U.S. authorities have indicted two scammers who hacked the EtherDelta cryptocurrency exchange in 2017. One of the two suspects is Elliott Gunton, also known as Glubz, a 20-year-old Briton who previously took part in the TalkTalk hack. The other is Anthony Tyler Nashatka, a New Yorker also known as psycho.
Two years ago, the scammers changed the exchange's DNS settings and redirected EtherDelta traffic to a clone site, from which user credentials were stolen, followed by the users' funds.
According to court documents, the attack began on December 13, 2017, when Nashatka bought the personal data of an EtherDelta employee on the black market, paying in cryptocurrency. The information included a phone number and an email address. Although the employee appears in the documents only under the initials ZC, this person was most likely Zachary Coburn, the head of the company: only access to his accounts would have allowed the hackers to do what happened next.
It is not known whether the fraudster specifically sought out Coburn's data because he was the CEO of EtherDelta, or stumbled on the information in a large data dump and realized who it belonged to. Either way, using the purchased information, Nashatka set out to seize EtherDelta's Cloudflare and Dreamhost accounts.
A few days later, on December 19, 2017, Gunton somehow managed to convince a representative of the mobile operator to add a call-forwarding number to Coburn's account. As a result, any incoming calls to Coburn's phone were automatically forwarded to a Google Voice number controlled by the scammers.
Gunton and Nashatka wasted no time and used the call forwarding to bypass two-factor authentication on Coburn's EtherDelta administrator account. A day later, on December 20, they changed the DNS settings in the company's G Suite portal and redirected Gmail traffic to a server in Britain under their control, which allowed them to intercept and hide certain emails.
The attackers then initiated a password recovery for EtherDelta's Cloudflare account, since the password-reset links arrived in Coburn's intercepted mail. Having gained access to the Cloudflare account, the scammers changed the password and locked out the company's other employees. After that, the EtherDelta DNS settings inside the Cloudflare account were changed as well: the new records pointed the official EtherDelta domain at a web server controlled by the cybercriminals, which hosted a clone of the exchange's website built to harvest user credentials.
When the attack was noticed, Gunton and Nashatka went on to "monetize" the stolen credentials and began withdrawing user funds. Although the court documents do not say how much the scammers "earned" this way, one victim of the attack is known to have reported a loss of more than $800,000.
The two were charged on August 13 this year in San Francisco. Three days later, Gunton was sentenced in the UK to 20 months in prison for trading in personal data for cryptocurrency, following his arrest in 2018. The American case is most likely also based on information found on Gunton's devices after that arrest.
In the United States, each of the fraudsters faces five charges, carrying a maximum sentence of up to 20 years in prison and fines of up to $250,000.