Bitcoin Forum
December 03, 2022, 01:29:49 PM *
News: Reminder: do not keep your money in online accounts
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Bitstamp - Taint analysis  (Read 1612 times)
fairglu (OP)
Legendary
*
Offline Offline

Activity: 1100
Merit: 1030


View Profile WWW
January 05, 2015, 08:51:50 PM
 #1

What follows is a Bitstamp Hot Wallet from taint analysis

This is guesstimated, from blockchain analysis only, so take it with a shovel of salt and a critical eye.
It's at best an under-estimation, as the taint will naturally not affect all change addresses and other things, though from experience on altcoins, it's not usually complete bollocks either Wink

Hot Wallet guesstimated Balance
day
01/01/2015
02/01/2015
03/01/2015
04/01/2015
05/01/2015
received
1,657.5
2,778.2
9,592.7
18,614.2
1,223.1
spent
934.9
2,553.8
9,033.8
21,122.9
1,338.7
balance
1,842.3
2,066.7
2,625.7
117.1
1.5

So apparently something happened on the 4th, either big external deposit(s) followed by larger withdrawal(s), or something that triggered a refill from a cold storage.

The hot wallet was then promptly cleared, with the high fee transactions that have been reported, though it's anyone's guess at this point if it was Bitstamp clearing it in panic mode, or a thief.

And below is recent guesstimated hot wallet history, the big bumps are (AFAICT) deposits from the large cold storage they created during their audit, so they're very likely artifacts more than real deposits. Those deposits were eventually compensated by withdrawals to likely cold storage addresses.

It shows Bitstamp aimed to keep between 500 and 2000 BTC in their hot wallet, so the hack occurring just after or during a "bump" to 20k BTC is suspicious.


Bitcoin mining is now a specialized and very risky industry, just like gold mining. Amateur miners are unlikely to make much money, and may even lose money. Bitcoin is much more than just mining, though!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
smithd98@gmail.com
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile WWW
January 06, 2015, 01:25:13 AM
 #2

Thanks for the analysis!

It doesn't seem suspicious to me. It makes sense.

If I were going to steal coins and knew the target kept between 500 and 2k coins. I'd want to wait to steal until there were 2k coins (if possible) and try to trigger an event to make it fill to 2k (if possible) before stealing to maximize my illicit gains.
btcisreal
Newbie
*
Offline Offline

Activity: 20
Merit: 0


View Profile
January 06, 2015, 04:10:42 AM
 #3

What I think is very weird about this whole mess is... How come no kind of custom firewall was programmed? This would be impossible if some simple filters would be put in place aswell as an automatic analysis tool in combination. This all happened in a day or so Huh And no red flags at all? Okey... That's quite shocking.

Mr Kodrič should be worried for his own safety if this won't be repaid (speculating, not making threats).
freebit13
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500

I got Satoshi's avatar!


View Profile
January 07, 2015, 07:00:01 AM
 #4

Could those 9000 coins moving through the wallet on the 3rd be the start of the crash? It lines up with the start of the price drop quite suspiciously... and it was a day before Stamp noticed anything. Perhaps he was already selling those 9000 coins when he stole the other 18000 the next day.

Decentralize EVERYTHING!
aclass
Sr. Member
****
Offline Offline

Activity: 381
Merit: 251


View Profile
January 07, 2015, 07:54:30 AM
 #5

here is another one...

the 9k coins were a deposit from someone planning to crash the price. they cleared in the account and the dump started, but they also got stolen
mayax
Legendary
*
Offline Offline

Activity: 1442
Merit: 1004


View Profile
January 07, 2015, 10:15:33 AM
Last edit: January 07, 2015, 12:39:46 PM by mayax
 #6

here is another one...

the 9k coins were a deposit from someone planning to crash the price. they cleared in the account and the dump started, but they also got stolen

9k coins belong to Bitstamp. they wanted to crash the price. Price down, they earn a lot Smiley)
jabetizo
Full Member
***
Offline Offline

Activity: 125
Merit: 101


View Profile WWW
January 07, 2015, 11:13:31 PM
 #7

How did you get the hot wallet addresses? If you're just using addresses connected to the "hack address", it's normal that they have less traffic on other days (since you would be missing other hot wallet addresses).

fairglu (OP)
Legendary
*
Offline Offline

Activity: 1100
Merit: 1030


View Profile WWW
January 08, 2015, 09:38:38 AM
 #8

How did you get the hot wallet addresses? If you're just using addresses connected to the "hack address", it's normal that they have less traffic on other days (since you would be missing other hot wallet addresses).

It was based on prior taint analysis, not just the addresses related to the hack, though the hack did generate extra taint, it was minor in the grand scheme of things (at least 140k addresses in that wallet, counting tainted change addresses, it's one of the top 20 hot wallets)

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!