The Ethereum network has been undergoing a series of attacks since the Devcon2 Ethereum Developers Conference on Sep 18 2016.The Ethereum network activated a hard fork on Oct 19 2016 that successfully stopped the spam transaction attack.Less than a day after the hard fork, a new wave of attacks was executed by the attacker, but these attacks have had less impact on the Ethereum network.The attacks have , for the moment at least.The attacker may have given up as the second wave of attacks have had little impact on the network.The attacker’s transactions have been anonymous until now.The tracing of the transactions below eventually led to the transactions showing that the attacker has used the services of the and mining pools.These mining pool transactions could reveal the attacker’s IP address, assuming none of the accounts involved have had their private keys stolen.Whether anyone will pursue the attacker is unknown at this point in time.The attacker could be the same , or someone who wants us to think that.

Some of the attacking accounts donated a few Classic ethers (ETC) to the , the same account .And both attackers made the same measly order of donation to the Ethereum Classic development fund.One positive aspect of these attacks is the improvement of the security of the Ethereum network while still in it’s early phase.Overall, the Ethereum network kept on chugging along despite the repeated attacks.Many nodes crashed in the first attack, but due to the diversity in node clients, the network continued running.ethereum radeonWith the spam transaction attacks, node clients were slowed down especially nodes with limited RAM and non-solid state storage.mit bitcoin geld verdienenWith the many millions of empty account attack, node clients were slowed down further.litecoin price btc-e

Users had trouble syncing their full node wallets.Transactions could not be submitted with normal fees – some transactions fees were raised up to 45x the normal fee as this prioritises the transactions.Large smart contracts could not be deployed as the miners were advised to lower the gasLimit to reduce the effects of the spam transactions.Some miners started mining blocks with zero transactions for fear of slowing down their nodes.bitcoin ireland atmBut the network kept on chugging along and hopefully will .bitcoin gorillaA very nice resilient network decentralised over nodes.instant bitcoin redditUpdate 13:48 Oct 25 2016 UTC – User on the reddit post writes: Following the quick I made on the way back from Shanghai I was pointing to an address almost empty now and was initially funded by a tx from shapeshift among other tx from shapeshift: I have been harassing the customer service of shapeshift and obtained this two BTC tx used to fund some of the attackers address If you care to carry on investigating let me know if I can be of any help.btc king bitcoin

Hope it helps, I had great fun in Shanghai with you guys… The contract involved : edit bis: looks like the attack is now (2315287) slowing down last tx to the contract involved was made 1 hours ago .Some the adresses listed below also interacted with what looks like a copy of the attacking contract edit bis bis Tx to the contract are now (2318227) going fast and with low fees (0.006) but multiple attacking transactions get included in blocks see The current fee for the DoS tx seems to be settled now at 0.027 eth.buy bitcoin tunisiaIf a tx is included in a block every 15 sec, this attack is costing 6.48 eth per hour or 155.52 eth per day.bitcoin web browser minerAt 2312624, the sum of the balances of the addresses calling the contract (see below) is 150 eth, so expect at least 24 hours of trouble.edit: I guess due to the pools and miners adapting their gaslimit and gasprice the tx fee of the attacker is now up to 0.03465 (+28%) The Contract creator: Note that this address has created a lot of similar contracts 6 days ago between block 2271721 and block 2272038 and resumed creating contract 4 days ago at 2282288 to 2283381 This address is almost empty now and was initially funded by a tx from shapeshift: There are 15 addresses related to the contract so far (analysis done at 2312453 ) and 1 address (a contract) that received a transaction from it.

You can watch it on : There are 10 address calling the contract that have the same pattern of creation, those addresses where all loaded from Poloniex between 2300996 and 2301016 : This address was funded multiple times (all initially from shapeshift) and is also calling the contract: There is only one address that received something from the contract: Note that this is a contract created by the same person (0x0c35a2… ) 5 days ago at 2282288 Furthermore those 3 addresses are also related to the contract and probably used for testing, receiving funds 6 days ago around bloc 2278648 : This “testing addresses” lead to this contract address : the address that created currently used contract (0x0c35a2e…) interacted with it.Update 21:47 Oct 25 2016 UTC – User on the reddit post writes: IP addresses are known a long time ago, I write also to ethcore-team ISP of attackers.But how can it help?Update 01:18 Oct 22 2016 UTC – A Perl script and the raw data for the 6 known offensive contracts is available in .

Posted on and .The first attack started on block at Sep-18-2016 06:04:56 PM +UTC (01:04:56 Sep 19 Shanghai time) and targeted the go-ethereum geth clients, causing a across the network.Part of the design of the Ethereum network is the diversity of node clients.While geth (implemented in Go) crashed, Parity (implemented in Rust) and EthereumJ (implemented in Java) kept the network running.was released on Sep 19 with the code change.The offensive transactions were both: The geth memory crash contract : The spam DoS transaction contract : Was created in in at Sep-18-2016 05:18:59 PM +UTC from Sent : First in at Sep-18-2016 06:04:56 PM +UTC Last in at Oct-04-2016 04:46:37 PM +UTC The list of MANY accounts sending the transaction include: .This was funded from ShapeShift2 in at Sep-08-2016 02:08:32 PM +UTC .This was funded from Poloniex in at Sep-21-2016 03:51:18 PM +UTC .This was funded from at Oct-01-2016 01:58:01 AM +UTC, which was funded from Poloniex in at Sep-21-2016 09:54:26 PM +UTC.

This was funded from ShapeShift in at Sep-17-2016 11:00:54 PM +UTC .This was funded from Poloniex in at Sep-21-2016 03:49:32 PM +UTC .This was funded from at Oct-01-2016 02:11:03 AM +UTC, which was funded from Poloniex in at Sep-21-2016 09:54:26 PM +UTC.This was funded from Poloniex in at Sep-21-2016 03:49:04 PM +UTC .This was funded from Poloniex in at Sep-21-2016 03:48:12 PM +UTC .This was funded from ShapeShift in at Sep-17-2016 10:45:54 PM +UTC .This was funded from ShapeShift in at Sep-17-2016 10:42:28 PM +UTC .This was funded from Poloniex in at Sep-21-2016 03:48:29 PM +UTC .This was funded from Poloniex in at Sep-21-2016 03:51:04 PM +UTC Has the following opcodes (only the beginning shown), showing the offensive EXTCODECOPY opcode: The attacker sent low cost transactions to create many millions of empty accounts on the Ethereum blockchain, slowing down the processing of the Ethereum node clients.Update 05:55 Oct 23 2016 UTC – First estimate of the number of accounts created by the SUICIDE opcode is 19,041,840 by retrieving the information from Parity.

The original estimate was manually computed by viewing the transactions in etherscan.io, which did not pick up most of the empty accounts.Compare to 777,647 real accounts.That’s why your syncing has been taking such a long time.User on the reddit post provided two address involved in the creation of the many millions of empty accounts: , activated a Gas Reprice hard fork on at Oct-18-2016 01:19:31 PM +UTC rendering the spam DoS transactions above obsolete.As reported in , a new wave of attacks commenced less than a day after the Gas Reprice hard fork involving the two following contracts: Was created in in at Oct-19-2016 11:36:21 AM +UTC from .The ethers from this account were over 434 days ago.Sent : First in at Oct-19-2016 11:41:53 AM +UTC Last in at Oct-20-2016 12:27:05 PM +UTC The reason why this stopped ?temporarily is because all the accounts including , , and ran out of ethers, and the attacker must be asleep.The account was funded in at Oct-12-2016 11:07:27 PM +UTC from : Account was funded in at Oct-12-2016 07:26:30 PM +UTC from : Account was funded from Ethpool in at Aug-09-2015 12:17:46 AM +UTC and DwarfPool1 in at Mar-08-2016 03:36:49 AM +UTC many times until at May-26-2016 06:06:47 PM +UTC: Some of these pools require IP addresses that the miner is mining from to confirm the miner’s credentials.

requires IP address confirmation for change in account setting, and stores the miner’s IP address and would therefore have an association between the miner’s account and IP address: And here is the attacker’s : The attacker earned around 26 ETH mining at DwarfPool in April 2016.This is the equivalent of about 125 Mhs, or 4 x R9 390X GPUs (my 125 Mhs solo miner earned 5 blocks or ~ 25 ETH in the same period): User asked on “How could the ip be used?Couldn’t be using a proxy or vpn?”.The attacker could use a proxy, VPN or ?TOR to hide their IP address, but it is highly unlikely they would have done so.It is far easier to hide the association between your IP address and your Ethereum mining rewards account just by solo mining.And this pool mining was conducted before the idea of The DAO was floated, with the juicy USD 50 million bug in the code.The attacker could have planned these attacks well in advance, but why would they bother pool mining if they could just solo mine anonymously with higher profitability compared to pool mining via a proxy/VPN/?TOR that adds some latency in the pool mining process?

I think it was a slip up using a traceable account to mount the attacks.So my guess would be – a C, C++, Java, Assembly Language developer, mid 30s to mid 40s, male, small time miner with the rig small enough to fit in the unit or house, basement or garage, 5 foot 8 inches, long hair :-).And the IP address will point directly to the attacker’s home, but someone will have to get the IP address from DwarfPool and then find out the physical address or owner from the ISP.I don’t know whether the three-letter-acronym agencies would bother.We could set up a prediction event on or and place our bets.User on the reddit post wrote: It hasn’t come up yet in the thread, but 15 hrs after the attacks finished they dumped into account .This is our public etc dev account, and is not involved with the attack.The funds received will be frozen, same as the dao funds received as far as I’m concerned.As traced on , The DAO hacker donated 1000 ETCs out from their 3642408.5276 ETC (~ USD 3.7 million) The DAO hack booty to the same in at Sep-05-2016 22:34:13 UTC.