
Ethereum Attacker Traced Through Mining Pools After Second Wave of Network DoS Assaults

In late October 2016, the Ethereum network was locked in an extraordinary battle against a sophisticated attacker who had been spamming the blockchain since mid-September. Despite an emergency hard fork deployed on October 19 to address the vulnerabilities, a second wave of attacks began less than 24 hours later. But this time, researchers were closing in on the perpetrator’s identity.

TL;DR

  • Ethereum had been under sustained DoS attacks since Devcon2 on September 18, 2016
  • Emergency gas repricing hard fork activated on October 19 successfully stopped the first wave
  • A second wave of attacks launched less than a day after the fork, with reduced impact
  • Attacker created approximately 19 million empty accounts using the SUICIDE opcode, compared to just 777,647 real accounts
  • Transaction fees surged up to 45x normal levels during the height of the attacks
  • Researchers traced attacker transactions to EthPool and DwarfPool mining pools, potentially revealing IP addresses
  • Possible connection to the $50 million DAO hacker who exploited Ethereum in June 2016

The Attack Timeline

The assault on Ethereum began during Devcon2, the Ethereum Developers Conference held in Shanghai on September 18, 2016. The attacker exploited weaknesses in the Ethereum Virtual Machine’s operation code pricing, launching computationally intensive transactions that overwhelmed the network. Multiple attack vectors were deployed in succession, each targeting different vulnerabilities in the protocol.

The first wave included spam transactions designed to consume excessive computational resources, a memory crash contract targeting the geth client, and an account bloat attack that created millions of empty accounts. The diversity of attack vectors suggested a highly sophisticated adversary with deep technical knowledge of Ethereum’s architecture.

The Ethereum development community responded with remarkable speed. On October 19, a gas repricing hard fork was activated that recalibrated the computational cost of various Ethereum operations, effectively neutralizing the attacker’s primary weapons. The fork was a success — the spam transactions that had been clogging the network suddenly became too expensive to execute at scale.

The Second Wave and Its Limited Impact

Within hours of the hard fork going live, the attacker launched a second campaign. New contracts were deployed targeting different weaknesses in the protocol. However, the October 19 hard fork had fundamentally shifted the economics of the attack. While the first wave had brought the network to a crawl — with transaction fees spiking to 45 times their normal levels and full node wallets unable to sync — the second wave had comparatively modest impact.

The Ethereum network continued processing transactions throughout, a testament to the resilience provided by its diverse ecosystem of node clients. When one client crashed, others kept the chain alive. The attacks ultimately served as an unexpected stress test, hardening the network’s defenses while still in its relatively early phase.

Tracing the Attacker

By October 22, blockchain analysts had made significant progress in identifying the attacker. While the attacking transactions themselves were anonymous, careful tracing of the funding pathways revealed that the attacker had used the services of EthPool and DwarfPool, two Ethereum mining pools. These mining pool transactions could potentially reveal the attacker’s IP address, assuming the associated accounts had not been taken over from other victims.
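The funding-pathway tracing described above can be sketched as a backward breadth-first search over value transfers that stops at addresses an analyst has already labelled. This is an added example, not code from the researchers or from the article; the transfer list, address names, labels and the `trace_funding` helper are all constructed for illustration.

```python
from collections import deque

# Constructed sample data: (sender, recipient, value_in_ether).
# The names are placeholders, not real accounts from the 2016 incident.
TRANSFERS = [
    ("pool_payout_A", "wallet_1", 5.0),
    ("wallet_1", "wallet_2", 4.9),
    ("wallet_2", "attack_sender_1", 4.8),
    ("pool_payout_B", "wallet_3", 2.0),
    ("wallet_3", "attack_sender_2", 1.9),
    ("exchange_hot", "wallet_4", 10.0),
    ("wallet_4", "attack_sender_2", 0.5),
    ("wallet_2", "wallet_1", 0.1),  # cycle: the search must not loop on it
]
# Analyst-maintained labels for known payout addresses (hypothetical).
LABELS = {"pool_payout_A": "mining pool A", "pool_payout_B": "mining pool B"}


def build_inbound_index(transfers):
    """Map each recipient to the list of addresses that funded it."""
    inbound = {}
    for sender, recipient, _value in transfers:
        inbound.setdefault(recipient, []).append(sender)
    return inbound


def trace_funding(target, transfers, labels, max_hops=5):
    """Walk funding edges backwards from `target`.

    Returns {label: shortest path from the labelled source to target}.
    A hit is an investigative lead, not attribution: the labelled account
    may itself have been taken over from another user.
    """
    inbound = build_inbound_index(transfers)
    found = {}
    seen = {target}
    queue = deque([(target, [target])])
    while queue:
        addr, path = queue.popleft()
        if addr in labels:
            # BFS reaches each address first by a shortest path.
            found.setdefault(labels[addr], list(reversed(path)))
            continue  # do not trace past a labelled source
        if len(path) > max_hops:
            continue  # hop budget exhausted on this branch
        for src in inbound.get(addr, []):
            if src not in seen:
                seen.add(src)
                queue.append((src, path + [src]))
    return found
```

Unlabelled sources such as `exchange_hot` produce no hit, and the `max_hops` bound keeps the search from fanning out across the whole transfer graph.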

Perhaps most intriguingly, researchers uncovered tantalizing connections to the infamous DAO hack of June 2016, which saw approximately $50 million in ether stolen from The DAO, a decentralized autonomous organization built on Ethereum. Some of the accounts used in the October attacks had donated small amounts of Ethereum Classic (ETC) to the Ethereum Classic development fund — the same address that the DAO hacker had contributed 1,000 ETC to when accessing their stolen funds. Both donations were described as suspiciously small, suggesting either the same actor or someone attempting to frame them.

Princeton Research Raises Longer-Term Concerns

The timing of the attacks coincided with a provocative academic paper from Princeton University’s Center for Information Technology Policy. Published on October 21 by researchers Miles Carlsten, Harry Kalodner, Matt Weinberg, and Arvind Narayanan, the paper titled “On the Instability of Bitcoin Without the Block Reward” warned that Bitcoin’s security model would face fundamental challenges as mining rewards shifted from block subsidies to transaction fees.

The researchers identified a strategy they called “undercutting,” where miners would deliberately capture minimal transaction fees, leaving the rest as an incentive for the next miner to extend their block rather than competing blocks. They also demonstrated that selfish mining — a previously known attack vector — would become more profitable as block rewards diminished. The paper was scheduled for presentation at the ACM CCS conference, one of the top academic security venues.

For a network like Ethereum, already grappling with real-world attacks on its transaction processing infrastructure, the Princeton findings underscored the broader challenges facing blockchain security design. The Ethereum attack had demonstrated that pricing of computational resources was a critical and ongoing concern, while Bitcoin’s longer-term incentive structures remained an open research question.

Why This Matters

The October 2016 Ethereum attacks represented one of the first major real-world stress tests of a live blockchain network. The incident demonstrated both the vulnerability of early blockchain systems to sophisticated adversaries and the resilience of decentralized networks under sustained assault. The rapid development and deployment of a hard fork within weeks of the initial attack showcased the Ethereum community’s ability to respond to crises.

The potential link to the DAO hacker added another layer of drama to a tumultuous year for Ethereum, which had already executed one controversial hard fork to reverse the DAO theft. Meanwhile, academic research from Princeton was raising fundamental questions about the long-term security of proof-of-work systems — questions that would become increasingly relevant as Bitcoin’s block reward halvings continued to reduce the subsidy for miners. Ethereum traded at approximately $12 during this period, with Bitcoin at $657, far from the heights both would eventually reach.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency markets are highly volatile. Always conduct your own research before making investment decisions.

10 thoughts on “Ethereum Attacker Traced Through Mining Pools After Second Wave of Network DoS Assaults”

    1. opcode_archaeologist

      19M empty accounts from SUICIDE opcode and the fix was just repricing gas. eth security model in 2016 was basically duct tape

    2. null_deref_ the SUICIDE opcode was documented behavior. the attacker just used it creatively. that is the whole problem with turing complete chains

    3. SUICIDE opcode creating 19M empty accounts is peak 2016 eth. they patched it and the attacker came back 24hrs later lol

    1. never caught publicly. the trail went cold after the mining pool trace. some speculate it was the DAO hacker but nothing confirmed

      1. the attacker was likely the DAO hacker based on timing. started right after Devcon2 when everyone was distracted. hard to call that coincidence

      2. eth_archaeologist

        Katrin W. the DAO hacker connection was never confirmed but the timing was suspicious. attack started right after Devcon2

    1. gitter_lurker

      45x fees and people blamed the users. the network was literally unusable for days, devs were firefighting in real time on gitter
