The bitcoin blockchain has been hacked. But don't worry, there's no danger to the currency itself (at least, there doesn't seem to be at this stage).
In fact, 'hacking' may be a bit melodramatic as what has been happening is a bit more akin to digital graffiti. Let me explain.
The first person to make their mark on the Bitcoin blockchain was Satoshi Nakamoto, the name used by the cryptocurrencies founder (or founders). In a seemingly political statement, Nakamoto encoded a news headline in the Coinbase data field within the very first (or 'genesis') block. It simply read, “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.' The beauty of the blockchain is that, if you don't believe me, you can go and look it up on Blockchain or something similar and read it in black and white.
Four More Ways to Create a Permanent Message on the Blockchain
There are apparently six ways to add messages to the blockchain but we will focus on four of them (five if you count the Coinbase example above which is restricted to miners).
- Creating a Vanity Address
A Bitcoin vanity address is similar to a vanity plate on a car. It is a way to personalize your address by including meaningful strings of letters and numbers in place of some of the randomly generated characters in a standard Bitcoin address (e.g. 1LvBcoin). To generate a vanity address you can either download the software yourself (or use cloud computing resources) and – just like Bitcoin mining – set your PC the task of hashing your private and public keys until the address you want is produced. The more characters you want to personalize, the more resources this will require.
You can also use online services to generate the vanity address on your behalf but this can be risky, especially if you are required to divulge your private key (this should never be done!)
However, a vanity address is one way of sending very small messages – such as I love Bitcoin – on the blockchain for everyone to see whenever you make a transaction.
- Manually Add a Message to your Transaction
Obviously, a vanity address is a very limited tool for sending messages on the Bitcoin blockchain. For anything more than a few characters, the next method is better.
First, a disclaimer. This method requires paying a transaction fee. Furthermore, if you forget to add an amount into the 'change' field, you will be basically donating your remaining wallet funds to the miners.
To manually add a message to your Bitcoin transactions, you will first need to open up your client's console window (look under help and debug).
Full instructions are below, in the 'On the Web' section but the steps you have to follow are:
- List any unspent outputs
- Convert these into a hex value
- Create a transaction, adding a message of your choosing between the output hex and your address
- Add a change amount (your balance minus enough to cover the transaction fee)
- Sign the transaction
- Send the transaction
The string created will look meaningless on the outside but, when viewed using a block explorer, will reveal your hidden message.
- Use the OP_RETURN command
Many people in the blockchain community (especially miners) regard the above method as an irresponsible use of the blockchain since it bloats the network, destroys (burns) the currency and has to be monitored by mining software.
The OP_RETURN script was added as a response to these issues. It essentially allows users to include 40 bytes of arbitrary data (reduced from 80 bytes originally) but requires no 'non-dust' transaction fee and provides proof that the transactions are unspendable. These will then be ignored by miner nodes.
- Use an external site like Eternity Wall
The good news is that you don't have to do any of the above work to get a message onto the Bitcoin blockchain. Sites such as Eternity Wall provide online IT support to do it for you (using the OP_RETURN method).
For example, 'Heavy Metal never dies', 'Michael loves his girls forever – Christina, Evie, Minnie, Gigi & Livie!' and '20180521 love forever' were the latest additions to the wall at the time of writing this post.
As the name suggests, these messages will last as long as the Bitcoin blockchain does.
What about Adding Images and Artwork?
What if messages are not enough for you and you want to add some actual artwork onto the blockchain? Contrary to some of the media scare stories, there are no hidden illegal images on the blockchain. However, it is possible to send multiple fake transactions using the OP_RETURN method and to encode the hex values of image URLs there.
Simple images can also be directly encoded using ASCII art techniques. These both require processing to extract either the URL string or ASCII image but there is software that scans for information in the OP_RETURN field and returns what it finds there.
Dangers of Cross-Site Scripting
Up to this point, you would be forgiven for thinking that there is nothing to worry the casual cryptocurrency trader. After all, it's not as if you have to go running hexadecimal code strings through software programs. Or do you? In essence, this is exactly what you are doing whenever you use a cryptocurrency exchange via a browser window.
One such exchange left its users' private keys unwittingly exposed when it tried to add some user-friendly functionality into its smart contract code. The EtherDelta exchange used the risky technique of web injection to display the name of unlisted ERC20 altcoins rather than a meaningless contract address. Unfortunately, they failed to protect their code from XSS (cross-site scripting), a hacking technique which uses web injection to pull executable code from one site to another. A hacker, posing as an altcoin creator, convinced investors to visit a link which then caused the browser to execute a script which located and harvested their private keys.
Although the loophole has now been patched, it provides a useful warning to cryptocurrency users to be always on their toes when it comes to securing their transactions.
To summarize, there is a lot more on the Bitcoin blockchain than (we assume) was originally intended. Along with genuine transactions we have messages of love, news headlines, poems and more than a few profanities. Some transactions are sent to and from addresses that are, of themselves, messages – just like vanity plates. There are also links to images and even embedded ASCII images. While scare stories about the presence of illegal images seem to be vastly exaggerated, there is a real danger from cross-site scripting when using insecure cryptocurrency exchanges.
Brent Whitfield is the CEO of Los Angeles IT Service provider DCG Technical Solutions Inc. DCG offer hosting for Bitcoin mining operations among other services. DCG provides specialist advice and IT Consulting Los Angeles area businesses need to remain competitive and productive while being sensitive to limited IT budgets. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters and Yahoo Business. https://www.dcgla.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP mentor. Follow on Twitter at @DCGCloud.
On The Web
- Demonstration of manual addition of a message to a Bitcoin transaction https://medium.com/blockchain-education-network/how-to-write-stuff-on-the-blockchain-bdae1704f24d
- Academic study of data injection techniques on the blockchain https://digitalcommons.augustana.edu/cgi/viewcontent.cgi?article=1000&context=cscfaculty
- EtherDelta XSS Case Study https://hackernoon.com/how-one-hacker-stole-thousands-of-dollars-worth-of-cryptocurrency-with-a-classic-code-injection-a3aba5d2bff0
- Blockchair blockchain explorer https://blockchair.com
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
- Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
- Blog2022.10.12Vulnerability management with Wazuh open source XDR
- Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
- Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky