MyEtherWallet Hack Executed by Native Russian Speaker, Analyst Confirms

Security research firm RiskIQ published some of the code from MyEtherWallet's fake site and found that the hacker responsible for the $150,000 loss in the most recent incident is a native Russian speaker.

The sun never sets on the MyEtherWallet hack that broke the internet as analysts attempt to understand how the breach happened and how it could be prevented. Rather than compromise the website itself, this ambitious hacker decided to take a stroll through the internet’s backbone and rip it apart, all to collect some Ether because… reasons.

Now, a report from RiskIQ indicates that the attack was perpetrated by native Russian speakers, a strong indication that the attackers could have come from Russia. RiskIQ also dubbed the fake website’s code and surrounding utilities “MEWKit.”

“Going through the script, we can find more evidence of experimentation in the form of comments written in Russian. We’ve translated all the comments, and based on the wording used, they were likely written by a native Russian speaker who is familiar with financial terms,” the company said in its report.

While code itself is generally written using English-language keywords (“if”, “for”, “end”, “while”, “function”, “int” [integer], etc.), the comments that programmers add right next to their lines of code can be written in any language whatsoever.

To write a comment in code, all you have to do is add the special “commenting” symbol specific to that programming language. In C, and in the many programming languages that base their syntax on it, a single-line comment is introduced by a double slash (“//”), while a multi-line comment begins with a slash-asterisk (“/*”) and ends with an asterisk-slash (“*/”).

In the body of the comment, a programmer can insert any character.

RiskIQ found several instances of comments within the MEWKit code written in plain Russian.

“The first comment, ‘поставить кошелек получателя,’ translates to ‘set the wallet of the recipient,’ which is related to the function that sets the receiving wallet of the transaction to which to transfer funds from the phished victim’s wallet. The second comment, ‘отправить весь баланс в эмаунт,’ translates to ‘send the entire balance to the amount.’ The last word in this sentence, ‘эмаунт,’ is a non-Russian word spelled in Cyrillic.

For us, the presence of these comments means the author is a native Russian speaker with at least some knowledge of financial terms,” the company wrote.

The fact that the hacker was able to execute such a sophisticated attack flawlessly raises a few eyebrows.

However, that’s still not as suspicious as the fact that this shifty little hacker brazenly made off with $150,000 in Ether despite the fact that they already had $17 million of it in the wallet that was siphoning the cash.

Where did the $17 million come from? Was it some sort of external funding mechanism and the hacker is actually part of a larger organization? Possibly government?

Or did we actually find the wallet behind a long series of Ether-related attacks that accumulated such an enormous sum over time?

The MyEtherWallet incident is going to be one of those where the pieces of the puzzle that analysts put together bring with them more questions than they answer.