A group of hackers stole more than $20 million in Ethereum from wallets and mining applications based on the Ethereum blockchain. The attackers targeted Ethereum software that was configured to expose the RPC (remote procedure call) interface on port 8545.
This interface gives access to a software API through which approved third-party services or applications can request data from the original service, for example, applications that store funds received from mining.
The RPC interface is able to provide access to some important functions, allowing a third-party application to view private keys and personal user data, and conduct transactions.
By default, it is disabled in most applications, and developers warn of the potential danger of enabling it if it is not properly protected by an ACL (access control list), a firewall, or other authentication systems.
Almost all Ethereum-based software now has an RPC interface. In most cases, even when enabled, it is configured to accept requests only through the local interface (127.0.0.1), that is, from applications running on the same machine as the original mining application (wallet).
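An added example, not part of the original article: a Python check that reads Linux `ss -ltnH` output and lists every listener on port 8545 that is bound to something other than the loopback interface described above. The sample socket lines and all function names are constructed for illustration.

```python
import ipaddress
import sys

RPC_PORT = 8545  # JSON-RPC port named in the article

# Constructed sample of `ss -ltnH` output; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:8545 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8545 0.0.0.0:*
LISTEN 0 4096 [::1]:8545 [::]:*
LISTEN 0 4096 *:8545 *:*
LISTEN 0 4096 192.0.2.10:8545 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::ffff:127.0.0.1]:8545 *:*
"""

def is_loopback_only(host):
    """True only if the bind address is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and %iface suffix
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" or anything unparseable counts as exposed
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address it carries.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback

def exposed_rpc_listeners(ss_output, port=RPC_PORT):
    """Return local address:port entries for `port` not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, listen_port = fields[3].rpartition(":")
        if listen_port == str(port) and not is_loopback_only(host):
            findings.append(fields[3])
    return findings

if __name__ == "__main__":
    # Use piped `ss -ltnH` output if present, otherwise the constructed sample.
    data = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for entry in exposed_rpc_listeners(data):
        print(f"port {RPC_PORT} reachable beyond loopback: {entry}")
```

A listener flagged here is reachable from other machines unless a firewall or ACL in front of it says otherwise, so the result is a prompt to check those controls as well.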
Despite the developers' official warnings, users continued to run misconfigured Ethereum clients for years. Many of them reported a loss of funds through an open RPC interface.
Scanning for these interfaces has gone on for many years, but it intensified with the rise in cryptocurrency prices. One of the biggest surges of scanning activity was registered in November last year.
The attacks were successful, as the victims soon discovered that the version of the Electrum Wallet application ships with JSON-RPC enabled by default, which makes it easy to access user tools.