Following the chain: a new revelation in the search for the EtherDelta hacker

October 16th 2017
Author profile picture

@decktonicChristian Montoya

Photo by William Bout

I have been reporting on the EtherDelta hacker that made off with possibly hundreds of thousands of dollars worth of ETH in two pieces:

  1. https://medium.com/@decktonic/how-one-hacker-stole-thousands-of-dollars-worth-of-cryptocurrency-with-a-classic-code-injection-a3aba5d2bff0
  2. https://medium.com/@decktonic/following-the-trail-what-we-know-about-the-hacker-behind-the-etherdelta-attack-9ac6015fc2e1

Up until now I figured it would be very unlikely that any information would surface that would help identify the hacker, but some new information has come to light that to be quite honest, I couldn’t even have made up.

First of all I want to thank Bobby Bowboin for uncovering this: he found the smoking gun, I’m just paraphrasing.

It turns out our infamous hacker could not resist the allure of ICOs. Bobby Bowboin discovered that one of the wallets that was used to collect the funds from the EtherDelta hack was also used to fund the wallet that was then used to make the now infamous AirSwap ICO attempt that spent a whopping $75k worth of ETH (now valued at over $80k) only to fail. Even better, the hacker made another attempt that spent over $22k worth of ETH and also failed. Wondering who would be so reckless as to spend almost $100,000 on two transactions? Clearly, someone who is playing with stolen money.

Here is the account I identified in my previous piece:

Which was used to fund the account that created the malicious Ethereum contract used to power a XSS-attack that stole tens of thousands of dollars worth of ETH from multiple unsuspecting EtherDelta users. And, which was also used to fund this wallet:

Which if you look at the transaction history, the user entered the AirSwap Whitelist Crowdsale with a transaction of 3.3 ETH (that was the limit for Whitelist participants). So, presumably, at some point this user successfully registered for the AirSwap whitelist and passed KYC (most likely with fake info) and left a trail in their system. Then, later, they made this infamous transaction:

In an attempt to get into the AirSwap public sale before it sold out, with 1,700 ETH (worth over $500k at the time) and a whopping $75k transaction fee (which sounds crazy, unless you think the AirSwap AST token will trade even slightly above the ICO price, in which case you will eventually sell these tokens at a nice profit).

This user also made another failed attempt with a $22k transaction fee here:

You can tell these are both from the same user because both wallets eventually transferred all the funds to this address:

Traversing the various wallets and transactions, I also found multiple contributions to the AirSwap whitelist sale from a few wallets, multiple contributions to Request Network, ETHLend, one to Cindicator for 18.05 ETH (another whitelisted sale, possibly the Tier_3 cap?) etc. etc. At this point, it seems like this hacker might be more than one person…. but who knows? Finally, this user/team sent 4,000 ETH to this contract:

Which has a bunch of internal transactions from:

Which is apparently the Polkadot ICO contract address.

In Bobby’s own words:

This 4,000 ETH is part of more than >230,000 ETH sent to 0x3bfc20f0b9afcace800d73d2191166ff16540258 over the past 30 days before the official ICO date (perhaps part of a Polkadot token pre-sale?). The interesting thing is that the Polkadot ICO requires a passport identification step (via picops.parity.io), but I’m not sure the hacker would be dumb enough to use his own passport for PICOS verification.

Now I want to make something very clear here: I highly doubt, I mean I think it’s 100% impossible, that this hacker used their own IDs to participate in whitelist token sales. It’s much more likely that they used stolen or purchased ID photos to pose as other people to pass KYC controls (in some cases, multiple times). So while it’s likely that these ICO sales have collected some information from this person, I don’t think it would be useful for this information to be disclosed, because it’s very likely that it would just lead to the wrong person being identified (and I have no intention of encouraging Internet vigilantism).

What I do hope is that by publishing this information publicly, if someone thinks there is a legal case worth pursuing here (possibly involving a law enforcement agency, although I don’t know anything about how that would work), then this information, even just emails or IP addresses, would be able to inform that process.

I also have to mention here that this is a perfect example of the power of blockchain. Thanks to the public, verifiable, and permanent ledger (in this case, Ethereum), we were able to trace this person’s actions and reveal a lot of information.

Lastly, I have spoken to representatives from AirSwap and EtherDelta before publishing this piece.

AirSwap’s team explained that this person was removed from the whitelist after making multiple attempts to contribute to the whitelist token sale (I looked through the multiple wallets used and discovered something like 40 attempted contributions to the whitelist sale from just 3 wallets). This might also explain why this person’s mega $500k contribution attempt failed. Regardless, the tl;dr on this issue is that you shouldn’t feel sorry for whomever it was that spent $75k on a single failed transaction, because they are a thief and it was all stolen money.

EtherDelta can’t do anything about this person, as they have no more information than I have.

At this point, my question is simply: who would be able to use this information effectively? Is there a law enforcement or similar agency that would pursue a case like this? There is plenty of information that can be provided if a legal case is brought forward… if you have ideas, let me know.

Thank you for reading and feel free reach out in the comments.

p.s. tiny disclosure: I happen to hold some AirSwap Tokens.

Enjoying my work? Leave a tip to show your appreciation:

BTC: 1LPkQKNgzspUFmxaytzLg1Q6E5XuSPFNbG

ETH: 0x3c83504968A5Fd197e3af58e36153ed3502b072E

DOGE: DPWkQr5rHwcCecyadXVHnZWMamHbS5ip5g

Thanks!

Comments

Tags

The Noonification banner

Subscribe to get your daily round-up of top tech stories!