running/bribing a miner if the payout was great enough (there are networks of miners that let you include transactions without getting front-run by paying them a fee)
You are correct. Actually in practice it is far less complicated to achieve this, at least for Ethereum. You can simply use the Flashbots RPC to bundle your transaction and have it sent straight to a miner. No exposure to the public mempool = no frontrunning possible, and no need to run your own miner/validator.
You're right. As sibling comment says, in many cases, the attacker would attempt to pay the fee with funds from the address they were robbing. Though some token transfers might require the attacker to add their own funds. I was mistaken about that part.
The point of this type of honeypots is to entice the blackhats to just take the crypto and walk away. Making it harder for them to walk away with the money would be counter-productive.
Old situation: blackhats sticks around for weeks or even months, exfiltrate data, blackmail, install crypto miners, etc.
With crypto honeypot: blackhats take the crypto and leaves.
With rigged crypto honeypots that are actually not redeemable:
>on the hacker forums:
>Guy A: "I tried to take the bitcoins from Corp A's honeypot wallet, but they broadcasted a high fee transaction and beat me to it."
>Guy B: "Funny, same thing happened to me last week with Corp B's wallet."
>Guy A: "Guess it's back to the old blackmail method then."
Yes, all correct. But if you offer a CEO the option of a defense that is just as effective, but also steals part of the bait money back? If the potential long-term cost is only hurting the corporation's reputation with a shadowy hacking group, and reducing the effectiveness of the defensive technique for everyone?
Bottom line: I think we can guess which option a CEO would usually choose
Remember that this method works best when it's not obvious that it is a tripwire, and may be best of all when it acts as a bribe to a greedy individual within a group of hackers.
I don't know, it seems like if the corporation sent a high fee transaction they have already been alerted that their defenses need to be raised. so your attack vector has limited efficacy as it might be closed. the hackers need to have the foresight to sit in the server and accumulate other blackmail, but also not lose the chance to take the bitcoin bounty based on another hacker finding it.
Being able to efficiently support extremely large accountable multisignatures, e.g. a 1 of 1024 multi-signature for compromise detecting wallets was an explicit goal of the most recent bitcoin signature system.
The cost of using bitcoin for compromise detection is much lower when you can just have one moderate value coin and then have a different key on each server.
You can have a wallet where a master key holder can spend from it at no additional cost than an ordinary single key wallet, but where any of thousands of detection wallets can also spend the coins but paying for 32*log2(wallets) additional weight in transaction fees, which is pretty modest for any realistic number of detection wallets... the resulting transaction will reveal which wallet was used to take the coins.
It's a relatively cost effective approach-- if you're not compromised you lose only the time value / volatility value of holding a modest amount of bitcoin. If you are compromised, you'll lose the coins but you gain a useful notification of the compromise.
Sure, but instead lose the entire value when the "stablecoin" provider inevitably walks off with the value or has it all seized (or collapses, as is the case for the automated stable coin ponzi schemes). You also now have to inject that the hacker has to value the asset and figure out how to spend it.
Anybody else noticing how much of a fever dream this website is?
There are no usernames, only unnerving AI-generated portraits?
I can upvote things by using a currency I earn by listening to music that randomly starts playing backwards?
> Two digital people can mate and produce a child inside of Celody.
> This process occurs through music - where the parents' data is compared and generates an infinite stream.
> If the humans listening to this stream like the music, they can have the digital people reproduce.
> The digital child then inherits a mix of data of their parents.
The OP's first submission was a "Show HN" for Celody, and since then they've submitted a bunch of these. I'm just trying to figure out if the "author" of this post has had any digital music babies yet.
e: Wow, stumbled on this:
> Once a post has been staked and is live, it is open to judgment. Every post has a binary agree/disagree (or like/dislike) set of buttons. If you agree with the post, you send tokens with the "agree" button. If you disagree, you send tokens after pressing the "disagree" button. Critically, the quantity of tokens sent matters. The more tokens, the more impact it has on the Stakedy algorithm. These tokens also act as a reward to the poster.
Sounds like web3 will be algorithmically provoking outrage even more effectively than web2!
I think I'm gonna just take a pause on the discussion side of the internet for a long long time now. This website was just too uncanny, and now I can't help but imagine there isn't anything actually genuine left on the web that I'd be able to discover at least. Why rely on actual users when you can just generate posts that cater to whatever product you intend to market? Eventually its going to just make too much sense to cut the users out and remove the possibilities of edge cases of them posting disagreeable stuff that undermines your business in some way. The race to the bottom is here. We have arrived. Back to real life I go.
Honestly I love it. It seems like some kind of surreal cyberpunk art project. The only thing a little disappointing is the blasé rounded rectangle web design
I think this misses the "punk" aspect of cyberpunk tho. The point of cyberpunk isn't the dystopia it is set in but the rejection of that dystopia from within it.
The term here is a canary, it is a useful deception technique for sure but current approaches to advanced adversaries focus on purple teaming + threat hunting. They are not mutually exclusive, just pointing out deception tech has been around for a very long time.
My question for the OP is, what happens when acutal users start using the wallet? I wonder if these approaches work at small companies though. In large companies (50k+ endpoints and users) this would be an almost regular source of false positive alerts.
I keep an eye out for any new process connecting to a mining pool domain for example, there is always some guy somewhere runing a python trading bot or something.
hard to say, because attempting to cash in on your new-found SHA-256 exploit by mining a ton of blocks could quickly tip off others and tank the price of Bitcoin.
Better to sit on the exploit and wait until you can break ECDSA too, run off with Satoshi's private key 8-).
hard to say, because attempting to cash in on your new-found SHA-256 exploit by mining a ton of blocks could quickly tip off others and tank the price of Bitcoin
So short BTC rather than invest in it, and then do it.
Besides, there are plenty of people who would tank BTC just for fun, or to prove its bad somehow, or just to annoy the Winklevoss twins...
But the issue is we know who the main top 6 miners are, and they're all known farms and pools. We know that's not true otherwise there would be some little guy with giga hashrate suspiciously still mining blocks. It wouldn't be hard to spot from a mile away.
even if you had the theoretical quantum computer with enough qubits to derive private keys, you would be better off just taking some people's coins or transactions so that people will victim blame them based on assuming they have poor OPSEC instead of tipping off that the system is compromised
I saw a pitch for a security startup (the name escapes me) that did exactly this. They put like ten thousand dollars in a bitcoin wallet and hide it on all your end users machines. The idea being that an attacker will cash out the wallet giving you a heads up you are breached before they move on to ransomware or whatever.
I remember that startup too, but they apparently have awful SEO because I have been trying to find them for like 10 minutes and can't. There's a lesson for founders here.
That key word being _before_. A savvy attacker could be taking note of the private keys as they went; cashing out the Bitcoin only when the customer data has been fully pilfered and the ransomware installed.
I suppose the balancing act here is in ensuring the Bitcoin amount is enticingly large enough to get an attacker to jump on it first?
It’s not worth it, because there’s a risk of the money being moved to another wallet if the intrusion is discovered. You want to take the money the instant you can.
At least to me, it's like putting a $100 bill under a business' doormat to ward off burglars who know that there's 3 to 4 orders of magnitude more money and assets inside if they break in.
It's a nice bonus, but if they're working with other people for high stakes payouts, a small amount of money like that isn't going to be worth it for them to move on. $10k is nothing when split between other people and when you can demand hundreds of thousands to millions otherwise.
I don't want to be the Hacker who as to go to Putin to explain that their nation-state sponsored hack was caught and failed because they were trying to make 10 grand on the side.
So, this won't help much against nation-state attacks.
Not everyone has the sole aim of protecting themselves from nation-state attacks. And for the ones that do have the aim, few things will actually protect you, as they basically have infinitive ways of getting in and failing technical vectors, they have legal ones too.
> They put like ten thousand dollars in a bitcoin wallet and hide it on all your end users machines. The idea being that an attacker will cash out the wallet giving you a heads up you are breached before they move on to ransomware or whatever.
wow that is the craziest justification i have heard so far for sustaining a planet-eating, nightmare 'currency'
Hi everyone… just a quick intro, we are BitTrap, the company you are referring to in multiple posts of this thread…. Criticism on SEO is noted and acknowledged…we’ll fix that.
Regarding the Stakedy article, that is exactly what we do: BitTrap is a blockchain-based intrusion detection system that provides alarms when a system was compromised. We do so by granting hackers an economic incentive (bounty) in crypto to reveal their position within the organization's network and dissuade them to continue the attack therefore minimizing their dwell time in the system.
We calculate the right economic incentive by running tests in our Lab to replicate possible outcomes in diverse situations and we also protect pretty much any device you can think of (even offline devices) becoming a real Universal Intrusion Detection System.
As we don’t want to get pitchy here, we’ll just leave some reference links to let you find out more about us: www.bittrap.com
Why not a more traditional honeypot? Setup a machine to look like is holding valuable information, but since no real information is on there during normal activity there is no connection to the machine. When something tries to connect to the machine, raise an alert.
Or just put the password to a normal bank account? Or leave some credit card numbers and the answers to security questions around? I again can't see what reason is to use cryptocurrency here.
Bank accounts often trigger SMS validation, bank transfers can be reverted by the banks, and the recipient of the transaction is known, at least for the “Know your customer” act.
Some attackers are not financially motivated (think state actors).
And even if they are, they bait crypto needs to be valuable enough. If the attacker expects to extract $1 mil of value from the hack, you will not deter with a $10k crypto bounty.
Some sanctioned countries are financially motivated. But they also tend to sit on zero-day exploits worth billions so they probably don’t want to be detected before evidence is destroyed completely. They will be very careful what to do.
Seems like one challenge to this would be keeping people with legit access away from it. Ie if you hide it in the billing folder, and sue in accounting knows, then tells her boyfriend who “hacks” her laptop that she left open for a bit to get the keys.
73 comments
[ 166 ms ] story [ 1692 ms ] threadThe attacker wouldn't lose money because they're using that wallet to pay the fees, so you'd be the only one paying the transaction fee. Also, if this became a standard, it's possible that attackers would find ways around it (it kind of becomes an arms race to see who can bribe miners the most).
If your wallet contains no ETH, but contains for example, USDC, then they have to transfer their own ETH in to make a transaction to extract the USDC. This would work in theory, but it's such a common way to scam/hack people already that most attackers would be able to sniff out the honeypot.
The typical scam is "leaking" the private key for a wallet that has, say, $30 of some valuable token in it (e.g. on reddit, discord, anywhere that less technical users congregate). When users import the key and realize they can transfer the token out, they only need to deposit some ETH to the wallet first to pay for gas fees. But when they do that, a script automatically sends the ETH somewhere else.
Personally I see this being a potentially valuable way to manage servers, and also pay a non-critical bug bounty to black-hats. Each server can have its own crypto wallet, and the amount you fund it with varies based on how critical it is. If a compromise of one system occurs, you know immediately where the compromise occurred based on the address.
The attacker gets a payday, and you get a lead on something you need to patch.
The hackers could operate a miner which privately adds that transaction every time it tries to solve a block, but broadcasts it only when they successfully got the block. It could be running for days before it succeeds, because there's probably no urgency. They can take all the fees, and it's difficult to frontrun because nobody knows the theft is happening until the block is already solved and it's almost too late.
What do you mean? The only outcome is that the company loses money due to giving it to miners.
Old situation: blackhats sticks around for weeks or even months, exfiltrate data, blackmail, install crypto miners, etc.
With crypto honeypot: blackhats take the crypto and leaves.
With rigged crypto honeypots that are actually not redeemable:
>on the hacker forums:
>Guy A: "I tried to take the bitcoins from Corp A's honeypot wallet, but they broadcasted a high fee transaction and beat me to it."
>Guy B: "Funny, same thing happened to me last week with Corp B's wallet."
>Guy A: "Guess it's back to the old blackmail method then."
Bottom line: I think we can guess which option a CEO would usually choose
Remember that this method works best when it's not obvious that it is a tripwire, and may be best of all when it acts as a bribe to a greedy individual within a group of hackers.
The cost of using bitcoin for compromise detection is much lower when you can just have one moderate value coin and then have a different key on each server.
You can have a wallet where a master key holder can spend from it at no additional cost than an ordinary single key wallet, but where any of thousands of detection wallets can also spend the coins but paying for 32*log2(wallets) additional weight in transaction fees, which is pretty modest for any realistic number of detection wallets... the resulting transaction will reveal which wallet was used to take the coins.
It's a relatively cost effective approach-- if you're not compromised you lose only the time value / volatility value of holding a modest amount of bitcoin. If you are compromised, you'll lose the coins but you gain a useful notification of the compromise.
Articles from this site have been posted on here before, lots of commenters don't even notice.
e: Wow, stumbled on this:
> Once a post has been staked and is live, it is open to judgment. Every post has a binary agree/disagree (or like/dislike) set of buttons. If you agree with the post, you send tokens with the "agree" button. If you disagree, you send tokens after pressing the "disagree" button. Critically, the quantity of tokens sent matters. The more tokens, the more impact it has on the Stakedy algorithm. These tokens also act as a reward to the poster.
Sounds like web3 will be algorithmically provoking outrage even more effectively than web2!
In a windows network, I highly recommend using honey hashes: https://github.com/EmpireProject/Empire/blob/master/data/mod... that is if you don't have windows defender credential guard on.
My question for the OP is, what happens when acutal users start using the wallet? I wonder if these approaches work at small companies though. In large companies (50k+ endpoints and users) this would be an almost regular source of false positive alerts.
I keep an eye out for any new process connecting to a mining pool domain for example, there is always some guy somewhere runing a python trading bot or something.
Better to sit on the exploit and wait until you can break ECDSA too, run off with Satoshi's private key 8-).
So short BTC rather than invest in it, and then do it.
Besides, there are plenty of people who would tank BTC just for fun, or to prove its bad somehow, or just to annoy the Winklevoss twins...
Definitely more excitement in upsetting some major stakeholders, though.
I'm pretty sure ANY movement on that stash would lead to an amazing drop in price too.
even if you had the theoretical quantum computer with enough qubits to derive private keys, you would be better off just taking some people's coins or transactions so that people will victim blame them based on assuming they have poor OPSEC instead of tipping off that the system is compromised
I suppose the balancing act here is in ensuring the Bitcoin amount is enticingly large enough to get an attacker to jump on it first?
It's a nice bonus, but if they're working with other people for high stakes payouts, a small amount of money like that isn't going to be worth it for them to move on. $10k is nothing when split between other people and when you can demand hundreds of thousands to millions otherwise.
But besides, in remote environment it is easier to be that guy who grabs the money and runs. $10k is $10k for a single person.
wow that is the craziest justification i have heard so far for sustaining a planet-eating, nightmare 'currency'
Regarding the Stakedy article, that is exactly what we do: BitTrap is a blockchain-based intrusion detection system that provides alarms when a system was compromised. We do so by granting hackers an economic incentive (bounty) in crypto to reveal their position within the organization's network and dissuade them to continue the attack therefore minimizing their dwell time in the system.
We calculate the right economic incentive by running tests in our Lab to replicate possible outcomes in diverse situations and we also protect pretty much any device you can think of (even offline devices) becoming a real Universal Intrusion Detection System.
As we don’t want to get pitchy here, we’ll just leave some reference links to let you find out more about us: www.bittrap.com
We have a few whitepapers and articles you may also find interesting: https://www.bittrap.com/resource/articles-whitepapers
Let us know if you’d like more info or detail. Thanks for the (indirect) mention :)
Jony BitTrap CEO
you can either set-up your own honeypots or, if you want a turn-key solution there's great tools like https://canary.tools/
Even hear stories, people hack providers, to fix some things, constantly not fixed by official support.
And even if they are, they bait crypto needs to be valuable enough. If the attacker expects to extract $1 mil of value from the hack, you will not deter with a $10k crypto bounty.