| submitted by /u/pilotfo
Decided to have a look at what we could learn about the Tether hack from the blockchain, the coins are still moving around so I may edit this later as this develops.
It actually starts with this wallet here:
Look familiar? Go to the last page, that was the wallet used to steal 19000BTC from Bitstamp back in January 2015 (and which was still receiving coins from Bitstamp as recently as September, well done guys).
This wallet made two transactions, the first is fairly innocuous but I'll come back to it later:
This address then sends out a further 0.01BTC:
The following morning it sends 0.01 to the address that was several hours later used to empty the Tether wallet:
I'm not quite sure why they would make a deposit like this to it hours before – perhaps to test that everything is working?
At 10:53, the wallet makes several transactions transferring 23 million tethers from the tether wallet:
Then at 11:10 they transfer another 7.9 million tethers. A further 50,000 tethers are transferred over at 11:54.
At 12:01, 5BTC (the bulk of the bitcoin in the tether wallet) is transferred over to the same address:
These tethers are then transferred over to the address in the Tether announcement as their relevant blocks are confirmed.
The 5BTC is also transferred to this address in amounts of roughly 1BTC per transaction:
Following the BTC along, you arrive back at an address from before, which is confirmed to be part of the wallet holding the stolen Tether:
It's worth noting that this same address was just used to create an Omni token called lioncoin:
The BTC from the tether wallet ended up in these addresses:
I will update this post as more develops.
This wallet from the Tether and Bitstamp hacks seems to be owned by the same person who took 8500BTC from Huobi in late 2015, interesting…
Before he was taking thousands of BTC off exchanges and sending it to BTC-e, he also used to sell much smaller amounts on Localbitcoins.
So Localbitcoins guys, if you have a log of who was using this address back in 2015, you've got the hacker 😉
So I was asked whether this could be an inside job.
Well, maybe? I don't think there's enough evidence from chain analysis alone to draw a conclusion.
Some of the transactions which funded the lioncoin address came from an old Bitfinex wallet, and some came from the bitstamp hack address. Bear in mind that this is part of the same wallet that the stolen tethers were sent to.
Also if you look at the tether address you'll notice that when other blocks of tether were released they were quickly transferred to the Bitfinex wallet, with this 30 million being the exception, that said in prior months they had regularly left millions of tether in this address for days at a time, so this isn't necessarily a red flag.
It could be that the attacker had access to the main tether issuance address (3MbYQMM etc) or it may just be that they noticed the 30 million tethers sat on the wallet that they could manipulate. Presumably Tether know whether or not they intended to make this transaction. Without knowing that we can only speculate on whether the compromise went beyond the address that was emptied.