By following the transaction flows through the Bitcoin and Omni blockchains, the analysis lays out the timeline of the events leading up to and following the attack. It also manages to link the attacker to:
- the theft of 19,000 BTC from Bitstamp in 2015
- the creation of an Omni token called lioncoin (Ponzi scheme perhaps?)
- a series of transactions on LocalBitcoins.com
- a history of crypto-money laundering via the now-defunct BTC-e exchange.
The analysis is well explained and meticulously documented. However, written narratives of blockchain transactions don't make for easy reading. So, we've supplemented SpeedflyChris's commentary with a series of graphics visualizing the transactions.
The Tether hack, visualized
All blue text below has been reproduced from Reddit.
Italics are for comments we've added for clarification.
It actually starts with this wallet[1] here:
Look familiar? Go to the last page; that was the wallet used to steal 19,000 BTC from Bitstamp back in January 2015 (and which was still receiving coins from Bitstamp as recently as September, well done guys).
This wallet made two transactions; the first is fairly innocuous, but I'll come back to it later:
This address then sends out a further
[Transaction graphic: outputs of 0.01 BTC and 0.2 BTC]
The following morning it sends 0.01 to the address that was several hours later used to empty the Tether wallet[2]:
I'm not quite sure why they would make a deposit like this to it hours before - perhaps to test that everything is working?
Looks like the attacker wanted to make sure this address had enough bitcoin to pay transaction fees, which would be needed to move the Tether it was about to receive.
At 10:53, the wallet makes several transactions transferring 23 million tethers from the tether wallet:
Then at 11:10 they transfer another 7.9 million tethers.
A further 50,000 tethers are transferred over at 11:54.
At 12:01, 5 BTC (the bulk of the bitcoin in the tether wallet) is transferred over to the same address:
These tethers are then transferred over to the address in the Tether announcement as their relevant blocks are confirmed.
The 5 BTC is also transferred to this address in amounts of roughly 1 BTC per transaction:
Following the BTC along, you arrive back at an address from before, which is confirmed to be part of the wallet holding the stolen Tether:
It's worth noting that this same address was just used to create an Omni token called lioncoin: https://omniexplorer.info/lookupsp.aspx?sp=2147484016
The BTC from the tether wallet ended up in these addresses:
- https://blockchain.info/address/1HtmVRdFRqPScH7Ud6UFR6HUcndksjVmua
- https://blockchain.info/address/155KG55pRsV1Y9jdwwynfGHGqR9cqPKToB
- https://blockchain.info/address/1M8b8BNMEMFFem9UQpZydoespHzXjAnC9t
All transactions viewed together
[1] Here, "wallet" refers to a collection of Bitcoin addresses that are owned by the same person (not to be confused with a multisig "wallet"). The address shown in the graph (1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf) is not the one that carried out the Bitstamp hack (16KYFJiAoM4aX82xw2V3YBHX72trWNhz48). But since their funds were commingled in an earlier transaction, they are very likely to have the same owner and can therefore be treated as one and the same.
[2] In this case, "wallet" has a different meaning. Tether's wallet, the target of the attack, is a multisig wallet, a single Bitcoin address requiring signoff by 3 of its 4 owners in order to make an outgoing transaction.
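The commingling rule in the first footnote above (addresses spent together as inputs of one transaction are treated as one wallet) is the common-input-ownership heuristic; the following is an added example of it, not code from the original post or from Elementus. The two addresses quoted from the page are real, but every other address and every transaction below is a constructed stand-in, and the union-find clustering and the outflow tally are this example's own assumptions about how such an analysis is built.

```python
"""Common-input-ownership clustering over a constructed transaction set."""
from collections import defaultdict

# Two addresses named on the page; the rest are constructed placeholders.
BITSTAMP_HACK = "16KYFJiAoM4aX82xw2V3YBHX72trWNhz48"
GRAPH_WALLET = "1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf"
DRAIN_ADDR = "addr_drain_CONSTRUCTED"      # stand-in for the address that later emptied the Tether wallet
CASHOUT_ADDR = "addr_cashout_CONSTRUCTED"
OTHER_ADDR = "addr_other_CONSTRUCTED"

# Constructed sample transactions: (txid, input addresses, [(output address, btc)])
SAMPLE_TXS = [
    ("tx1", [BITSTAMP_HACK, GRAPH_WALLET], [(OTHER_ADDR, 1.5)]),         # commingling spend
    ("tx2", [GRAPH_WALLET], [(DRAIN_ADDR, 0.01), (GRAPH_WALLET, 0.2)]),  # fee top-up plus change
    ("tx3", [DRAIN_ADDR, GRAPH_WALLET], [(CASHOUT_ADDR, 4.9)]),          # joint spend links drain addr
]

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_addresses(txs):
    """Return {address: frozenset(cluster)} for every address that ever appears as an input.
    A single-input transaction (tx2) links nothing; only co-spending merges clusters."""
    uf = UnionFind()
    for _, inputs, _ in txs:
        for addr in inputs:
            uf.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}

def same_owner(clusters, a, b):
    """True when both addresses were clustered together (an unspent-from address is never clustered)."""
    return a in clusters and clusters[a] == clusters.get(b)

def outflow(txs, clusters, addr):
    """Total BTC leaving addr's cluster; change and intra-cluster moves are excluded."""
    members = clusters[addr]
    return round(sum(btc for _, inputs, outs in txs if any(i in members for i in inputs)
                     for dest, btc in outs if dest not in members), 8)
```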
Blockchains are not designed to be read by humans. Enter Elementus.
Our technology surfaces actionable insights directly from the blockchain, identifying security vulnerabilities, exposing bad actors, and providing market intelligence for smarter digital investments.