Bitstamp Hot Wallet Theft - 2 to 5 Jan 2015
From 4 Jan to 6 Jan 2015 Bitstamp experienced a loss of nearly 19,000 Bitcoins from
First, this address was not seen prior to 4 Jan 2015, and within 24 hours it had amassed nearly
A graph of the transactions that involve the alleged address shows a lot of interaction between other addresses.
Older transactions tend to be to the right of this graph, and they form peel chains that in some cases are combined multiple times into one transaction. It is interesting to note that some of the transactions form exact sums of the collected coins. To the left of the
One of the concerns on the
If anything, coins are being moved into cold storage, based on the uptick on 4 Jan 2015, so there is no evidence of a cold storage leak.
So how could this happen? (Warning: baseless speculation follows.) There are two ways this could be done. First, the private keys of the input addresses could have been leaked. This would be consistent with their request to stop deposits. The other possibility is that the attackers are somehow inducing Bitstamp's software to send all the bitcoins to an address of their choosing.
What would indicate private key compromise is continued activity and continued theft. While we see continued activity on 6 January 2015, it appears to be of the "dust tagging" variety. Consider this peel chain:
100 bits are peeled off four times from the same source address. This is not consistent with the earlier transactions where the change addresses were
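The check below flags the pattern described above, a single source address that repeatedly peels off dust-sized outputs. It is an added example, not code from the original analysis. The transactions, addresses and txids are constructed placeholders, and the one-spending-address-per-transaction model and the `find_dust_peels` helper are assumptions made for illustration.

```python
from collections import defaultdict

SATOSHI_PER_BIT = 100  # 1 bit = 1 microbitcoin = 100 satoshi

# Constructed sample data; addresses and txids are placeholders.
# Simplified model: one spending address per transaction, values in satoshi.
SAMPLE_TXS = [
    # Same source address spent four times, 100 bits peeled each time.
    {"txid": "t1", "src": "SRC_A", "outs": [("TAG_1", 10_000), ("SRC_A", 990_000)]},
    {"txid": "t2", "src": "SRC_A", "outs": [("TAG_2", 10_000), ("SRC_A", 970_000)]},
    {"txid": "t3", "src": "SRC_A", "outs": [("TAG_3", 10_000), ("SRC_A", 950_000)]},
    {"txid": "t4", "src": "SRC_A", "outs": [("TAG_4", 10_000), ("SRC_A", 930_000)]},
    # Peel chain whose change moves to a new address at every hop.
    {"txid": "t5", "src": "HOP_0", "outs": [("PAY_1", 50_000_000), ("HOP_1", 950_000_000)]},
    {"txid": "t6", "src": "HOP_1", "outs": [("PAY_2", 50_000_000), ("HOP_2", 900_000_000)]},
    # A single small payment; one occurrence is not a pattern.
    {"txid": "t7", "src": "SRC_B", "outs": [("PAY_3", 10_000), ("CHG_B", 500_000)]},
]


def find_dust_peels(txs, max_bits=100, min_repeats=4):
    """Return {source: [(txid, recipient, satoshi), ...]} for sources that
    repeatedly send dust-sized outputs to other addresses."""
    limit = max_bits * SATOSHI_PER_BIT
    peels = defaultdict(list)
    for tx in txs:
        for addr, value in tx["outs"]:
            # Ignore change returned to the spender; keep small outputs only.
            if addr != tx["src"] and 0 < value <= limit:
                peels[tx["src"]].append((tx["txid"], addr, value))
    return {src: hits for src, hits in peels.items() if len(hits) >= min_repeats}


if __name__ == "__main__":
    for src, hits in find_dust_peels(SAMPLE_TXS).items():
        print(src, "peeled", len(hits), "times:", hits)
```

Raising `max_bits` or lowering `min_repeats` widens the net, which is useful when the peeled amount varies between hops.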
Second, there is evidence of deposit addresses not being cleared out after the bulk of the movements
There were five deposits that were stolen
So why didn't Bitstamp simply pull the plug the moment they were sure they were hacked? Maybe they did and this was just the remaining transactions propagating through the system. Or perhaps they were attempting to sweep what they could to their cold storage. There was over 6,000 BTC of movement into cold storage near the tail end of the hack, representing $1.5 million of value saved.
It could have been worse.
This analysis was performed when the blockchain was at height 337832, so any transactions after that block are not reflected in this post.