How Much 3 Hours of Amazon Inaction Cost Cryptocurrency Holders $235,000

Amazon recently lost control of a block of the IP addresses it uses to host its cloud services and took more than three hours to regain it, a window that allowed hackers to steal $235,000 in cryptocurrency from users of one of the affected customers, an analysis shows.

The hackers took control of approximately 256 IP addresses by hijacking BGP, a form of attack that exploits known weaknesses in a core Internet protocol. Short for Border Gateway Protocol, BGP is the specification that the organizations routing Internet traffic, known as autonomous system networks (ASNs), use to exchange reachability information with one another. Despite its essential role in routing wholesale amounts of data around the globe in real time, BGP still relies heavily on the Internet equivalent of word of mouth: other networks largely take an ASN's word for which IP address blocks belong to it.
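The "word of mouth" weakness has a standard technical countermeasure: Route Origin Validation (ROV), in which a network compares each BGP announcement against a signed Route Origin Authorization (ROA) table published through RPKI and drops announcements whose origin AS is not authorized for the prefix. The following is an added illustration, not code from the article or from any of the networks it names. The ROA table and announcement list are constructed for the example; the only values taken from the article are the hijacked /24 (44.235.216.0/24), the expected origin AS16509 and the announcing AS209243. Whether Amazon actually publishes a ROA for that prefix is not stated on the page and is assumed here only for the demonstration.

```python
"""Route Origin Validation (RPKI-style) over constructed BGP announcements."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may announce prefix, and any
    sub-prefix whose length does not exceed max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


# Constructed ROA table ("<prefix> <maxlen> AS<asn>"); the AS16509 entry is an
# assumption made for this example, the AS64500 entry uses documentation space.
ROA_TABLE = """
# prefix            maxlen  origin
44.235.216.0/24     24      AS16509
198.51.100.0/24     24      AS64500
"""


def load_roas(text: str) -> list[ROA]:
    roas = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, max_len, asn = line.split()
        roas.append(ROA(ipaddress.ip_network(prefix), int(max_len),
                        int(asn.removeprefix("AS"))))
    return roas


ROAS = load_roas(ROA_TABLE)


def validate(announced_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one announcement as RFC 6811 does: valid, invalid or not-found."""
    net = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas if net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this space, so ROV cannot judge it
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"         # wrong origin AS, or a prefix more specific than maxlen


# Constructed announcements as (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("44.235.216.0/24", 16509),    # legitimate origin
    ("44.235.216.0/24", 209243),   # the hijack described in the article
    ("198.51.100.0/25", 64500),    # right AS, but more specific than maxlen allows
    ("203.0.113.0/24", 64496),     # no ROA at all
]


def audit(announcements=ANNOUNCEMENTS, roas=ROAS) -> list[tuple[str, int, str]]:
    """Run every announcement through validate() and return the verdicts."""
    return [(p, asn, validate(p, asn, roas)) for p, asn in announcements]


if __name__ == "__main__":
    for prefix, asn, state in audit():
        print(f"{prefix:18} AS{asn:<7} {state}")
```

A router applying ROV would reject the second announcement outright. The third case is the one practitioners most often get wrong: an announcement from the right AS is still invalid if it is more specific than the ROA's maximum length, which is exactly the trick a hijacker uses to win the longest-prefix-match. The fourth case shows the limit of the control: where no ROA exists, ROV says nothing, so publishing ROAs for your own space is what makes other networks able to protect you.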

A case of mistaken identity

Last month, autonomous system 209243, which belongs to the UK network operator Quickhost.uk, suddenly started announcing that its infrastructure was the right path for other ASNs to reach a /24 block of IP addresses belonging to AS16509, one of at least three ASNs operated by Amazon. The hijacked block included 44.235.216.69, an IP address that hosts cbridge-prod2.celer.network, a subdomain serving a critical smart contract user interface for the Celer Bridge cryptocurrency exchange.

On August 17th, the attackers first used the hijack to obtain a TLS certificate for cbridge-prod2.celer.network: because traffic for the subdomain now reached them, they could demonstrate to the GoGetSSL certificate authority in Latvia that they controlled it. Once in possession of the certificate, the attackers hosted their own smart contract on the same domain and waited for visits from people trying to reach the real Celer Bridge cbridge-prod2.celer.network page.
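The certificate step is the part of this incident a domain owner can see from the outside: publicly trusted CAs log every certificate they issue to Certificate Transparency (CT), so a monitor that watches the logs for its own hostnames will notice a certificate from a CA it never uses within minutes, long before the three-hour window closes. The following is an added illustration of that check, not code from the article or from Coinbase or Celer. The log entries, the entry ids and the issuer labels are constructed (the issuer strings are free-form labels, not real CA subject names); the only page-derived value is the monitored hostname cbridge-prod2.celer.network.

```python
"""Flag Certificate Transparency entries for protected hostnames whose issuer
is not on the domain owner's expected-issuer allowlist."""

# Issuers the domain owner expects for its hostnames (constructed label).
EXPECTED_ISSUERS = {"Example DV CA (expected)"}
MONITORED = {"cbridge-prod2.celer.network"}

# Constructed CT log entries, in the shape a monitor holds after parsing the
# leaf certificate's issuer and Subject Alternative Names.
CT_ENTRIES = [
    {"id": "ct-0001", "issuer": "Example DV CA (expected)",
     "names": ["cbridge-prod2.celer.network"]},
    {"id": "ct-0002", "issuer": "Some Other DV CA",
     "names": ["cbridge-prod2.celer.network"]},
    {"id": "ct-0003", "issuer": "Some Other DV CA",
     "names": ["*.celer.network"]},          # wildcard also covers the host
    {"id": "ct-0004", "issuer": "Some Other DV CA",
     "names": ["unrelated.example"]},        # not ours, ignore
]


def name_covers(cert_name: str, host: str) -> bool:
    """True if a SAN entry (exact name or single-label wildcard) covers host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        # RFC 6125 wildcard: matches exactly one leftmost label.
        return (host.endswith(cert_name[1:])
                and host.count(".") == cert_name.count("."))
    return False


def unexpected_issuances(entries=CT_ENTRIES, monitored=MONITORED,
                         expected=EXPECTED_ISSUERS) -> list[str]:
    """Return ids of certificates that cover a monitored host but were issued
    by a CA outside the allowlist; these are the entries to investigate."""
    flagged = []
    for entry in entries:
        covers = any(name_covers(n, h) for n in entry["names"] for h in monitored)
        if covers and entry["issuer"] not in expected:
            flagged.append(entry["id"])
    return flagged


if __name__ == "__main__":
    for cert_id in unexpected_issuances():
        print("investigate:", cert_id)
```

CT monitoring is a detective control; its preventive counterpart is a CAA record (RFC 8659) on the domain that names the CAs allowed to issue for it, which a compliant CA checks before issuance regardless of where the hostname's traffic is being routed. Wildcard handling matters in the monitor because a certificate for *.celer.network covers the phished subdomain without naming it.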

In total, the malicious contract drained $234,866.65 from 32 accounts, according to an article by the Coinbase Threat Intelligence Team.

Coinbase team members explained:

The phishing contract closely resembles the official Celer Bridge contract, mimicking many of its attributes. For any method not explicitly defined in the phishing contract, it implements a proxy structure that forwards calls to the legitimate Celer Bridge contract. The proxy contract is unique to each chain and is configured at initialization. The command below illustrates the contents of the storage slot responsible for the phishing contract proxy configuration:

Figure: Proxy storage for phishing smart contracts (Coinbase TI analysis)

The phishing contract steals users’ funds using two approaches:

  • Any tokens accepted by phishing victims are leaked using a custom method with a 4-byte value 0x9c307de6()
  • The phishing contract nullifies the following methods designed to immediately steal a victim’s tokens:
    • send() – used to steal tokens (eg USDC)
    • sendNative() – used to steal native assets (eg ETH)
    • addLiquidity() – used to steal tokens (eg USDC)
    • addNativeLiquidity() – used to steal native assets (eg ETH)

Below is an example of a reverse-engineered fragment that redirects assets to the attacker’s wallet:

Figure: Phishing smart contract fragment (Coinbase TI analysis)
