
Finding a source for seed phrases
While I won’t disclose the exact source of the seed phrases I used for credential stuffing, I’ll leave it to the reader to find their favorite source of leaked user credentials online. At last check, about 100 data breaches are publicly disclosed every day, and about 550,000,000 breached passwords are already in circulation. For the source of that number, and to see whether your own password is among them, check out .
For my test, I used a subset of about 4,000,000 passwords drawn from a 420,000,000-password dataset.
Checking a million wallets overnight
The next challenge I had was creating and checking millions of wallets quickly — and cheaply.
My first attempt was a single-threaded NodeJS app that checked balances. It worked, but each round trip (read a seed phrase from a file, check the balance, record the outcome) took about 1 second.
At that rate, 4,000,000 wallets would take about 46 days. That was just too slow. Enter AWS to the rescue.
Using a producer/consumer model, I wrote a Lambda function that takes a seed phrase from an SQS message, derives a private key from it, and then checks the balance of the . It then writes the result of the balance query to CloudWatch Logs.
The producer was a multi-threaded NodeJS application run from the command line of my local machine; it read local password files and sent the candidates to SQS in batches. This let me enqueue many potential seed phrases every second, and because the queue decouples uploading from checking, the balance checks ran in parallel across Lambda invocations instead of one at a time on my machine.
For about $50, I checked 4,000,000 wallets in under a day, never exceeding 100 concurrent Lambda invocations. The numbers are consistent: at roughly 1 second per check, 100 concurrent invocations give about 100 checks per second, or about 8,600,000 per day. In other words, this was very cheap, and with invocations throttled a little further it would fit inside the Free Tier of an AWS account.
Finding my first vulnerable wallet
About 6 hours into the run I found my first with a balance, showing that credential stuffing does work in practice against . While the balance was nowhere near the scale of the unknown bandit's, the mere existence of a balance suggests that this attack vector had not yet been tried: anyone running it earlier would already have emptied the wallet.
I then continued to find vulnerable wallets at a rate of about 1 per million guesses (a rough figure, given only a handful of hits in 4,000,000 checks). At that rate, the full set of roughly 550,000,000 known breached passwords would yield a few hundred wallets with balances…on alone.
The existence of even one with a balance means that neither the bandit nor any state-level actor is currently scanning chains with known breached credentials to steal funds; if they were, those wallets would already be empty.
Published at Mon, 29 Apr 2019 23:33:01 +0000