Cyber Incident Victim: EOS Cryptocurrency
Date: Feb 2019
Location: China
Summary
A hacker exploited a vulnerability in the EOS blockchain's blacklist mechanism, stealing approximately $7.7 million worth of cryptocurrency by transferring funds from a compromised account. The breach occurred because one of the top 21 block producers responsible for maintaining the blacklist, identified as games.eos, failed to update its list, enabling the attacker to bypass the blacklist and move stolen coins to multiple exchange accounts. While some exchanges like Huobi froze associated funds, others did not intervene, so the attacker kept part of the stolen funds. The incident highlighted systemic flaws in the consensus-dependent blacklisting process, where unanimous updates among block producers were required to prevent such exploits. EOS community members subsequently proposed revising the mechanism to allow faster account freezes with majority approval rather than full consensus.
Description
On February 23, 2019, the EOS42 community publicly disclosed a theft of approximately 2.09 million EOS tokens (valued at $7.7 million at the time) via a Telegram post. The hack exploited a vulnerability in the EOS blockchain's security protocol, which relied on a consensus-based blacklisting system maintained by the network's top 21 block producers (BPs). These BPs were responsible for maintaining and synchronizing a shared blacklist of malicious EOS addresses, which cryptocurrency exchanges used to freeze stolen funds. The procedure required all 21 BPs to update their blacklists uniformly to effectively block transactions from compromised accounts. However, one BP—games.eos, a recently promoted block producer focused on EOS-based gaming—failed to implement the updated blacklist. This lapse allowed the attacker to bypass the security measure and transfer stolen funds from the hacked account to multiple exchange wallets.

The incident unfolded after the hacker successfully moved the stolen EOS tokens across several cryptocurrency exchanges. Huobi, one of the targeted platforms, froze accounts receiving the illicit funds following EOS42's alert, but other exchanges did not enact similar freezes, enabling the hacker to retain a portion of the stolen assets. In response, EOS42 criticized the existing blacklist mechanism as fundamentally flawed due to its requirement for unanimous compliance among all 21 BPs, arguing that a single non-compliant BP could undermine the entire system. They proposed a revised protocol requiring only 15 of 21 BPs to agree on blacklisting an account, which would automatically nullify the account's keys and prevent fund movement. This change aimed to reduce the risk of corruption or negligence by individual BPs, as the original system allowed attackers to potentially bribe a single BP to circumvent security measures. The theft highlighted operational vulnerabilities in EOS's governance model, particularly the reliance on decentralized but inconsistently implemented security controls among block producers.
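The following model is an added illustration, not EOS code and not taken from EOS42's proposal. It contrasts per-producer blacklists, where a single stale list leaves an open slot, with a 15-of-21 freeze recorded as shared state. It assumes a transfer succeeds if any scheduled producer accepts it; the `Network` class, the account name, and every producer name except games.eos are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed schedule: 20 hypothetical producers plus games.eos (named on the page).
PRODUCERS = [f"bp{i:02d}" for i in range(1, 21)] + ["games.eos"]
ACCOUNT = "victimacct11"  # hypothetical compromised account


@dataclass
class Network:
    # Each producer's private copy of the blacklist (current design).
    local_lists: dict = field(default_factory=lambda: {bp: set() for bp in PRODUCERS})
    # account -> producers that approved a freeze (proposed design).
    approvals: dict = field(default_factory=dict)
    threshold: int = 15  # 15 of 21, as in the proposal described above

    def update_local_list(self, bp, account):
        self.local_lists[bp].add(account)

    def approve_freeze(self, bp, account):
        self.approvals.setdefault(account, set()).add(bp)

    def keys_nullified(self, account):
        return len(self.approvals.get(account, ())) >= self.threshold

    def accepting_producers(self, sender):
        """Producers whose block slot would include a transfer from `sender`."""
        if self.keys_nullified(sender):
            return []  # freeze is shared state: no producer can accept
        return [bp for bp in PRODUCERS if sender not in self.local_lists[bp]]


def scenario_local_lists(stale=("games.eos",)):
    """Current design: every producer except those in `stale` updated its list."""
    net = Network()
    for bp in PRODUCERS:
        if bp not in stale:
            net.update_local_list(bp, ACCOUNT)
    return net.accepting_producers(ACCOUNT)


def scenario_threshold(approvers):
    """Proposed design: only `approvers` vote; nobody maintains a local list."""
    net = Network()
    for bp in approvers:
        net.approve_freeze(bp, ACCOUNT)
    return net.accepting_producers(ACCOUNT)
```

With one stale producer the first scenario returns only games.eos, while the second returns no accepting producer once 15 approvals are recorded, even though games.eos never voted.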
