Visualizing the transactions behind the $31m Tether hack

Max Galka
Nov 22, 2017

While reading up on the recent $31M Tether hack, we stumbled upon an excellent example of chain analysis posted by Reddit user SpeedflyChris.

By following the transaction flows through the Bitcoin and Omni blockchains, the analysis lays out the timeline of the events leading up to and following the attack. It also manages to link the attacker to:

Kudos SpeedflyChris!

The analysis is well explained and meticulously documented. However, written narratives of blockchain transactions don't make for easy reading. So, we've supplemented SpeedflyChris's commentary with a series of graphics visualizing the transactions.

The Tether hack, visualized

All blue text below has been reproduced from Reddit.

Italics are for comments we've added for clarification.

Tether treasury wallet and Bitstamp attacker

It actually starts with this wallet1 here:

Look familiar? Go to the last page, that was the wallet used to steal 19000BTC from Bitstamp back in January 2015 (and which was still receiving coins from Bitstamp as recently as September, well done guys).

Tether attacker transfers bitcoin

This wallet made two transactions, the first is fairly innocuous but I'll come back to it later:

This address then sends out a further 0.01BTC 0.2 BTC

Another bitcoin movement

The following morning it sends 0.01 to the address that was several hours later used to empty the Tether wallet2:

I'm not quite sure why they would make a deposit like this to it hours before - perhaps to test that everything is working?

Looks like the attacker wanted to make sure this address had enough bitcoin to pay transaction fees, which would be needed to move the Tether it was about to receive.

Tether token hack frame 4

At 10:53, the wallet makes several transactions transferring 23 million tethers from the tether wallet:

Tether hack frame 5

Then at 11:10 they transfer another 7.9 million tethers.

Tether hack frame 6

A further 50,000 tethers are transferred over at 11:54.

Tether hack - final lot of stolen tethers

At 12:01, 5BTC (the bulk of the bitcoin in the tether wallet) is transferred over to the same address:

Tether hack - attacker address

These tethers are then transferred over to the address in the Tether announcement as their relevant blocks are confirmed.

Tether hack frame 9

The 5BTC is also transferred to this address in amounts of roughly 1BTC per transaction:

Tether hack frame 10

Following the BTC along, you arrive back at an address from before, which is confirmed to be part of the wallet holding the stolen Tether:

It's worth noting that this same address was just used to create an Omni token called lioncoin:

Tether hack - three bitcoin addresses

The BTC from the tether wallet ended up in these addresses:

All transactions viewed together

Tether hack data visualization
  1. Here, "wallet" refers to a collection of Bitcoin addresses that are owned by the same person (not to be confused with a multisig "wallet"). The address shown in the graph (1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf) is not the one that carried out the Bitstamp hack (16KYFJiAoM4aX82xw2V3YBHX72trWNhz48). But since their funds were commingled in an earlier transaction, they are very likely to have the same owner and can therefore be treated as one and the same.
  2. In this case, "wallet" has a different meaning. Tether's wallet, the target of the attack, is a multisig wallet, a single Bitcoin address requiring signoff by 3 of its 4 owners in order to make an outgoing transaction.