College Student Attacks Cryptocurrency

You would not think that a college freshman could be a threat to your cryptocurrency, but he proved us all wrong. This college student set out to show how easy stealing cryptocurrency can be. Why is he out to 51% attack your cryptocurrency? He stated that his main driving force was to show people how vulnerable your loot is.

A college freshman is coming after your cryptocurrency – but not to steal your coins, just to prove that someone could do so pretty easily.

According to a crypto enthusiast and security researcher going by the handle “geocold51,” most small-scale cryptocurrencies are at risk from the industry’s most feared vulnerability – the 51% attack. During this attack, a miner takes over more than half of a cryptocurrency’s mining power, which then allows them to erase a past transaction and replace it with another transaction – called a double spend.

While the ecosystem that’s been built up around bitcoin and other top-tier cryptos makes them resistant to these kinds of attacks, other cryptocurrencies with less of a community of miners aren’t as secure.

Sure enough, on smaller coins, these kinds of attacks are getting more common. In a new report, Group-IB found $20 million worth of crypto theft accomplished with such attacks in 2018, as TNW reported.

On Saturday, October 13, geocold51 decided to display just how easy it was – livestreaming his attempt to 51% attack Bitcoin Private, a crypto with close to a $47 million market cap (at the time of writing).

Speaking to CoinDesk, geocold51 said, if a cryptocurrency can be so easily attacked, “it’s sort of a misvalue of a given currency by different investors.”

Geocold51 estimates he spent $100 to get to the point where he could have done a demonstration double spend on bitcoin private, but he stopped because his livestream got pulled.

Just to be clear, geocold51 wasn’t interested in stealing, and so he set up the demonstration where he’d send the bitcoin private he owned to two different wallets he owned. In that way, no user or exchange provider gets ripped off.

For him, it’s about displaying that many coins are vulnerable and, therefore, perhaps vastly over-valued.

That said, he estimates that to make a profit off a 51% attack, it would cost a malicious attacker roughly double – so around $200 – to buy some bitcoin on an exchange with his bitcoin private and then make another transaction on the longer chain that invalidates the first transaction, giving him his bitcoin private coins back and leaving the exchange coming up short.

While going through the exchange process costs more, the 51% attack has still become quite economical due to the rise of cloud computing. According to geocold51, without access to cloud mining, an attack like he did on bitcoin private would have cost him about $100,000 in hardware.

“Nicehash and the ability to rent hashing power fundamentally changes the landscape of 51% attacks,” geocold51 told CoinDesk, adding:

Because geocold51 announced the livestream on Reddit (the post got 1500 upvotes and 60,000 views, he said), the attempted attack got quite a bit of attention – even dogecoin creator Jackson Palmer tweeted about watching.

Still, the livestream didn’t work exactly as planned, and because of that, geocold51 said he would run a complete attack later. He told CoinDesk he will do it without a stream this week and release a recording of his demonstration on YouTube shortly after.

The inspiration

The young security researcher’s handle might remind some of another security guru.

According to geocold51, he was inspired by one of the most legendary hackers of recent years: geohot, who famously jailbroke the original iPhone, which means the restrictions on carriers and apps were removed.

These days, geohot likes to livestream himself searching for vulnerabilities.

And geocold51 figured he could start doing the same within the cryptocurrency ecosystem.

Geocold51 has a good knowledge of crypto. Back when GPU hardware was still lucrative for hobbyist miners, geocold51 mined quite a bit of bitcoin. He then began trading money on Cryptsy, before the exchange’s CEO allegedly walked away with millions of dollars in its users’ money.

In that, he lost nearly all his bitcoin.

But he still remained interested in the space, and continued to study up on how it all worked. And as the industry divided into hundreds and thousands of different cryptocurrencies, geocold51 thought he might be able to shine some light on the security pitfalls.

And others were interested in that too. His Reddit post about the challenge garnered 1500 upvotes, and over Twitch he received $888 in donations.

The day of the attack

What’s also interesting is that bitcoin private wasn’t his first target.

Instead, geocold51 had intended to go after einsteinium, a volunteer-run litecoin fork with a $19 million market cap and $598,000 in trading volume per day, at the time of this writing.

He announced his intent publicly, and as he got ready for the attack, commenters within his Twitch feed noted that the cryptocurrency’s hash rate was spiking.

Because he had announced the attack in advance, the einsteinium community boosted the hash rate because it was worried that such an attack could cause a chain split and create a second blockchain that people could get stuck on, according to Ben Kurland, one of the project’s board members. At that time, einsteinium was in the middle of a wallet upgrade. If users or exchanges did not upgrade their wallets in time, the blockchain split could have caused property loss.

Seeing the increased hash power, geocold51 decided to attack bitcoin private instead.

According to geocold51, he got over 600 views during the Twitch livestream, before Twitch shut the stream down. The team at Twitch, he said, temporarily suspended him under the “attempts of threats of harm” section of its community guidelines.

He got another livestream up on Stream.Me a half-hour later.

Once broadcasting there, he was able to hire miners through Nicehash to mine bitcoin private. In fact, he almost immediately mined a block. And in very little time, he was controlling more than 50 percent of the hash power on the blockchain.

Pretty soon an account called “CommunityWatch” popped up in the stream and wrote: “Just a quick question: I’m assuming everything we are