BitStamp Theft - Two Weeks Later
Before I get into the analysis I'd like to thank all of you who have found me in the past two weeks. What used to be a sleepy and infrequent technical blog resulted in a story on CoinDesk (where they took my analysis and re-told it in a form even an e-mail administrator can understand), an interview on The Bitcoin Game podcast over at Let's Talk Bitcoin, and I even got a name-drop on GigaOm. As always your interest and feedback
BitStamp Theft From Old Wallet Addresses is Still Ongoing
Now that it's been over two weeks since the hack you would think that people have received the memo to not use their old BitStamp deposit addresses or at least to not put large sums of bitcoin in them. You would be wrong.
Last Friday there was a 700 BTC deposit that was caught up in the heist. Check out the block numbers and transaction time. It was stolen in the block after the one it was confirmed in, and it was stolen in 3 minutes flat from the confirmation of the previous transaction. Also, this wasn't an account that has been stolen from before; this is the first transaction to the theft wallet for this address.
One obvious question is "was this a customer?" I consider them a Bitstamp customer because they have shared transactions with other affected accounts before. One such transaction is 311f9f which shared inputs with 18dsZT and 1BPezx, both of which were "
They have been at this address with Bitstamp for over a year now and have made several sizable deposits before.
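The reasoning above, that addresses spent together as inputs of one transaction are controlled by the same party, is the common-input-ownership heuristic. The sketch below is an added example, not code from this blog or its tooling: it clusters addresses with union-find over constructed sample transactions. `311f9f`, `18dsZT` and `1BPezx` are the truncated labels from the text; `DEPOSITOR` and every other name are placeholders.

```python
# Common-input-ownership clustering over constructed sample transactions.
from collections import defaultdict

# Constructed sample data: tx id -> addresses that signed its inputs.
# "311f9f", "18dsZT" and "1BPezx" are the truncated labels from the post;
# "DEPOSITOR" stands in for the 700 BTC deposit address, which the post
# does not name. All other entries are invented for the example.
SAMPLE_TXS = {
    "311f9f": ["DEPOSITOR", "18dsZT", "1BPezx"],
    "tx_b": ["1BPezx", "addr_X"],
    "tx_c": ["addr_Y", "addr_Z"],
    "tx_d": ["addr_W"],
}

def cluster_by_shared_inputs(txs):
    """Union-find: addresses spent together in one tx share a cluster."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for inputs in txs.values():
        if not inputs:  # e.g. coinbase transactions have no spending address
            continue
        first = find(inputs[0])
        for addr in inputs[1:]:
            parent[find(addr)] = first  # merge into the first input's cluster

    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return list(clusters.values())

def same_entity(txs, a, b):
    """True if the heuristic places a and b in one cluster."""
    return any(a in c and b in c for c in cluster_by_shared_inputs(txs))

if __name__ == "__main__":
    for cluster in cluster_by_shared_inputs(SAMPLE_TXS):
        print(sorted(cluster))
```

The heuristic is transitive, so one shared input pulls `addr_X` into the same cluster as `DEPOSITOR`; collaborative transactions such as CoinJoin break the assumption and produce false merges.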
This transaction is actually relevant for reasons other than its loss. On my
Stolen Coins Continue to be Spent
The last time I looked at the outputs I saw only three locations where you could confirm they were being mixed with other coins. Now, the spending is going on in earnest all over the place. I considered doing a comprehensive analysis of the particular places they were mixed, but that would take way too many words to write about.
As of block number 339205, which cleared on or about Friday 16 Jan 2015 at 5:33 GMT, a rounded total of 19,940 BTC has been deposited in the 1L2Js theft address. About 95% of those stolen coins have been spent out of that address. For the most
One interesting outbound transaction from the theft involves 1 BTC that has been sent to the Sarutobi iOS game. This is a game that rewarded players with
All of the transactions not on the top line are 100% derived from the stolen coins, all the way to the very bottom row. And it gets even more insane when you go down some of those chains I didn't expand after Sarutobi split it up into quarters. For these four peel chains, until it hits the user's wallet for those transactions, the bitcoins have a 100% taint from the theft address. And those peel chains down the 3MXxfN paths are insanely long, some of the longest peel chains on the blockchain. And those have all been formed in the last three weeks.
Unless something else interesting happens with the Bitstamp theft coins, I don't see myself returning to report on their propagation across the blockchain. There
If you know of any interesting transactions on the blockchain that may benefit from a visual analysis, feel free to drop me a line at email@example.com or tweet me at @Numisight and I'll take a look at it. I cannot guarantee blog coverage if I don't find any entertaining findings. I am also open to paid investigations or paid consulting relating to blockchain analysis, and I can be as public or confidential as you desire. For these inquiries please send email to firstname.lastname@example.org.