The Wasabi Wallet coordinator experienced a DDoS (Distributed Denial of Service) attack on June 6th, 2021, resulting in a backend downtime of roughly 4 hours. It also caused some difficulties accessing certain software services.

The Wasabi Wallet team’s timeline as well as explanations given to address the issue are detailed in this post.

The problem has been resolved, and the system servers are back online.

What happened?

The Wasabi Wallet team received an alert email from the hosting server on June 6th, 2021, at approximately 16:00 UTC, informing us that we were experiencing a massive DDoS attack and that, for security reasons, traffic would be analysed to assess the extent of the attack.

In a Distributed Denial of Service attack, the incoming traffic flooding the victim originates from many different sources (like a botnet). This effectively makes it impossible to stop the attack simply by blocking a single source or IP.

Graphical Timeline for the Actions During the Attack

Timeline (UTC)

  • About 16:00:00 – DDoS attack started
  • 16:02:17 – We received a message from our server host regarding a Denial of Service notification
  • About 16:04:00 – Due to the size and scale of the DDoS, network connectivity of the server was automatically and temporarily suspended for 3 hours in an effort to mitigate the attack
  • 16:05:31 – Received a “Connection timeout” alert about a period of downtime from Uptime Robot
  • 16:08:26 – Wasabi team detects DDoS attack and starts communication in a private channel
  • 16:13:13 – Server shutdown
  • 17:23:28 – Wasabi team started an Emergency meeting
  • 19:03:18 – Server goes back online after 3 hours as scheduled – Wasabi Wallet team starts to implement security measures to mitigate the DDoS and cut off the attacker
  • 19:04:02 – Received alert about partial restoration of services from Uptime Robot
  • Between 19:04:02 and 20:45:38 – Wasabi Wallet team heroically defends the server by implementing security measures while still being attacked by the botnets of zombie computers
  • 20:46:03 – The security measures seemed to stop the attack, but later investigation found no causal relationship between the attack stopping and the hotfixes

Some data about the DDoS attack:

Attack intensity: several million packets per second (Mpps)
Bandwidth involved: several Gigabits per second (Gbps)
Total downtime: 4 hours and 42 minutes

Conclusion

Wasabi Wallet is a well known non-custodial wallet. This means that the users are always in control of their private keys and thus, their funds. When running Wasabi for the first time, the user is given a piece of information called a “seed” and is instructed to write it down to recover their funds in case of an emergency. Also, the user can always export single private keys belonging to single addresses to recover specific UTXOs (Unspent Transaction Outputs). Users always have complete control over their funds through their private keys.

Hence, Wasabi Wallet users’ funds were always safe throughout the entire attack. The downtime only affected Wasabi Wallet backend services like:

DDoS attacks are a serious thing and it’s really difficult to fully defend against this type of attack.
Satoshi Nakamoto left the Bitcoin community ten years ago on December 12, 2010, with his final message about adding some DoS (Denial of Service) features saying that “there’s more work to do on DoS”.

Cyber attacks are an inevitability. They will always exist and sadly, no one has the ability to halt or control them. There is still a lot of work to be done to continue maintaining the security of Wasabi Wallet. Wasabi Wallet makes it a top priority to protect users from similar threats and thus, Wasabi Wallet’s team is constantly working to provide the highest level of security and privacy.