Bitstamp - Taint analysis

[fairglu]

What follows is a Bitstamp Hot Wallet from taint analysis

This is guesstimated, from blockchain analysis only, so take it with a shovel of salt and a critical eye.
It's at best an under-estimation, as the taint will naturally not affect all change addresses and other things, though from experience on altcoins, it's not usually complete bollocks either

Hot Wallet guesstimated Balance

day 01/01/2015 02/01/2015 03/01/2015 04/01/2015 05/01/2015

received 1,657.5 2,778.2 9,592.7 18,614.2 1,223.1

spent 934.9 2,553.8 9,033.8 21,122.9 1,338.7

balance 1,842.3 2,066.7 2,625.7 117.1 1.5

So apparently something happened on the 4th, either big external deposit(s) followed by larger withdrawal(s), or something that triggered a refill from a cold storage.

The hot wallet was then promptly cleared, with the high fee transactions that have been reported, though it's anyone's guess at this point if it was Bitstamp clearing it in panic mode, or a thief.

And below is recent guesstimated hot wallet history, the big bumps are (AFAICT) deposits from the large cold storage they created during their audit, so they're very likely artifacts more than real deposits. Those deposits were eventually compensated by withdrawals to likely cold storage addresses.

It shows Bitstamp aimed to keep between 500 and 2000 BTC in their hot wallet, so the hack occurring just after or during a "bump" to 20k BTC is suspicious.

[smithd98@gmail.com]

Thanks for the analysis!

It doesn't seem suspicious to me. It makes sense.

If I were going to steal coins and knew the target kept between 500 and 2k coins. I'd want to wait to steal until there were 2k coins (if possible) and try to trigger an event to make it fill to 2k (if possible) before stealing to maximize my illicit gains.

[btcisreal]

What I think is very weird about this whole mess is... How come no kind of custom firewall was programmed? This would be impossible if some simple filters would be put in place aswell as an automatic analysis tool in combination. This all happened in a day or so And no red flags at all? Okey... That's quite shocking.

Mr Kodrič should be worried for his own safety if this won't be repaid (speculating, not making threats).

[freebit13]

Could those 9000 coins moving through the wallet on the 3rd be the start of the crash? It lines up with the start of the price drop quite suspiciously... and it was a day before Stamp noticed anything. Perhaps he was already selling those 9000 coins when he stole the other 18000 the next day.

[aclass]

here is another one...

the 9k coins were a deposit from someone planning to crash the price. they cleared in the account and the dump started, but they also got stolen

[mayax]

here is another one...

the 9k coins were a deposit from someone planning to crash the price. they cleared in the account and the dump started, but they also got stolen

9k coins belong to Bitstamp. they wanted to crash the price. Price down, they earn a lot )

[jabetizo]

How did you get the hot wallet addresses? If you're just using addresses connected to the "hack address", it's normal that they have less traffic on other days (since you would be missing other hot wallet addresses).

[fairglu]

How did you get the hot wallet addresses? If you're just using addresses connected to the "hack address", it's normal that they have less traffic on other days (since you would be missing other hot wallet addresses).

It was based on prior taint analysis, not just the addresses related to the hack, though the hack did generate extra taint, it was minor in the grand scheme of things (at least 140k addresses in that wallet, counting tainted change addresses, it's one of the top 20 hot wallets)