Bitcoin Forum

Other => Beginners & Help => Topic started by: zarendahl on March 02, 2012, 07:54:04 AM



Title: Possible logic flaw in BTC heist
Post by: zarendahl on March 02, 2012, 07:54:04 AM
Due to rules relating to new posters, I'm stuck placing this here and hoping for the best.

http://blockexplorer.com/address/1Q3bsvTBcWF32Bt8FZgKAx7s43crvN9RVi

Has anyone else noticed that the funds from Slush's pool wound up here?  There is also a lot of transaction history, going back at least seven months, showing that there have been major transactions of a similar nature.

In several of these transactions the amounts seem almost trivial, until you find them all in one lump sum totaling 150,000 (One Hundred and Fifty Thousand) BTC getting broken down to amounts under 3,000 (Three Thousand) BTC.  The path woven by these sizable transactions is quite intricate, but that could easily be attributed to the nature of the BTC currency and its generation.

I have seen no evidence indicating any actual generation activity associated with these particular transactions.

http://blockexplorer.com/tx/309441d29fa84b912af1c02c44c6c72f7fe31da5cf6d5b8a453e8df6229240b9#o1

This transaction, dated 2012-02-14, shows one hell of a deposit being made to one address:

http://blockexplorer.com/address/1ELwS9w4B3vBPt7Mw5Her9GcBbzNMYqhy3

From here, the coins get dispersed to multiple accounts by simple division, and the amounts drop as low as <600 BTC being deposited.




I found this in a little over an hour of tracing, with no real experience mind you, using the transaction that Slush posted in the discussion board relating to the theft from his pool.  Near as I can tell, this kind of theft/piracy has been going on for a lot longer than people have been noticing/reporting.  And in far greater amounts than 43k BTC.


Title: Re: Possible logic flaw in BTC heist
Post by: finway on March 02, 2012, 08:54:06 AM
Of course, there're trojans collecting coins.


Title: Re: Possible logic flaw in BTC heist
Post by: zarendahl on March 02, 2012, 09:22:44 AM
Quote from: finway on March 02, 2012, 08:54:06 AM
Of course, there're trojans collecting coins.

No doubt that could be one possible, not to mention feasible, explanation.  Something about the route doesn't feel like it's completely automated.

While I could be way off base on this, some of the other transactions don't make much sense.  Something viral wouldn't be likely to take whole amounts that could be easily divided by someone in the fourth grade like that.  Could one be set up like that, certainly.  Would someone with an iota of sense set something up like that?  Not likely.  Would be simpler, not to mention harder to detect, to act like a CC skimmer.  Intercept the outgoing transaction before it hits the block stack, add a second transaction that rounds up to the nearest 0.1 and route that to whatever address you want.

The way those transactions shifted, it looked more like someone was manually doing the major shifts in currency.  I'll have to dig a bit deeper to see if something else shows up.  Who knows, it could be that we're both right and wrong on details.


Title: Re: Possible logic flaw in BTC heist
Post by: deepceleron on March 02, 2012, 10:30:26 AM
Zhoutong has admitted to having 43,000 BTC stolen. That will contribute to the size of the thief's balance. If you follow most coins back, it won't be long before you find that they were in an exchange or other service where they were part of huge balances. That is likely what you are discovering, exchange and pool wallets that are not the hacker's.


Title: Re: Possible logic flaw in BTC heist
Post by: kelsey on March 02, 2012, 12:57:02 PM
happy coincidence that a similarly large sum of btc was dumped at mt gox a few hours back? :(


Title: Re: Possible logic flaw in BTC heist
Post by: flip on March 02, 2012, 06:06:43 PM
BTC laundering service?


Title: Re: Possible logic flaw in BTC heist
Post by: Maged on March 02, 2012, 10:14:50 PM
Perhaps it is a BTC laundering service?
This is highly likely. Consider the output address of the 25k transaction (http://blockexplorer.com/tx/d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333#o1).
If this address really belonged to the hacker who stole the funds, he was extremely stupid to send the funds to this address. The reason why I say this is because the address has activity all the way back to December 20, all of which could be backtraced. However, we already know that the attacker was incredibly smart, especially in regards to Bitcoin. It also turns out that this is the first address in the chain that we don't know for sure whether it's controlled by the attacker. So, either he's showing off how much he's stolen from people already, or that address is owned by an underground bitcoin laundering service specifically designed for stolen bitcoins. Why must it be underground? Because all of the public services don't have enough volume to effectively launder money. It also isn't likely the Silk Road laundry. The hacker wouldn't want to risk receiving other people's tainted coins and be forced to identify themselves because of that - any leak of identity could eventually be traced back to him. Because the hacker probably wants to actually spend their money, it wouldn't surprise me if the hacker outsourced the need to forever spend the funds only anonymously to a third party at a significant discount. In exchange, the new owner of these funds provides the hacker with clean, freshly mined funds. If this was agreed on well in advance, the funds could have been sent or even directly mined to special public keys that were constructed with two separate parts of a private key using ECC math, essentially putting the funds in escrow. Upon completion, the launderer could provide the other part of the private key and the network would never end up recording a transfer after the hack happened.

Of course, the hacker could also be the launderer and have no problem with being forced to spend the coins anonymously.


Title: Re: Possible logic flaw in BTC heist
Post by: Jela on March 05, 2012, 03:40:37 PM
Some of the intermediary addresses could also be previously used addresses of normal people who got hacked. They could be the target of accusations if they are known and there is a connection between a used bitcoin address and their name. There are many possibilities...
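
The caution raised in deepceleron's, Maged's and Jela's replies, as an added example that is not part of the original thread: a forward trace that stops at any address with activity before the incident, because such an address may be a shared service wallet or an unrelated user and its owner is unknown. The ledger, address names, dates and amounts are constructed for illustration.

```python
from collections import deque
from datetime import date

# Constructed sample ledger, not real chain data:
# (txid, day, input addresses, {output address: BTC})
TXS = [
    ("t0", date(2011, 12, 20), ["userA"], {"svc": 900.0}),
    ("t1", date(2012, 1, 15), ["userB"], {"svc": 4000.0}),
    ("t2", date(2012, 3, 1), ["pool"], {"hop1": 3000.0}),
    ("t3", date(2012, 3, 1), ["hop1"], {"hop2": 2500.0, "hop3": 500.0}),
    ("t4", date(2012, 3, 2), ["hop2"], {"svc": 2500.0}),
    ("t5", date(2012, 3, 2), ["svc"], {"userC": 1200.0}),
]

def first_seen(txs):
    """Earliest date each address appears as an input or an output."""
    seen = {}
    for _, day, ins, outs in txs:
        for addr in list(ins) + list(outs):
            seen[addr] = min(seen.get(addr, day), day)
    return seen

def trace_forward(txs, source, incident_day):
    """Follow post-incident outputs from `source`.

    Returns {address: (label, btc_received_from_traced_flow)}. Tracing stops
    at any address that was active before the incident.
    """
    seen = first_seen(txs)
    result, done_txs = {}, set()
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        for txid, day, ins, outs in txs:
            if addr not in ins or day < incident_day or txid in done_txs:
                continue
            done_txs.add(txid)  # count each transaction once
            for dest, btc in outs.items():
                label, total = result.get(dest, (None, 0.0))
                if label is None:
                    label = "pre-existing" if seen[dest] < incident_day else "fresh"
                    if label == "fresh":
                        queue.append(dest)  # only keep following new addresses
                result[dest] = (label, total + btc)
    return result

if __name__ == "__main__":
    for addr, info in trace_forward(TXS, "pool", date(2012, 3, 1)).items():
        print(addr, info)
```

In the sample, the trace ends at `svc` and never reaches `userC`: coins leaving a pre-existing wallet are mixed with other people's balances, so anything downstream of it cannot be attributed from the graph alone.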