Blockchain security firm presents the full report on Ethereum Classic’s 51% attack

Yesterday, blockchain security research firm Slowmist released an analytical report on the full implications of the recent 51% attack against Ethereum Classic. The report claims that several exchanges were affected by the attack.

According to Slowmist, the attack – which occurred at 19:58:15 UTC on January 5, 2019 – went unnoticed for several days. Numerous exchanges, including Coinbase, Bitrue, and, lost funds to the attacker in the process. Slowmist’s investigative analysis, which focused largely on Bitrue, found that the initial attack had originated from the following address: 0x24fdd25367e4a7ae25eef779652d5f1b336e31da.

Attack initiated with coins from Binance

Some 5,000 ETC coins were transferred from Binance to the same address and then moved to a mining node. The mining node in block 7254430 initiated a deposit to Bitrue of 4,000 ETC coins. However, this transaction is no longer available in the longest chain of the network. Slowmist did find that the funds were sent to the Bitrue address 0x2c9a81a120d11a4c2db041d4ec377a4c6c401e69.

Bitrue tweeted that an Ethereum Classic (ETC) 51% Attack was detected. The attacker tried to withdraw 13,000 ETC from our platform, but was stopped. The tweet additionally shared an image containing details of the transactions.

Following a similar pattern, another 9,000 ETC coins were transferred to Bitrue. Following the initial move, the hacker later transferred the funds to safe addresses. The attack was simple. By harnessing enough hashpower, the attacker was able to create and erase a number of transactions from the chain. In so doing, the hacker was able to double his funds by moving the coins to other addresses before transferring the original coins to safety.

Coinbase one of the victims of the attack

According to Slowmist, Coinbase and the other affected cryptocurrency exchanges started blacklisting the attacker’s addresses once they became aware of the attack. Upon blacklisting the addresses, the attacks finally came to a stop on January 8, 2019.

Slowmist listed two addresses that were involved in the attack:



At the time of writing, the two addresses now have over 53,000 ETC combined. However, the attacker will find it hard to liquidate these tokens, as most exchanges have banned any transactions originating from these accounts.

On January 8th, Marshall Long made the bold claim that he possesses information concerning the attacker’s identity.

Exchanges need to boost their security policies

In their conclusion, Slowmist warned that exchanges will have to adapt their securities to chains with smaller hashrates. They further state that the recent decline in blockchain funding has contributed to reduced hashpower.

According to the report, Slowmist recommends “that all digital asset services platform block transfers from the above malicious wallet addresses. And strengthen the risk control, maintain a high degree of attention, and be alert to double spend attacks that may erupt at any time”.

The recent attack offers yet another lesson for crypto and blockchain companies. Exchanges should boost their security and increase the number of confirmations required.

Read more on hacking:

Despite low prices, hackers still target Ethereum wallets and mining rigs

Crypto Destroyer

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.