GOOD CYCLE

DESCRIPTION OF EVENTS

"Korean platform GoodCycle [was] a recently launched peer-to-peer exchange that provides “investment” opportunities to its users." "According to PeckShield, this platform shows all the signs of a Ponzi scheme, which would explain its rapid rise in popularity."

"According to Good Cycle officials, this is a small P2P exchange in South Korea that just launched on May 25. Since its launch for half a month, the exchange has 6,151 users, 6,399 transactions, and a total transaction volume of 63,187.9674 ETH. The reason why it is so popular is because of its low participation threshold, only a minimum of $100 is required to participate, and after participating, you can get a high return on investment."

"The report from PeckShield notes that the exchange does not even use the encrypted HTTPS protocol, which would make it trivial to hack the exchange through “man-in-the-middle” attacks." "Our analysis found that the Good Cycle exchange website is based on the HTTP protocol and does not support HTTPS encrypted protocol access. Therefore, all kinds of sensitive information are transmitted in clear text, which can easily be attacked by hackers such as phishing and man-in-the-middle hijacking."

"A chain of Ether transactions with abnormally high fees took place between June 10 and 11, in which someone appears to have paid $2.6 million to transfer ETH, which normally would cost around $0.50 to a few dollars even for extremely large transactions."

"Earlier in the week, someone sent out two Ethereum transactions with fees of $2.5 million each. The hunt began to find the entity behind the address as experts offered their take on why this happened." "The mysterious account just emptied all the ETH to a new account. And sent transactions to @etherchain_org and @sparkpool_eth." "Sparkpool mined the first transaction on Jun. 10." "Instead of opting for a fee that could be as low as $0.5, the sender paid 10,668.73 ETH, worth $2.59 million, to send 0.55 ETH, worth $133.85 at press time." "Ethermine mined the second transaction on Jun. 11. That was a transaction of 350 ETH for over 10,000 ETH in fees, also around $2.5 million."

"The ridiculously high transaction fees were first pointed out by ZenGo researcher Alex Manuskin on Twitter." "Manuskin’s explanation for the freak Ethereum transaction fees was that there was a bug in the script used to automate payments out of the wallet. Other analysts agreed with this theory, including Ethereum developer FollowTheChain." "Various crypto outlets picked up Manuskin’s tweet soon after, with the crypto community’s curiosity stoked even further when Manuskin detected another insanely high transaction fee one day later from the same wallet."

In total, two "sky-high transaction fee transfers occurred on the Ethereum chain in a row, triggering extensive discussions and speculations in the industry." "After Peckshield’s findings were published, a whopping of 18,006 ETH was seen transferred out from the address, and there’s now only 1.34 ETH balance left."

Blockchain security company "PeckShield speculates that the hacker might have stolen the credentials to access the funds of a crypto exchange by luring them to a phishing website." PeckShield "identified the victim [as] a small P2P exchange in Korea called Good Cycle, which appears to be a Ponzi Scheme project. [Thei]r investigation [also] found that their security [was] really lacking, e.g., using HTTP instead of HTTPS, and could be easily hacked." "Per this theory, the exchange didn’t comply, and the hackers executed these Ethereum transactions. If this was the work of a hacker, their plan seems to have backfired."

"A communication from GoodCycle itself seems to confirm that the platform is suffering a hack, subsequently blocking withdrawals and performing a “security upgrade.”

"Good Cycle Announcement: Good Cycle system hacker attacks are repeated. Members are being confused to mark their assets. Withdrawals are restricted until the member's asset label is completed. We will notify you later that the withdrawal will be made. Ethereum deposit of 90% is completed. Those who are not reflected will be reflected after confirming by entering the sent history (txid) on the Good Cycle main screen. Security-enchancing defense walls are rising in 5 levels. Good Cycle will go global without being influenced by external influences. In addition, we will be with members until the day we live well. - Good Cycle Management."

"There are cases where Good Cycle members impersonate double withdrawals and withdrawals from some community sites. We ask for your special attention. On June 18, 2020, we will upgrade the system to enhance security. We will announce this in advance. Scheduled from 10 AM to 12 PM on June 18th."

"The Bitfly team have said they will work with the sender to resolve the issue as they believe it was a mistake." "Today our Ethermine ETH pool mined a transaction with a ~10.000 ETH fee. We believe that this was an accident and in order to resolve this issue the tx sender should contact us at via DM or our support portal immediately!"

"Good Cycle has, however, [initially] failed to contact the miners who validated the blocks with those transactions. As a result, the miners who initially decided to return the fee if the sender [contacted] them ended up disbursing the proceeds to the participants of its mining pool."

"[T]he exchange [later] sent two transactions to Ethermine and SparkPool with a message that says: “I am the sender.”" "On June 15, Ethermine distributed the fees to miners. SparkPool had said it would do the same once a deadline of June 17 at 15:30 (GMT+8) had passed. Since Good Cycle contacted SparkPool via the new transaction before this time limit, it remains unclear what the mining pool would decide now. The Block has reached out to both SparkPool and Ethermine and will update this story should we hear back." "It is unclear if SparkPool and Good Cycle have begun their conversation about resolution, but SparkPool will most likely refund Good Cycle in some capacity." "Sparkpool [apparently] made the same decisions and distributed the proceeds to the miners that submitted hash to SparkPool on that day." "To be responsible for both miners of SparkPool and the transaction sender, we decided to distribute the proceeds seven days after the transaction was mined, aka 15:30 June 17th (GMT+8)."

"Things I don't understand about the theory: Was the whitelisting supposed to be on a centralized front-end? If so, wouldn't it be weird that they could choose the gas amount? If not, why aren't we seeing contracts sending monies? Why didn't the owners empty to a WL earlier?" "The analysts argue that due to GoodCycle relying on a pyramid scheme, it makes sense why it has not come forward to claim the money, as that would erode trust in the platform from its users and subsequently collapse the venture."

"Jeff Liu, a co-founder of PeckShield, told Cointelegraph that GoodCycle is likely to be the victim of an attack, though he added that “there are still other possibilities, such [as] internal operation errors.”"

"As we guessed above, the hacker's ransomware attack process is likely to have been completed, and the code loopholes in this website have also been upgraded. We have to continue to use technical reasoning to reproduce the possible implementation process of this attack."

"A new upgrade to the client introduces a feature where the software rejects transactions with a fee higher than one ETH." "In order to prevent sending txs with a very high fee by accident the Geth team just introduced a new safety feature that will block sending txs with a fee > 1 ETH" "There are still ways a hacker could blackmail exchanges with fees. For instance, if the hacker were to spam the blockchain with multiple one ETH transactions, rather than a single huge transaction, it would still have the same net effect."

"For the project party, it is now the best choice to stand up and admit the mistake, seek help from the mining pool party to return the assets, and return the assets of the investment user . Relying on the support of the snowballing user Fomo will only delay the death, and sooner or later they will face legal trial one day."

"But in any case, such a project with the nature of a Ponzi scheme will have a thunderous day sooner or later. The PeckShield security team has exposed dozens of similar financial wallet scams including PlusToken, TokenStore, EOS ecosystem, etc., which all confirm this."

"But whether it is "internal trouble" or "foreign trouble", damage to user assets has become an established fact. PeckShield hereby reminds users that they should be cautious in participating in such projects with extremely low security levels. Even if their marketing model is attractive, it is likely to suffer disaster due to insufficient security and risk control, and it is not the project that will pay the price[, b]ut the [investors] who did not know the truth and were kept in the dark."

Good Cycle was a peer-to-peer cryptocurrency exchange based in South Korea. The platform appeared to be operating a ponzi scheme on the side. The website had notably weak security.

According to official reports, hackers blackmailed the operators of the website to send them money. When they refused, they exploited the website to send transactions with very high transaction fees. It may be that they may not have been able to change the amount withdrawn or the address of withdrawal (as those were secured), but instead could set the fees by modifying the packet. As a result, at least 2 high fee transactions were sent. Many sources reported a third transaction with high fees, however this could not be located on the blockchain. There was, however, one additional transaction to send 18,006 ETH, which appears to be moving the remaining wallet funds to a new wallet. There don't appear to be any further high fee transactions.

While Good Cycle did ultimately sent "I am the sender" messages to both mining pools, they failed to request the funds in time or this wasn't sufficient communication, and funds were distributed to miners. It's likely that making a formal request would have brought additional scrutiny to their ponzi scheme, and the funds lost were only a portion of what they held. Further information on the Good Cycle ponzi and outcome were very challenging to locate. Internet Archive did not show any record of the website continuing to operate past August 4th, 2020, and blockchain transactions stop shortly thereafter as well.

HOW COULD THIS HAVE BEEN PREVENTED?

Platform funds should be stored offline in a multi-signature wallet. Any hot wallet should be kept small to minimize potential losses. The security setup should be reviewed by 2 separate security experts, with a third after 6 months.

Backing of funds should also be analyzed periodically to ensure that platforms are not operating fractionally.

Check Our Framework For Safe Secure Exchange Platforms

Ethereum Transaction Hash (Txhash) Details | Etherscan (Jun 10)
Highest Ethereum Transaction Fee Ever? Someone Accidentally Paid a $2.5 Million Fee | Crypto Briefing (Jun 11)
Those Million Dollar Ethereum Transactions? Could Be a Hacked Exchange | Crypto Briefing (Jun 12)
Ethermine Accepts Mystery $2.5 Million Dollar Ethereum Transaction Fee | Crypto Briefing (Jun 15)
$5 Million ETH Transaction Sender Identified, Go Ethereum Offers Solution | Crypto Briefing (Jun 17)
How to lose $2.5M, twice (Jul 24)
https://etherscan.io/address/0x262e03ca0711d512a4fecb9f8f3c6c5e2c126c2c (Jul 24)
https://etherscan.io/address/0xcdd6a2b9dd3e386c8cd4a7ada5cab2f1c561182d (Jul 24)
https://etherscan.io/tx/0xe1b0cc5051a5cb5a0591dc0dccbeb065dc955a1670bbee1f6105238e38614e4e (Jul 24)
@amanusk_ Twitter (Jul 24)
@amanusk_ Twitter (Jul 24)
@amanusk_ Twitter (Jul 24)
@amanusk_ Twitter (Jul 24)
@amanusk_ Twitter (Jul 24)
@amanusk_ Twitter (Jul 24)
@amanusk_ Twitter (Jul 24)
@amanusk_ Twitter (Jul 24)
@Timccopeland Twitter (Jul 24)
Someone just made a $2.6 million mistake on Ethereum - Decrypt (Jul 24)
Alleged Ponzi Scheme Sent the $5 Million in Ether Gas Fees (Jul 25)
A Multi-Million Mystery: Likely ETH Fee ‘Victim’ Steps Into Spotlight (Jul 25)
Experts Divided on Second Ether Transaction With $2.6M Fee (Jul 25)
@etherchain_org Twitter (Jul 25)
@JohnNejamin Twitter (Jul 25)
Tx 0xc215b9356db58ce05412439f49a842f8a3abe6c1792ff8f2c3ee425c3501023c - etherchain.org - 2022 (Jul 25)
Account 0xcdd6a2b9dd3e386c8cd4a7ada5cab2f1c561182d - etherchain.org - 2022 (Jul 25)
https://mp.weixin.qq.com/s/OYSo0UxbTGalVTiZQzhS2Q (Jul 25)
https://coinmarketcap.com/currencies/ethereum/historical-data/ (Dec 21)
https://www.theblock.co/linked/68593/the-sender-of-5-million-ethereum-transaction-fees-has-revealed-itself (Jul 25)
Good Cycle (Jul 25)
Good Cycle (Jul 25)
Good Cycle (Jul 25)
Good Cycle (Jul 25)
Biggest Ponzi Schemes in the History of Crypto - AMBCrypto (Jul 25)
@peckshield Twitter (Jul 25)
Were Last Week's $5m Ethereum Transactions a Ransom Attempt? (Jul 25)
@etherchain_org Twitter (Jul 25)
cmd, eth, internal, les: add gasprice cap by rjl493456442 · Pull Request #21212 · ethereum/go-ethereum · GitHub (Jul 25)
https://cryptonews.com/news/sender-of-usd-5-3-million-eth-transactions-reportedly-reveal-6870.htm (Jul 25)
@sparkpool_eth Twitter (Jul 25)
@VitalikButerin Twitter (Jul 25)
$5.3 Million Ethereum Fees Sent by Korean “Ponzi Scheme” (Jul 25)
@0xminion Twitter (Jul 25)
Good Cycle is allegedly victim of Ethereum transactions at $5.2 million fees and is Ponzi scheme - AZCoin News (Jul 25)
The Mystery Unveiled: The Exchange That Sent The $5 Million Ethereum Fees Transactions (Jul 25)
ETH $2.6M transaction fee sender comes clean - CoinGeek (Jul 25)
P2P 'Ponzi Scheme' Exchange, Good Crypto, Is Behind the M Transaction Fees on Ethereum (Jul 25)
@sparkpool_eth Twitter (Jul 25)
https://etherscan.io/exportData?type=address&a=0x262e03ca0711d512a4fecb9f8f3c6c5e2c126c2c (Aug 31)
https://etherscan.io/txs?a=0x262e03ca0711d512a4fecb9f8f3c6c5e2c126c2c&p=83 (Aug 31)

More case studies

DeversiFi
Launch Exploit

HyperCapital
Ponzi Scheme