The Canadian Connection

Written by laurentmt | Published 2017/08/18
Tech Story Tags: bitcoin | data-analysis | herman-melville | moby-dick | maps

TLDRvia the TL;DR App

“The brain is at least twenty feet from his apparent forehead in life; it is hidden away behind its vast outworks, like the innermost citadel within the amplified fortifications of Quebec.” — Herman Melville, Moby-Dick

In the first part of this series, we’ve started to draw a map tracing the boundaries of Moby Dick. While useful, this map remains rudimentary and very low def.

Improving this map will be the subject of this third part with the goal of finding new insights about the internals of the attacks and may be about their perpetrator(s). Note that by lack of time, we won’t try to be exhaustive but we will follow a depth-first approach, prioritizing the most promising paths.

How to draw a better map ?

With more than 1.2 million transactions, it’s obvious that a manual inspection will be an impasse. We need a way to quickly find the most promising areas of the map which deserve our attention. In order to achieve that objective, we’ll use a set of custom scripts combining what we already know about Moby Dick with additional information provided by OXT.

Note: OXT is a data analytics platform dedicated to the bitcoin blockchain. It extracts raw data from the blockchain and processes them for the computation of miscellaneous statistics and for the analysis of bitcoin transactions. The latter is realized thanks to heuristics which (among others things) detect the addresses likely to be controlled by a same entity and group them into clusters. By default, clusters are identified by poetic names like “ANON-12345” (ANON for anonymous). Additional intel allows to link a particular cluster to a real world entity.

Armed with these new tools, let’s try to identify the entities which have been “targeted” by the dust outputs. If we’re lucky, the perpetrators of these attacks may well appear in the list of receivers.

Running the scripts for Attack A (dust outputs of 10,000 satoshis) gives us more than 10,200 entities and 12,700 individual addresses. Some of the entities have been tagged in OXT and are associated to well-known services (exchanges, payment processors, gambling sites, mining pools, etc) but many remain anonymous. This path doesn’t sound very promising. Too many possibilities…

On the other hand, running the same scripts for Attack B (dust outputs of 1,000 satoshis) gives us 70 entities and 23 individual addresses. Among the 70 entities we find a few services (DISCUS FISH, IGOT, BITPAY, BITFINEX, CAVIRTEX, WIKILEAKS) and 15 wallets that we can link to individual users who have published a bitcoin address on a public medium (like the BitcoinTalk forum). With only 50 anonymous entities, this path seems much more promising, especially if we consider that Attack B was the largest and the most damaging.

Let the money flow !

What we can do next is an analysis of the outgoing financial flows for these gathering entities: how many bitcoin sent to which entities ?

A first attempt gives us more than 10,000 different flows. Sounds like a lot of work in perspective…

Let’s try to filter these data by removing the flows which aren’t between 2 gathering entities… Bingo ! This simple filter gives us 37 flows but even better, it appears that 30 of these flows are sent to a same entity: ANON-502770422

A manual inspection of this entity on OXT teach us that it’s a cluster of 465 P2PKH addresses but one of these addresses, with 91,738 transactions received, seems very special : 135zDqhbNcmPk3gbyeJmH75yiLdVZechsK

A quick search in the archives teach us that this address has already been identified by some users as likely to be controlled by coinwallet.eu.

The temporal evolution of the number of transactions received by this address reveals another interesting pattern

Peaks of activity for an address likely used by the attacker for the gathering of dust outputs

We can observe a peak on March 2016 and another one on September 2016 (with an increased activity between June 2016 and January 2017). These periods match almost perfectly with the time spans of the 7th and 8th waves (see part 2).

All these elements suggest that we’ve found a part of the mechanism used for the gathering of the dust outputs:

  • at a first level, dust outputs are gathered by a set of 30 entities,
  • the utxos aggregated at the first level are sent to ANON-502770422 for a second round of aggregation.

Now, let’s get back to ANON-502770422 and let’s check its outgoing activity. Data tell us that it has been pretty active between July 25th 2015 and August 7th 2015. (3rd wave of spam attack).

Peak of activity for ANON-502770422 during the 3rd wave of spam attacks

A random check of a few transactions sent by the entity during this period allows us to identify transactions like this one. At first sight, this transaction is just an aggregation of dust outputs. Nothing new. But things become more interesting if we follow the flow of bitcoins after this transaction. We can observe that the 0.01000080BTC sent to ANON-502949525 are used to fund a new long chain of spam transactions.

Interactive version of the graph (desktop only)

These transactions tell us that ANON-502770422 was in charge of gathering the dust outputs but was also an active funder of long chains of fan-out transactions.

All right. Time to complete our map.

Tell me who your friends are and…

Let’s try to learn a bit more about ANON-502770422 by analyzing all its outgoing financial flows.

It appears that the top 3 receivers are:

ANON-513450394 seems especially interesting. Charts show 3 peaks of incoming activity in June, August and December 2015 but also peaks of outgoing activity during the periods of spam in June, July and August.

Peak of outgoing activity for ANON-513450394 during the 1st wave of spam

Indeed, a quick manual inspection confirms that the entity has funded long chains of spam transactions.

Actually, by inspecting the history of this entity (June 4th, 2015), we can even detect a transaction looking like a test for the gathering of dust outputs generated by a peeling chain.

Moby Dick runs a preliminary test (May 2015)

Interactive version of the graph (desktop only)

At last, if we focus on the very beginning of the activity of this entity, we find that the first BTC received were sent by an entity called ANON-493563502 which we’ll meet later in our investigation. But for now, let’s just complete the map.

Tell me who the friends of your friends are…

So far, the analysis of financial flows has served us well. Let’s see what we can learn by applying the same method to ANON-513450394.

It appears that the 2 top receivers of funds sent by this entity, are:

Yes. You’re right… We’ve already met these 2 entities before. At this point, it seems legit to give some more attention to both of them.

A manual inspection of these two entities teach us that:

  • ANON-493563502 is a cluster of P2PKH addresses active since 2014. The volume of its activity suggests that it’s a service and its temporal patterns suggests that the entity is active on the American continent,
  • ANON-502638009 is a cluster of P2SH 2-of-3 multisig addresses active since June 2015. The volume of its activity and its temporal patterns suggest again a service active on the American continent.

An analysis of their financial flows shows that (among others things):

ANON-493563502 has received around 7,400 BTC from ANON-502638009,

ANON-493563502 has received around 3,000 BTC from ANON-483588853,

ANON-493563502 has sent around 3,000 BTC to POLONIEX,

ANON-493563502 has sent around 500 BTC to ANON-502638009,

ANON-502638009 has sent and received around 3,000 BTC to/from POLONIEX,

ANON-502638009 has received around 760 BTC from ANON-483588853.

These figures suggest that ANON-493563502 and ANON-502638009 have a strong connection but may also have a link with ANON-483588853 or POLONIEX.

A search done on WalletExplorer suggests that ANON-483588853 might be the Canadian exchange QuadrigaCX. That point seems consistent with the temporal patterns of the entity displayed on OXT.

The Canadian connection

Two elements lead me to think that ANON-493563502 & ANON-502638009 may actually be related to QuadrigaCX:

QuadrigaCX completely switched its P2PKH deposit addresses to multisig addresses on January 1st 2016. That seems consistent with the growth observed in ANON-502638009’s activity profile on December 2015.

The chart of the financial flows between ANON-483588853 and ANON-493563502 displays a uninterrupted “drain” between March 2015 and January 2016. Considering that the activity of ANON-483588853 also stopped at that date, the pattern suggests a transfer of funds between 2 wallets controlled by the exchange.

All good. Let’s complete our map.

Let’s summarize all we’ve found…

Are you sure that ANON-493563502 and ANON-502638009 are controlled by QuadrigaCX ?

Not 100% sure but that seems a reasonable guess for now. Anyway, it should be easy to get a confirmation of that hypothesis (directly from the exchange or from the community).

Does it mean that this exchange is the entity behind the summer 2015 spam attack ?

Absolutely not. But it suggests that the perpetrators are / have been clients of the exchange.

Does it means that the bitcoins used for the spam attacks were coming from this exchange ?

Actually, it doesn’t seem to be the case. We have detected several transactions received by ANON-513450394 suggesting that the entity has been funded via a bitcoin mixer (might be Bitcoin Fog).With regards to ANON-502770422, it seems that it has been funded by gathering of dust outputs generated during the first attacks (initiated by ANON-513450394) and by the reception of additional funds, certainly provided via a mixer.

Does it mean that the attackers live in Canada ?

Too early to say but some additional evidences suggest that the attacker may be located on the American continent and not in Europe.

Conclusion

We have found that 2 entities (ANON-513450394 and ANON-502770422) have played a major role during the 2 phases of the spam attacks.

An analysis of the financial flows suggests that the attacker might be a client of the Canadian exchange QuadrigaCX.

At last, the links between the 2 entities and with the exchange suggest that the 2 entities may be associated to a same attacker or that a strong connection exists between the 2 attackers.

Bonus

A transaction graph displaying the connection between the funds sent by ANON-493563502 to ANON-513450394 on May 2015, the preliminary test done by ANON-513450394 on June 2015 and the funding of a long chain of spam transactions.

Interactive version (desktop only)

Published by HackerNoon on 2017/08/18
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy