Hacker Learn the Hard Way after Spending Whole Day Hacking Pigeoncoin
As ZDNet reports how a hacker who spends an entire day trying to find a vulnerability in the source code of the Pigeoncoin cryptocurrency to steal 235 million PGN tokens and ended up realizing that it worth a mere $15,000.
According to users of the BitcoinTalk forums, the hack took place on September 27, and they spotted the suspicious blockchain activity, and later traced it to a user named “mrsandman1.”
The attacker didn’t exploit a Pigeoncoin vulnerability, but a bug in the Bitcoin code found and fixed eight days before, on September 19. That bug –CVE-2018-17144– was one of the most critical bugs in the history of the Bitcoin network.
The bug, if it would have been exploited, would have allowed an attacker to crash Bitcoin network nodes and create a situation of a “51% attack,” which, in turn, could have allowed an attacker to perform a double-spend attack that would have generated unmerited funds for the assailant.
The ZDNet reports, while the bug was fixed with urgency in the Bitcoin code, it would take some time before all the smaller Bitcoin-based cryptocurrencies would be in a position to apply the fix to their own code.
“Copycat currencies are at risk. By definition, there’s always a group upstream that knows their vulnerabilities,” said, at the time, Emin Gün Sirer, a professor at Cornell University and a renowned cryptographer and cryptocurrency expert.
This is exactly what appears to have happened with Pigeoncoin, whose developers failed to integrate the upstream fix for the CVE-2018-17144 Bitcoin bug.
They only patched the bug after the hacker had already gained access to 235 million PGN coins, just over 25 percent of all the PGN coins on the market –923 million.
The only reason why this hack didn’t yield more money for the hacker was that Pigeoncoin is one of the least traded and least known cryptocurrencies on the market, with one PGN being valued at a lowly $0.000066 and Pigeoncoin’s entire market cap being a laughable $60,000
If the hacker would have paid attention to these details, he wouldn’t have wasted a day hacking a cryptocurrency that nobody uses and is barely traded anywhere.
All the major Bitcoin-offshoot cryptocurrencies, like Litecoin, have already ported the fix to codebases, but there are many more that have not yet applied the CVE-2018-17144 patch and are likely vulnerable.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.