A college freshman is coming after your cryptocurrency – but not to steal your coins, just to prove that someone could do so pretty easily.
According to a crypto enthusiast and security researcher going by the handle “geocold51,” most small-scale cryptocurrencies are at risk from the industry’s most feared vulnerability – the 51% attack. During this attack, a miner takes over more than half of a cryptocurrency’s mining power, which then allows them to erase a past transaction and replace it with another transaction – called a double spend.
While the ecosystem that’s been built up around bitcoin and other top-tier cryptos make them resistant to these kinds of attacks, other cryptocurrencies with less of a community of miners aren’t as secure.
Sure enough, on smaller coins, these kinds of attacks are getting more common. In a new report, Group-1B found $20 million worth of crypto theft accomplished with such attacks in 2018, as TNW reported.
On Saturday, October 13, geocold51 decided to display just how easy it was – livestreaming his attempt to 51% attack Bitcoin Private, a crypto with close to a $47 million market cap (at the time of writing).
Speaking to CoinDesk, geocold51 said, if a cryptocurrency can be so easily attacked, “it’s sort of a misvalue of a given currency by different investors.”
Geocold51 estimates he spent $100 to get to the point where he could have done a demonstration double spend on bitcoin private, but he stopped because his livestream got pulled.
Just to be clear, geocold51 wasn’t interested in stealing, and so he set up the demonstration where he’d send the bitcoin private he owned to two different wallets he owned. In that way, no user or exchange provider gets ripped off.
For him, it’s about displaying that many coins are vulnerable and, therefore, perhaps vastly over-valued.
That said, he estimates that to make a profit off a 51% attack, it would cost a malicious attacker roughly double – so around $200 – to buy some bitcoin on an exchange with his bitcoin private and then make another transaction on the longer chain that invalidates the first transaction, giving him his bitcoin private coins back and leaving the exchange coming up short.
While going through the exchange process costs more, the 51% attack has still become quite economical due to the rise of cloud computing. According to geocold51, without access to cloud mining, an attack like he did on bitcoin private would have cost him about $100,000 in hardware.
“Nicehash and the ability to rent hashing power fundamentally changes the landscape of 51% attacks,” geocold51 told CoinDesk, adding:
“If there’s not a lot of hashing power to secure it, but there is a lot of value associated with it, that’s where you can do a 51% attack.”
Because geocold51 announced the livestream on Reddit (the post got 1500 upvotes and 60,000 views, he said), the attempted attack got quite a bit of attention – even dogecoin creator Jackson Palmer tweeted about watching.
Still, the livestream didn’t work exactly as planned, and because of that, geocold51 said he would run a complete attack later. He told CoinDesk he will do it without a stream this week and release a recording of his demonstration on YouTube shortly after.
The young security researcher’s handle might remind some of another security guru.
According to geocold51, he was inspired by one of the most legendary hackers of recent years: geohot, who famously jailbroke the original iPhone, which means the restrictions on carriers and apps were removed.
These days, geohot likes to livestream himself searching for vulnerabilities.
And geocold51 figured he could start doing the same within the cryptocurrency ecosystem.
Geocold51 has a good knowledge of crypto. Back when GPU hardware was still lucrative for hobbyist miners, geocold51 mined quite a bit of bitcoin. He then began trading money on Cryptsy, before the exchange’s CEO allegedly walked away with millions of dollars in its user’s money.
In that, he lost nearly all his bitcoin.
But he still remained interested in the space, and continued to study up on how it all worked. And as the industry divided into hundreds and thousands of different cryptocurrencies, geocold51 thought he might be able to shine some light on the security pitfalls.
And others were interested in that too. His Reddit post about the challenge garnered 1500 upvotes and over Twitch, he received $888 in donations.
What’s also interesting is that bitcoin private wasn’t his first target.
Instead, geocold51 had intended to go after einsteinium, a volunteer-run litecoin fork with a $19 million market cap and $598,000 in trading volume per day, at the time of this writing.
He announced his intent publicly, and as he got ready for the attack, commenters within his Twitch feed noted that the cryptocurrency’s hash rate was spiking.
Because he had announced the attack in advance, the einsteinium community boosted the hash rate because it was worried that such an attack could cause a chain split and create a second blockchain that people could get stuck on, according to Ben Kurland, one of the project’s board members. At that time, einsteinium was in the middle of a wallet upgrade. If users or exchanges did not upgrade their wallets in time, the blockchain split could have caused property loss.
Seeing the increased hash power, geocold51 decided to attack bitcoin private instead.
According to geocold51, he got over 600 views during the Twitch livestream, before Twitch shut the stream down. The team at Twitch, he said, temporarily suspended him under the “attempts of threats of harm” section of its community guidelines.
He got another livestream up on Stream.Me a half-hour later.
Once broadcasting there, he was able to hire miners through Nicehash to mine bitcoin private. In fact, he almost immediately mined a block. And in very little time, he was controlling more than 50 percent of the hash power on the blockchain.
Pretty soon an account called “CommunityWatch” popped up in the stream and wrote: “Just a quick question: I’m assuming everything we are doing here is legal?”
Minutes later, geocold51’s video feed on Stream.Me cut out.
Geocold51 told CoinDesk that he had already gotten about two-thirds of the hash rate on bitcoin private. He’d transmitted his first transaction to a second wallet he controlled. And he had written another transaction onto an offline chain that went to a third wallet he controlled.
He was about to send this longer chain to the network, but since the whole point was to show people the attack could be done easily, he stopped once the livestreams shut off.
Still, geocold51 is determined to follow through with his mission, and so will record his next attack to share on YouTube soon.
And while this vulnerability is likely to be worrying to many in the community, geocold51 noted that there is another way these coins are protected based on cryptocurrency game theory.
If someone tried to sell any significant volume of the coins, their price would likely plummet, since the community isn’t robust enough and doesn’t have huge amounts of liquidity. As such, geocold51 argued, even if it is easy to buy hash power and take over a network, it might not be feasible to make a lot of money from an attack.
Nevertheless, geocold51 is committed to continuing, using the donations he received to maybe even try to 51% attack more cryptocurrencies as well.
In fact, he told CoinDesk, he may intentionally attack some cryptocurrencies that have set up preventative measures for 51% attacks, to test them in production. For instance, the team developing Horizen (formerly zencash) believes it’s found a way to disincentivize 51% attacks by introducing certain miner penalties.
Geocold51 said he would be happy to fail against some of these measures.
Running the demonstrations privately and adding some production value on the final recording will likely make for more edifying content, according to geocold51, but he’s still a bit disappointed that his original plan didn’t pan out.
To CoinDesk, he concluded:
“There is something kind of neat about it being live.”
Twitch, Stream.Me and bitcoin private’s teams did not reply to a request for comment for this story.
UPDATE (25 October 14:46 UTC): This story has corrected the number of views on the Twitch stream.
Hand shadow on keyboard image via Shutterstock