The Blockchain Bandit is Back After 5 Years, Moves $172 Million in Ethereum

Wallets linked to the infamous ‘Blockchain Bandit’ attacker have reportedly become active after being dormant for over five years. According to crypto investigator ZachXBT, the attacker consolidated 51,000 ETH worth over $172 million from 10 different wallets to a single multi-sig wallet.

Who is the Blockchain Bandit Hacker? 

ZachXBT’s analysis showed that all 10 wallet addresses used in today’s transfer were last active in 2018. This means the attacker has decided to access these funds for the first time in over five years.So, who is this Blockchain Bandit? For those new to crypto, it’s likely to be an unfamiliar name. However, for long-term crypto enthusiasts, it was one of the most gripping and concerning names back in 2018. 

The infamous “Blockchain Bandit“ is a pseudonym for an attacker who systematically exploited weak private keys on the Ethereum blockchain to steal cryptocurrency. He became popular by simply guessing the private keys of several vulnerable wallets and stealing millions in funds. 

The attacker scanned the Ethereum network for wallets secured by weak, non-random, or poorly generated private keys. These keys were often the result of programming errors or faulty implementations of cryptographic libraries.

The Blockchain Bandit used automated scripts to search the blockchain for vulnerable addresses. When a weak key was identified, the attacker quickly transferred funds from the wallet to their own address. In most cases, it would be days before the owner became aware of the theft. 

Overall, the hacker was able to steal more than 50,000 ETH using this simple technique from over 10,000 wallets. The name ‘Blockchain Bandit’ came from a WIRED feature back in 2019 that revealed the pattern of this attack.During that time, a security analyst named Adrian Bednarek identified how the bandit used a pre-generated list of keys to automate scanning and withdraw funds from vulnerable wallets in seconds.

“You see, on Ethereum, private keys are 256-bit numbers. Brute-forcing one is basically impossible. But some wallets were using terrible random number generators, creating weak private keys. Think: password123 or an empty recovery phrase. One key was literally… ‘1’. The Bandit didn’t just target bad private keys. He also exploited: Weak passphrase-based wallets (like “Brainwallets”) and Misconfigured Ethereum nodes. His approach made him nearly unstoppable,” wrote Web3 analyst Pix. 

Why is the Attacker Active again After Five years? 

Although these particular wallets became active today for the first time since 2018, some of the other wallets were used to move funds back in January 2023 and purchase Bitcoins.Nonetheless, today’s transfer marked the biggest consolidation of all the stolen ETH funds from the attacker. This could indicate several things. 

Firstly, moving funds into a multi-signature wallet could indicate the attacker is preparing for a large transaction or series of transactions. This might include laundering the funds through mixers, decentralized exchanges, or other tools to obscure their origins.

Also, consolidating funds could be a prelude to liquidating some or all of the ETH. Notably, liquidating such large amounts of ETH in the current market could raise concerns about Ethereum’s short-term price. 

On the other hand, the attacker may anticipate favorable market conditions, such as a surge in ETH prices, to maximize the value of their stolen holdings during liquidation.

However, most concerningly, The consolidated ETH could be used to finance further exploits. For instance, funding transaction fees for a new series of attacks or enabling operations on other blockchain networks.

Overall, the possibility of such an infamous hacker becoming active again could be a concern for the crypto space. We’ve already seen the industry lose $2.3 billion in 2023, a massive 40% increase from 2023. Ethereum was also the hardest hit network among these attacks.