Following the chain: a new revelation in the search for the EtherDelta hacker

Written by decktonic | Published 2017/10/16
Tech Story Tags: blockchain | ethereum | hacking | ico | cybersecurity


I have been reporting on the EtherDelta hacker that made off with possibly hundreds of thousands of dollars worth of ETH in two pieces:

  1. https://medium.com/@decktonic/how-one-hacker-stole-thousands-of-dollars-worth-of-cryptocurrency-with-a-classic-code-injection-a3aba5d2bff0
  2. https://medium.com/@decktonic/following-the-trail-what-we-know-about-the-hacker-behind-the-etherdelta-attack-9ac6015fc2e1

Up until now I figured it was very unlikely that any information would surface to help identify the hacker, but some new information has come to light that, to be quite honest, I couldn’t have made up.

First of all I want to thank Bobby Bowboin for uncovering this: he found the smoking gun, I’m just paraphrasing.

It turns out our infamous hacker could not resist the allure of ICOs. Bobby Bowboin discovered that one of the wallets that was used to collect the funds from the EtherDelta hack was also used to fund the wallet that was then used to make the now infamous AirSwap ICO attempt that spent a whopping $75k worth of ETH (now valued at over $80k) only to fail. Even better, the hacker made another attempt that spent over $22k worth of ETH and also failed. Wondering who would be so reckless as to spend almost $100,000 on two transactions? Clearly, someone who is playing with stolen money.

Here is the account I identified in my previous piece:

Etherscan account page: 0x563b377a956c80d77a7c613a9343699ad6123911

This account funded the account that created the malicious Ethereum contract used to power an XSS attack that stole tens of thousands of dollars worth of ETH from multiple unsuspecting EtherDelta users. It was also used to fund this wallet:

Etherscan account page: 0xf51ec864d5fb2f184198e369fe063fc77045a3ad

If you look at its transaction history, this user entered the AirSwap Whitelist Crowdsale with a transaction of 3.3 ETH (the limit for whitelist participants). So, presumably, at some point this user successfully registered for the AirSwap whitelist and passed KYC (most likely with fake info) and left a trail in their system. Then, later, they made this infamous transaction:

Etherscan transaction page: 0x167b6e3217536e66e69f906a457b2457c6cc4f95928a47b0443ad895b23c6e76

This was an attempt to get into the AirSwap public sale before it sold out, with 1,700 ETH (worth over $500k at the time) and a whopping $75k transaction fee (which sounds crazy, unless you think the AirSwap AST token will trade even slightly above the ICO price, in which case you would eventually sell these tokens at a nice profit).

This user also made another failed attempt with a $22k transaction fee here:

Etherscan account page: 0xb2a43375d2a07f5d5c6867f139fb053ba522f51c

You can tell these are both from the same user because both wallets eventually transferred all the funds to this address:

Etherscan account page: 0x85d0fdabbe633106c14268b0e62e14e5d5f6c34a
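The two signals used above (a wallet being funded, directly or through intermediaries, from the hack collection address, and two wallets sweeping their balances to one common address) can be checked mechanically over a transfer list. The script below is an added example, not part of the original post or any tool the author used; the addresses are the ones quoted in the post, but the transfer list, its amounts (apart from the 3.3 ETH whitelist contribution), and the SALE and BYSTANDER placeholders are constructed for illustration.

```python
from collections import deque

# Addresses quoted in the post; the short labels are mine.
HACK_COLLECTOR = "0x563b377a956c80d77a7c613a9343699ad6123911"
ICO_WALLET_A = "0xf51ec864d5fb2f184198e369fe063fc77045a3ad"
ICO_WALLET_B = "0xb2a43375d2a07f5d5c6867f139fb053ba522f51c"
SINK = "0x85d0fdabbe633106c14268b0e62e14e5d5f6c34a"
# Placeholders (not real addresses): a sale contract and an unrelated contributor.
SALE = "0xSALE_CONTRACT_PLACEHOLDER"
BYSTANDER = "0xBYSTANDER_PLACEHOLDER"

# Constructed transfer list (sender, receiver, ETH). Only the 3.3 ETH whitelist
# contribution comes from the post; every other amount is illustrative.
TXS = [
    (HACK_COLLECTOR, ICO_WALLET_A, 50.0),
    (HACK_COLLECTOR, ICO_WALLET_B, 40.0),
    (ICO_WALLET_A, SALE, 3.3),
    (ICO_WALLET_A, SINK, 46.5),
    (ICO_WALLET_B, SINK, 39.9),
    (BYSTANDER, SALE, 3.3),
]

def outgoing(txs):
    """Map each sender to the ordered list of addresses it paid."""
    out = {}
    for sender, receiver, _value in txs:
        out.setdefault(sender, []).append(receiver)
    return out

def trace_downstream(txs, origin):
    """Breadth-first walk of value flowing out of `origin`; returns
    {address: shortest funding path from origin} for every address reached."""
    out, paths, queue = outgoing(txs), {origin: [origin]}, deque([origin])
    while queue:
        here = queue.popleft()
        for nxt in out.get(here, []):
            if nxt not in paths:
                paths[nxt] = paths[here] + [nxt]
                queue.append(nxt)
    return paths

def shared_destinations(txs, wallets):
    """Addresses that every wallet in `wallets` paid: the post's 'both wallets
    swept to the same address' signal that they share an owner."""
    out = outgoing(txs)
    return set.intersection(*[set(out.get(w, [])) for w in wallets]) if wallets else set()

def sale_contributors_funded_by(txs, origin, sale):
    """Sale contributors with a funding path from `origin`; contributors with
    no such path (the bystander) are left out rather than guilt-by-association."""
    reach = trace_downstream(txs, origin)
    return {s for s, r, _ in txs if r == sale and s in reach}
```

Note that `shared_destinations` applied to a contributor and the bystander will return the sale contract itself, so a common destination only means something when it is a sweep address like SINK, not a contract everyone paid.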

Traversing the various wallets and transactions, I also found multiple contributions to the AirSwap whitelist sale from a few wallets, multiple contributions to Request Network and ETHLend, one to Cindicator for 18.05 ETH (another whitelisted sale, possibly the Tier_3 cap?), and so on. At this point it seems like this hacker might be more than one person, but who knows? Finally, this user/team sent 4,000 ETH to this contract:

Etherscan contract page: 0x3bfc20f0b9afcace800d73d2191166ff16540258 (verified source: "Wallet // Multi-sig, daily-limited account proxy/wallet.")

Which has a bunch of internal transactions from:

Etherscan contract page: 0x54a2d42a40f51259dedd1978f6c118a0f0eff078 (verified source: "Copyright Parity Technologies, 2017.")

Which is apparently the Polkadot ICO contract address.

In Bobby’s own words:

This 4,000 ETH is part of more than >230,000 ETH sent to 0x3bfc20f0b9afcace800d73d2191166ff16540258 over the past 30 days before the official ICO date (perhaps part of a Polkadot token pre-sale?). The interesting thing is that the Polkadot ICO requires a passport identification step (via picops.parity.io), but I’m not sure the hacker would be dumb enough to use his own passport for PICOS verification.

Now I want to make something very clear here: I highly doubt, I mean I think it’s 100% impossible, that this hacker used their own IDs to participate in whitelist token sales. It’s much more likely that they used stolen or purchased ID photos to pose as other people to pass KYC controls (in some cases, multiple times). So while it’s likely that these ICO sales have collected some information from this person, I don’t think it would be useful for this information to be disclosed, because it’s very likely that it would just lead to the wrong person being identified (and I have no intention of encouraging Internet vigilantism).

What I do hope is that by publishing this information publicly, if someone thinks there is a legal case worth pursuing here (possibly involving a law enforcement agency, although I don’t know anything about how that would work), then this information, even just emails or IP addresses, would be able to inform that process.

I also have to mention here that this is a perfect example of the power of blockchain. Thanks to the public, verifiable, and permanent ledger (in this case, Ethereum), we were able to trace this person’s actions and reveal a lot of information.

Lastly, I have spoken to representatives from AirSwap and EtherDelta before publishing this piece.

AirSwap’s team explained that this person was removed from the whitelist after making multiple attempts to contribute to the whitelist token sale (I looked through the multiple wallets used and discovered something like 40 attempted contributions to the whitelist sale from just 3 wallets). This might also explain why this person’s mega $500k contribution attempt failed. Regardless, the tl;dr on this issue is that you shouldn’t feel sorry for whoever it was that spent $75k on a single failed transaction, because they are a thief and it was all stolen money.

EtherDelta can’t do anything about this person, as they have no more information than I have.

At this point, my question is simply: who would be able to use this information effectively? Is there a law enforcement or similar agency that would pursue a case like this? There is plenty of information that can be provided if a legal case is brought forward… if you have ideas, let me know.

Thank you for reading, and feel free to reach out in the comments.

p.s. tiny disclosure: I happen to hold some AirSwap Tokens.

Enjoying my work? Leave a tip to show your appreciation:

BTC: 1LPkQKNgzspUFmxaytzLg1Q6E5XuSPFNbG

ETH: 0x3c83504968A5Fd197e3af58e36153ed3502b072E

DOGE: DPWkQr5rHwcCecyadXVHnZWMamHbS5ip5g

Thanks!


Published by HackerNoon on 2017/10/16