“The brain is at least twenty feet from his apparent forehead in life; it is hidden away behind its vast outworks, like the innermost citadel within the amplified fortifications of Quebec.” — Herman Melville, Moby-Dick
In the first part of this series, we started to draw a map tracing the boundaries of Moby Dick. While useful, this map remains rudimentary and very low definition.
Improving this map is the subject of this third part, with the goal of gaining new insights into the internals of the attacks and maybe about their perpetrator(s). Note that for lack of time we won’t try to be exhaustive; instead we’ll follow a depth-first approach, prioritizing the most promising paths.
With more than 1.2 million transactions, it’s obvious that a manual inspection is a dead end. We need a way to quickly find the most promising areas of the map which deserve our attention. To achieve that objective, we’ll use a set of custom scripts combining what we already know about Moby Dick with additional information provided by OXT.
Note: OXT is a data analytics platform dedicated to the bitcoin blockchain. It extracts raw data from the blockchain and processes it to compute miscellaneous statistics and to analyze bitcoin transactions. The latter relies on heuristics which (among other things) detect the addresses likely to be controlled by the same entity and group them into clusters. By default, clusters are identified by poetic names like “ANON-12345” (ANON for anonymous). Additional intel allows a particular cluster to be linked to a real-world entity.
Armed with these new tools, let’s try to identify the entities which have been “targeted” by the dust outputs. If we’re lucky, the perpetrators of these attacks may well appear in the list of receivers.
Running the scripts for Attack A (dust outputs of 10,000 satoshis) gives us more than 10,200 entities and 12,700 individual addresses. Some of the entities have been tagged in OXT and are associated with well-known services (exchanges, payment processors, gambling sites, mining pools, etc.) but many remain anonymous. This path doesn’t sound very promising. Too many possibilities…
On the other hand, running the same scripts for Attack B (dust outputs of 1,000 satoshis) gives us 70 entities and 23 individual addresses. Among the 70 entities we find a few services (DISCUS FISH, IGOT, BITPAY, BITFINEX, CAVIRTEX, WIKILEAKS) and 15 wallets that we can link to individual users who have published a bitcoin address on a public medium (like the BitcoinTalk forum). With only 50 anonymous entities, this path seems much more promising, especially if we consider that Attack B was the largest and the most damaging.
What we can do next is an analysis of the outgoing financial flows for these gathering entities: how many bitcoins were sent to which entities?
A first attempt gives us more than 10,000 different flows. That sounds like a lot of work ahead…
Let’s filter these data by removing the flows which aren’t between two gathering entities… Bingo! This simple filter leaves us with 37 flows and, even better, 30 of these flows are sent to the same entity: ANON-502770422.
A manual inspection of this entity on OXT teaches us that it’s a cluster of 465 P2PKH addresses, but one of them, with 91,738 transactions received, seems very special: 135zDqhbNcmPk3gbyeJmH75yiLdVZechsK
A quick search in the archives teaches us that this address has already been identified by some users as likely to be controlled by coinwallet.eu.
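As an added illustration (not part of the original analysis, and not OXT’s code), here is a small Python version of the two steps just described: identify the entities that received dust outputs of a given value, then aggregate sender-to-receiver flows and keep only those running between two such entities. The transactions and the address-to-cluster map are constructed for the example and stand in for what OXT provides.

```python
from collections import Counter, defaultdict

DUST = 1_000  # Attack B dust value in satoshis (Attack A used 10_000)

# Constructed sample transactions (not OXT data); all values in satoshis.
TXS = [
    # fan-out: one spam input pays 1,000-satoshi dust to several wallets
    {"inputs": [("s1", 60_000)],
     "outputs": [("a1", DUST), ("b1", DUST), ("c1", DUST), ("g0", DUST), ("s2", 55_000)]},
    # wallets A and B later sweep their dust, with other coins, to G
    {"inputs": [("a1", DUST), ("a2", 9_000)], "outputs": [("g1", 9_600)]},
    {"inputs": [("b1", DUST), ("b2", 4_000)], "outputs": [("g2", 4_700)]},
    # wallet C spends its dust to an unrelated service (not a gatherer)
    {"inputs": [("c1", DUST)], "outputs": [("svc", 800)]},
    # G pays wallet A: a flow in the other direction, plus change to itself
    {"inputs": [("g1", 9_600)], "outputs": [("a3", 2_000), ("g3", 7_400)]},
]
# Hypothetical address -> cluster map standing in for OXT's heuristics.
CLUSTER = {"s1": "ANON-SPAM", "s2": "ANON-SPAM", "svc": "SERVICE",
           "a1": "ANON-A", "a2": "ANON-A", "a3": "ANON-A",
           "b1": "ANON-B", "b2": "ANON-B", "c1": "ANON-C",
           "g0": "ANON-G", "g1": "ANON-G", "g2": "ANON-G", "g3": "ANON-G"}


def gathering_entities(txs, cluster, dust):
    """Clusters that received at least one output worth exactly `dust`."""
    return {cluster[a] for tx in txs for a, v in tx["outputs"] if v == dust}


def flows(txs, cluster, only=None):
    """Sum (sender cluster, receiver cluster) -> satoshis, ignoring change back
    to the sender. With `only`, keep flows whose both ends are in that set."""
    total = defaultdict(int)
    for tx in txs:
        senders = {cluster[a] for a, _ in tx["inputs"]}
        if len(senders) != 1:  # skip CoinJoin-like txs with mixed input owners
            continue
        src = senders.pop()
        for a, v in tx["outputs"]:
            dst = cluster[a]
            if dst == src or (only is not None and not {src, dst} <= only):
                continue
            total[(src, dst)] += v
    return dict(total)


def top_sink(flow_map):
    """Receiver with the most distinct incoming flows, and that count."""
    return Counter(dst for _, dst in flow_map).most_common(1)[0]
```

On the sample data, the unfiltered pass yields 8 flows; restricting both ends to gathering entities leaves 3, two of which land on ANON-G, the analogue of ANON-502770422 above.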
The temporal evolution of the number of transactions received by this address reveals another interesting pattern:
Peaks of activity for an address likely used by the attacker for the gathering of dust outputs
We can observe a peak in March 2016 and another in September 2016 (with increased activity between June 2016 and January 2017). These periods match the time spans of the 7th and 8th waves almost perfectly (see part 2).
All these elements suggest that we’ve found a part of the mechanism used for the gathering of the dust outputs:
Now, let’s get back to ANON-502770422 and check its outgoing activity. The data tell us that it was pretty active between July 25th 2015 and August 7th 2015 (3rd wave of spam attacks).
Peak of activity for ANON-502770422 during the 3rd wave of spam attacks
A random check of a few transactions sent by the entity during this period allows us to identify transactions like this one. At first sight, this transaction is just an aggregation of dust outputs. Nothing new. But things become more interesting if we follow the flow of bitcoins after this transaction. We can observe that the 0.01000080 BTC sent to ANON-502949525 is used to fund a new long chain of spam transactions.
Interactive version of the graph (desktop only)
These transactions tell us that ANON-502770422 was in charge of gathering the dust outputs, but was also an active funder of long chains of fan-out transactions.
All right. Time to complete our map.
Let’s try to learn a bit more about ANON-502770422 by analyzing all its outgoing financial flows.
It appears that the top 3 receivers are:
ANON-513450394 seems especially interesting. Charts show 3 peaks of incoming activity in June, August and December 2015, but also peaks of outgoing activity during the periods of spam in June, July and August.
Peak of outgoing activity for ANON-513450394 during the 1st wave of spam
Indeed, a quick manual inspection confirms that the entity has funded long chains of spam transactions.
Actually, by inspecting the history of this entity (June 4th, 2015), we can even detect a transaction that looks like a test of the gathering of dust outputs generated by a peeling chain.
Moby Dick runs a preliminary test (May 2015)
Interactive version of the graph (desktop only)
Finally, if we focus on the very beginning of this entity’s activity, we find that the first BTC it received were sent by an entity called ANON-493563502, which we’ll meet again later in our investigation. But for now, let’s just complete the map.
So far, the analysis of financial flows has served us well. Let’s see what we can learn by applying the same method to ANON-513450394.
It appears that the two top receivers of funds sent by this entity are:
Yes. You’re right… We’ve already met these two entities before. At this point, it seems legitimate to give both of them some more attention.
A manual inspection of these two entities teaches us that:
An analysis of their financial flows shows that (among other things):
ANON-493563502 has received around 7,400 BTC from ANON-502638009,
ANON-493563502 has received around 3,000 BTC from ANON-483588853,
ANON-493563502 has sent around 3,000 BTC to POLONIEX,
ANON-493563502 has sent around 500 BTC to ANON-502638009,
ANON-502638009 has sent and received around 3,000 BTC to/from POLONIEX,
ANON-502638009 has received around 760 BTC from ANON-483588853.
These figures suggest that ANON-493563502 and ANON-502638009 have a strong connection, but may also have a link with ANON-483588853 or POLONIEX.
A search done on WalletExplorer suggests that ANON-483588853 might be the Canadian exchange QuadrigaCX. That point seems consistent with the temporal patterns of the entity displayed on OXT.
Two elements lead me to think that ANON-493563502 & ANON-502638009 may actually be related to QuadrigaCX:
QuadrigaCX completely switched its P2PKH deposit addresses to multisig addresses on January 1st 2016. That seems consistent with the growth observed in ANON-502638009’s activity profile in December 2015.
The chart of the financial flows between ANON-483588853 and ANON-493563502 displays an uninterrupted “drain” between March 2015 and January 2016. Considering that the activity of ANON-483588853 also stopped at that date, the pattern suggests a transfer of funds between two wallets controlled by the exchange.
All good. Let’s complete our map.
Not 100% sure but that seems a reasonable guess for now. Anyway, it should be easy to get a confirmation of that hypothesis (directly from the exchange or from the community).
Absolutely not. But it suggests that the perpetrators are / have been clients of the exchange.
Actually, it doesn’t seem to be the case. We have detected several transactions received by ANON-513450394 suggesting that the entity was funded via a bitcoin mixer (possibly Bitcoin Fog). With regard to ANON-502770422, it seems that it was funded by the gathering of dust outputs generated during the first attacks (initiated by ANON-513450394) and by the reception of additional funds, certainly provided via a mixer.
Too early to say, but some additional evidence suggests that the attacker may be located on the American continent and not in Europe.
We have found that 2 entities (ANON-513450394 and ANON-502770422) have played a major role during the 2 phases of the spam attacks.
An analysis of the financial flows suggests that the attacker might be a client of the Canadian exchange QuadrigaCX.
Finally, the links between the two entities and with the exchange suggest that the two entities may be associated with the same attacker, or that a strong connection exists between the two attackers.
A transaction graph displaying the connection between the funds sent by ANON-493563502 to ANON-513450394 in May 2015, the preliminary test done by ANON-513450394 in June 2015 and the funding of a long chain of spam transactions.