Hacker wastes entire day hacking Pigeoncoin cryptocurrency only to make $15,000

Pigeoncoin hack confirms that the CVE-2018-17144 vulnerability fixed in the Bitcoin source code in mid-September was, indeed, as bad as it gets.
Written by Catalin Cimpanu, Contributor

A hacker spent an entire day exploiting a vulnerability in the source code of the Pigeoncoin cryptocurrency to steal 235 million PGN tokens, which ended up being worth a mere $15,000 after the whole day's work.

The hack took place on September 27, according to users of the BitcoinTalk forums, who first spotted the suspicious blockchain activity, and later traced it to a user named "mrsandman1."

The attacker didn't exploit a Pigeoncoin-specific vulnerability, but a bug in the Bitcoin code that had been found and fixed eight days before, on September 19. That bug, CVE-2018-17144, was one of the most critical bugs in the history of the Bitcoin network.

Had it been exploited, the bug would have allowed an attacker to crash Bitcoin network nodes and create the conditions for a "51% attack," which, in turn, could have allowed the attacker to perform a double-spend attack and generate unmerited funds.

As ZDNet reported at the time, while the bug was fixed with urgency in the Bitcoin code, it would take some time before all the smaller Bitcoin-based cryptocurrencies would be in a position to apply the fix to their own code.

"Copycat currencies are at risk. By definition, there's always a group upstream that knows their vulnerabilities," said, at the time, Emin Gün Sirer, a professor at Cornell University and a renowned cryptographer and cryptocurrency expert.

This is exactly what appears to have happened with Pigeoncoin, whose developers failed to integrate the upstream fix for the CVE-2018-17144 Bitcoin bug.

They only patched the bug after the hacker had already gained access to 235 million PGN coins, just over 25 percent of the 923 million PGN coins on the market.

The only reason this hack didn't yield more money for the hacker is that Pigeoncoin is one of the least traded and least known cryptocurrencies on the market, with one PGN being valued at a lowly $0.000066 and Pigeoncoin's entire market cap being a laughable $60,000.

Had the hacker paid attention to these details, he wouldn't have wasted a day hacking a cryptocurrency that nobody uses and that is barely traded anywhere.

All the major Bitcoin-offshoot cryptocurrencies, like Litecoin, have already ported the fix to their codebases, but there are many more that have not yet applied the CVE-2018-17144 patch, and are likely vulnerable.
