
Visualizing the transactions behind the $31m Tether hack

Author
Max Galka
Date
Nov 22, 2017

While reading up on the recent $31M Tether hack, we stumbled upon an excellent example of chain analysis posted by Reddit user SpeedflyChris.

By following the transaction flows through the Bitcoin and Omni blockchains, the analysis lays out the timeline of the events leading up to and following the attack. It also manages to link the attacker to:

Kudos SpeedflyChris!

The analysis is well explained and meticulously documented. However, written narratives of blockchain transactions don't make for easy reading. So, we've supplemented SpeedflyChris's commentary with a series of graphics visualizing the transactions.

The Tether hack, visualized

All blue text below has been reproduced from Reddit.

Italics are for comments we've added for clarification.

Tether treasury wallet and Bitstamp attacker

It actually starts with this wallet[1] here:

https://www.walletexplorer.com/wallet/12f4885dad525cc1

Look familiar? Go to the last page: that was the wallet used to steal 19,000 BTC from Bitstamp back in January 2015 (and which was still receiving coins from Bitstamp as recently as September, well done guys).

Tether attacker transfers bitcoin

This wallet made two transactions, the first is fairly innocuous but I'll come back to it later:

https://www.walletexplorer.com/txid/7b46c7....

This address then sends out a further 0.01BTC 0.2 BTC

https://www.walletexplorer.com/address/31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv

Another bitcoin movement

The following morning it sends 0.01 to the address that was several hours later used to empty the Tether wallet[2]:

https://www.walletexplorer.com/address/1LBQpqUTEmdPTH8adaV6xS8KQt6FGCD3xD

I'm not quite sure why they would make a deposit like this to it hours before - perhaps to test that everything is working?

Looks like the attacker wanted to make sure this address had enough bitcoin to pay transaction fees, which would be needed to move the Tether it was about to receive.

Tether token hack frame 4

At 10:53, the wallet makes several transactions transferring 23 million tethers from the tether wallet:

https://omniexplorer.info/lookupadd.aspx?address=31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv

Tether hack frame 5

Then at 11:10 they transfer another 7.9 million tethers.

Tether hack frame 6

A further 50,000 tethers are transferred over at 11:54.

Tether hack - final lot of stolen tethers

At 12:01, 5 BTC (the bulk of the bitcoin in the tether wallet) is transferred over to the same address:

https://www.walletexplorer.com/txid/e7e09cd092a5febdcae6b2ec76b06389c29298ed237dd1f210e1e54f096f1f92

Tether hack - attacker address

These tethers are then transferred over to the address in the Tether announcement as their relevant blocks are confirmed.

https://omniexplorer.info/lookupadd.aspx?address=16tg2RJ...

Tether hack frame 9

The 5 BTC is also transferred to this address in amounts of roughly 1 BTC per transaction:

https://www.walletexplorer.com/address/31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv

Tether hack frame 10

Following the BTC along, you arrive back at an address from before, which is confirmed to be part of the wallet holding the stolen Tether:

https://blockchain.info/tx/eeaf8b9c6288c28c481d6e37d687b5c42b0222fb3d8a73bdca81c1a12243c579

It's worth noting that this same address was just used to create an Omni token called lioncoin: https://omniexplorer.info/lookupsp.aspx?sp=2147484016

Tether hack - three bitcoin addresses

The BTC from the tether wallet ended up in these addresses:

https://blockchain.info/address/1HtmVRdFRqPScH7Ud6UFR6HUcndksjVmua
https://blockchain.info/address/155KG55pRsV1Y9jdwwynfGHGqR9cqPKToB
https://blockchain.info/address/1M8b8BNMEMFFem9UQpZydoespHzXjAnC9t

All transactions viewed together

Tether hack data visualization

Footnotes
  1. Here, "wallet" refers to a collection of Bitcoin addresses that are owned by the same person (not to be confused with a multisig "wallet"). The address shown in the graph (1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf) is not the one that carried out the Bitstamp hack (16KYFJiAoM4aX82xw2V3YBHX72trWNhz48). But since their funds were commingled in an earlier transaction, they are very likely to have the same owner and can therefore be treated as one and the same.
  2. In this case, "wallet" has a different meaning. Tether's wallet, the target of the attack, is a multisig wallet, a single Bitcoin address requiring signoff by 3 of its 4 owners in order to make an outgoing transaction.
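As an added illustration (not part of the article or of SpeedflyChris's post), the Python below sketches the two steps the analysis rests on: clustering addresses into one "wallet" in the sense of footnote 1 (addresses spent together as inputs of one transaction are assumed to share an owner) and following outputs forward as in the "Following the BTC along" step. Every transaction id, address and amount here is constructed for the example.

```python
# Added example: common-input-ownership clustering plus forward tracing over
# a constructed transaction set. Txids, addresses and amounts are made up.
from collections import defaultdict

# Constructed sample transactions: (txid, input addresses, [(output address, BTC)]).
TXS = [
    ("tx_a", ["addrA1", "addrA2"], [("addrX", 0.2)]),   # A1 and A2 spent together
    ("tx_b", ["addrA2", "addrA3"], [("addrY", 0.01)]),  # A2 and A3 spent together
    ("tx_c", ["addrY"], [("addrZ", 0.009)]),            # Y moved on, minus a fee
    ("tx_d", ["addrB1"], [("addrA3", 1.0)]),            # unrelated funder of A3
]

class Clusters:
    """Union-find over addresses; all inputs of one tx are merged."""
    def __init__(self):
        self.parent = {}
    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def wallet_of(txs, addr):
    """Addresses clustered with `addr` (footnote 1's 'wallet'). Caveat: CoinJoin-style
    transactions mix unrelated owners' inputs, so treat a cluster as a lead to confirm."""
    c = Clusters()
    for _, inputs, _ in txs:
        for a in inputs:
            c.union(inputs[0], a)
    root = c.find(addr)
    return frozenset(a for a in c.parent if c.find(a) == root)

def trace_outputs(txs, start):
    """Follow funds forward from `start` through every tx spending it and
    return the addresses where the trail ends (never spent within `txs`)."""
    spends = defaultdict(list)  # address -> output lists of txs that spend it
    for _, inputs, outputs in txs:
        for a in inputs:
            spends[a].append(outputs)
    seen, frontier, ends = set(), [start], set()
    while frontier:
        a = frontier.pop()
        if a in seen:
            continue
        seen.add(a)
        if not spends[a]:
            ends.add(a)
        for outs in spends[a]:
            frontier.extend(out_addr for out_addr, _ in outs)
    return ends
```

Running `wallet_of(TXS, "addrA1")` groups A1, A2 and A3 into one wallet even though A1 and A3 never appear in the same transaction, which is exactly the commingling argument footnote 1 makes.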