Rob Behnke
June 25th, 2024
The security of your blockchain account depends on the security of your private keys. Anyone with access to your private key can generate a digital signature for a transaction that steals the crypto from a blockchain account or exploits its permissions to hurt a project and its users.
Individuals and blockchain projects alike are at risk of cybercriminals targeting them to steal their private keys.
Below is a list of the 7 most common ways that blockchain private keys are hacked:
Phishing attacks are by far the most common way that blockchain private keys are compromised. These attacks can occur in various ways, including emails pretending to be from legitimate projects, hacked social media accounts (Discord, Twitter/X, etc.), and fake airdrops.
Typically, these phishing messages direct users to a malicious website that requires them to connect a wallet to receive an airdrop or take some other action. Once they enter their private key into the page, the phisher can use it to generate transactions draining the user’s account.
Malware is commonly spread via phishing attacks; however, this isn’t the only way to get infected by malware. Cybercriminals have also used paid ads on Google to spread malware and may use more targeted social engineering attacks to hook a high-value target.
Once installed on a user’s device, malware can steal private keys in various ways. It might search the filesystem for files and data likely to contain these keys. Alternatively, it could monitor the keyboard and clipboard for users entering seed phrases or copy-pasting a private key.
Malware can also be used to redirect transactions without access to the private key. For example, clipboard hijacking malware might monitor for a copied blockchain address on the system clipboard and replace it with the attacker’s address, sending the crypto to them instead.
Many blockchain users don’t practice self-custody. Instead, they use a third-party service to manage their private keys and generate transactions on their behalf.
This means that users need to remember and enter a password rather than a private key. Since people commonly use weak and reused passwords, this can be an easier target for an attacker to guess or steal via a phishing attack. With access to the user’s password, the attacker can log into their custodial provider to access private keys or generate malicious transactions.
Private keys are sensitive information that needs to be protected. However, they also need to be relatively accessible, at least for hot wallets, to allow users to generate and digitally sign transactions on the blockchain.
Often, blockchain users opt for ease of access over security. Private keys may be stored in a file on a computer. Or the user might save a printed copy of a seed phrase used to access a blockchain account. Some proud new crypto owners have even posted pictures of their Bitcoin ATM receipts or partial seed phrases on social media. All of these errors in private key storage may lead to an attacker gaining access to the user’s wallet and stealing the crypto within.
Private keys are supposed to be randomly generated values. With a length of 256 bits, the probability of an attacker guessing the key is astronomically low. However, there have been cases where keys were guessed anyway, such as the Blockchain Bandit, who stole funds from 10,000+ user wallets in 2015 and 2016.
These types of hacks are made possible by weak private key generation. In some cases, programs designed to generate blockchain keys used a weak source of randomness to do so. As a result, they generated private keys in a small, easily searchable range of values. This is the mistake that likely enabled the Blockchain Bandit and was the issue behind the Profanity Address hacks.
Another common issue is users generating weak keys to make them easier to remember. The length of a blockchain private key — 256 bits — is also the output length of many widely-used hash functions. While using the hash of a memorable word or phrase seems like an easy way to remember a private key, it also makes these keys easily guessable for an attacker who tries the same scheme.
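A key-hygiene check for the two weaknesses described above (keys confined to a small range, and keys derived by hashing a memorable phrase), added here as an example and not taken from the original article. It assumes a secp256k1 chain such as Bitcoin or Ethereum; `generate_key`, `audit_key` and the four-phrase list are illustrative names and constructed sample data.

```python
import hashlib
import secrets

# Group order of secp256k1 (assumed curve); valid private keys lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample list; a real audit would load a large phrase/password list.
SAMPLE_PHRASES = ("password", "satoshi", "bitcoin", "correct horse battery staple")


def generate_key() -> bytes:
    """Draw a private key uniformly from [1, N-1] using the OS CSPRNG."""
    return (secrets.randbelow(SECP256K1_N - 1) + 1).to_bytes(32, "big")


def audit_key(key: bytes, phrases=SAMPLE_PHRASES, min_bits: int = 128) -> list:
    """Return the reasons to reject a private key; an empty list means none found."""
    if len(key) != 32:
        return ["not 32 bytes long"]
    findings = []
    value = int.from_bytes(key, "big")
    if not 1 <= value < SECP256K1_N:
        findings.append("outside the valid range [1, N-1]")
    # A generator with a weak randomness source tends to emit values confined
    # to a small range, which shows up as long runs of leading zero bits.
    if value.bit_length() < min_bits:
        findings.append(f"only {value.bit_length()} significant bits")
    # A "memorable" key built by hashing a phrase is reproducible by anyone
    # who hashes the same phrase.
    if any(hashlib.sha256(p.encode()).digest() == key for p in phrases):
        findings.append("equals SHA-256 of a known phrase")
    return findings


if __name__ == "__main__":
    samples = {
        "CSPRNG key": generate_key(),
        "small-range key": (123456).to_bytes(32, "big"),
        "hashed phrase": hashlib.sha256(b"satoshi").digest(),
    }
    for label, key in samples.items():
        print(f"{label}: {audit_key(key) or 'no findings'}")
```

An empty result only means the key passed these specific checks; it does not prove the generator that produced it was sound.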
In addition to phishing attacks, some cybercriminals perform highly targeted social engineering attacks designed to steal private keys. One common pretext used by the Lazarus Group is pretending to make an enticing job offer to a developer or other team member of a target project.
As part of the interview process, the attacker will send the developer a document or tell them to download and run some program for an assessment. When they do so, malware will be installed on their system that steals their private keys and those of the project that they work for.
Cloud storage might seem like an odd place to store private keys, but it’s a surprisingly common source of breaches for blockchain projects. One example is the Mixin Network, which lost $200 million due to a hack of its cloud service provider.
These projects might have been using the cloud provider’s secret management provider or storing backups and other files in the cloud. If their cloud infrastructure is compromised by an attacker due to weak/compromised passwords, insecure configurations, or other issues, then attackers can get inside and access these secrets as well.
Private key security is essential to protecting your blockchain account. Anyone with your key can steal your crypto, so implementing best practices such as multi-sig wallets and cold storage is always a good idea. For more information about how to protect yourself and your digital assets, check out our blog on how to keep your keys safe.
However, private key theft isn’t the only security risk that you face. If you sign a malicious transaction without verifying it, then the attacker doesn’t need your private key to steal your crypto. For more information on developing a security program to protect your blockchain project, get in touch with Halborn.