Ethereum Attacker Traced Through Mining Pools After Second Wave of Network DoS Assaults

In late October 2016, the Ethereum network was locked in an extraordinary battle against a sophisticated attacker who had been spamming the blockchain since mid-September. Despite an emergency hard fork deployed on October 19 to address the vulnerabilities, a second wave of attacks began less than 24 hours later. But this time, researchers were closing in on the perpetrator’s identity.

TL;DR

  • Ethereum had been under sustained DoS attacks since Devcon2 on September 18, 2016
  • Emergency gas repricing hard fork activated on October 19 successfully stopped the first wave
  • A second wave of attacks launched less than a day after the fork, with reduced impact
  • Attacker created approximately 19 million empty accounts using the SUICIDE opcode, compared to just 777,647 real accounts
  • Transaction fees surged up to 45x normal levels during the height of the attacks
  • Researchers traced attacker transactions to EthPool and DwarfPool mining pools, potentially revealing IP addresses
  • Possible connection to the $50 million DAO hacker who exploited Ethereum in June 2016

The Attack Timeline

The assault on Ethereum began during Devcon2, the Ethereum Developers Conference held in Shanghai on September 18, 2016. The attacker exploited weaknesses in the Ethereum Virtual Machine’s operation code pricing, launching computationally intensive transactions that overwhelmed the network. Multiple attack vectors were deployed in succession, each targeting different vulnerabilities in the protocol.

The first wave included spam transactions designed to consume excessive computational resources, a memory crash contract targeting the geth client, and an account bloat attack that created millions of empty accounts. The diversity of attack vectors suggested a highly sophisticated adversary with deep technical knowledge of Ethereum’s architecture.

The Ethereum development community responded with remarkable speed. On October 19, a gas repricing hard fork was activated that recalibrated the computational cost of various Ethereum operations, effectively neutralizing the attacker’s primary weapons. The fork was a success — the spam transactions that had been clogging the network suddenly became too expensive to execute at scale.

The Second Wave and Its Limited Impact

Within hours of the hard fork going live, the attacker launched a second campaign. New contracts were deployed targeting different weaknesses in the protocol. However, the October 19 hard fork had fundamentally shifted the economics of the attack. While the first wave had brought the network to a crawl — with transaction fees spiking to 45 times their normal levels and full node wallets unable to sync — the second wave had comparatively modest impact.

The Ethereum network continued processing transactions throughout, a testament to the resilience provided by its diverse ecosystem of node clients. When one client crashed, others kept the chain alive. The attacks ultimately served as an unexpected stress test, hardening the network’s defenses while still in its relatively early phase.

Tracing the Attacker

By October 22, blockchain analysts had made significant progress in identifying the attacker. While the attacking transactions themselves were anonymous, careful tracing of the funding pathways revealed that the attacker had used the services of EthPool and DwarfPool, two Ethereum mining pools. These mining pool transactions could potentially reveal the attacker’s IP address, assuming the associated accounts belonged to the attacker and had not been taken over from other victims.
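The funding-path tracing described above can be sketched as a backward walk over transfers, from an attack account to the first labelled service address on each path. This is an added example, not code from the researchers; the addresses, labels and the `trace_funding` helper are constructed placeholders, and a hit names a service that funded the account, not a person.

```python
from collections import deque

# Constructed sample data: (sender, recipient, value_in_ether). The names are
# placeholders standing in for addresses, not real chain data.
TRANSFERS = [
    ("pool_payout_A", "wallet_1", 5.0),
    ("wallet_1", "wallet_2", 4.9),
    ("wallet_2", "attack_account", 4.8),
    ("pool_payout_B", "wallet_3", 2.0),
    ("wallet_3", "attack_account", 1.9),
    ("attack_account", "wallet_2", 0.1),  # cycle: must not loop forever
    ("exchange_hot", "unrelated", 9.0),   # never funds the subject
]
# Hypothetical labels an analyst maintains for known service addresses.
LABELS = {
    "pool_payout_A": "mining pool A",
    "pool_payout_B": "mining pool B",
    "exchange_hot": "exchange",
}


def trace_funding(target, transfers, labels, max_hops=6):
    """Walk incoming transfers backwards from `target`; return a list of
    (label, path) for each labelled address reached within `max_hops`."""
    incoming = {}
    for sender, recipient, _value in transfers:
        incoming.setdefault(recipient, []).append(sender)

    hits, seen = [], {target}
    queue = deque([[target]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # hop budget spent on this branch
        for sender in incoming.get(path[-1], []):
            if sender in seen:
                continue  # already explored; also breaks cycles
            seen.add(sender)
            new_path = path + [sender]
            if sender in labels:
                # Stop at a labelled service: what funded the service itself
                # says nothing about the subject account.
                hits.append((labels[sender], list(reversed(new_path))))
            else:
                queue.append(new_path)
    return hits


if __name__ == "__main__":
    for label, path in trace_funding("attack_account", TRANSFERS, LABELS):
        print(label, ":", " -> ".join(path))
```
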

Perhaps most intriguingly, researchers uncovered tantalizing connections to the infamous DAO hack of June 2016, which saw approximately $50 million in ether stolen from The DAO, a decentralized autonomous organization built on Ethereum. Some of the accounts used in the October attacks had donated small amounts of Ethereum Classic (ETC) to the Ethereum Classic development fund — the same address that the DAO hacker had contributed 1,000 ETC to when accessing their stolen funds. Both donations were described as suspiciously small, suggesting either the same actor or someone attempting to frame them.

Princeton Research Raises Longer-Term Concerns

The timing of the attacks coincided with a provocative academic paper from Princeton University’s Center for Information Technology Policy. Published on October 21 by researchers Miles Carlsten, Harry Kalodner, Matt Weinberg, and Arvind Narayanan, the paper titled “On the Instability of Bitcoin Without the Block Reward” warned that Bitcoin’s security model would face fundamental challenges as mining rewards shifted from block subsidies to transaction fees.

The researchers identified a strategy they called “undercutting,” where miners would deliberately capture minimal transaction fees, leaving the rest as an incentive for the next miner to extend their block rather than competing blocks. They also demonstrated that selfish mining — a previously known attack vector — would become more profitable as block rewards diminished. The paper was scheduled for presentation at the ACM CCS conference, one of the top academic security venues.

For a network like Ethereum, already grappling with real-world attacks on its transaction processing infrastructure, the Princeton findings underscored the broader challenges facing blockchain security design. The Ethereum attack had demonstrated that pricing of computational resources was a critical and ongoing concern, while Bitcoin’s longer-term incentive structures remained an open research question.

Why This Matters

The October 2016 Ethereum attacks represented one of the first major real-world stress tests of a live blockchain network. The incident demonstrated both the vulnerability of early blockchain systems to sophisticated adversaries and the resilience of decentralized networks under sustained assault. The rapid development and deployment of a hard fork within weeks of the initial attack showcased the Ethereum community’s ability to respond to crises.

The potential link to the DAO hacker added another layer of drama to an already tumultuous year for Ethereum, which had already executed one controversial hard fork to reverse the DAO theft. Meanwhile, academic research from Princeton was raising fundamental questions about the long-term security of proof-of-work systems — questions that would become increasingly relevant as Bitcoin’s block reward halvings continued to reduce the subsidy for miners. Ethereum traded at approximately $12 during this period, with Bitcoin at $657, far from the heights both would eventually reach.


3 thoughts on “Ethereum Attacker Traced Through Mining Pools After Second Wave of Network DoS Assaults”

  1. Tracing through mining pools shows the blockchain transparency working exactly as intended. You can't hide on a public ledger.

  2. Wei Lindqvist

    Second wave of DoS attacks on Ethereum back in 2016 was brutal. Really tested the resilience of the young network.

  3. SatoshiDisciple

    This is why decentralization matters. A centralized network would have just gone down completely.
