The 2015 Bitstamp, 2015 Bitfinex, and 2017 Tether Hacks are Connected

Acknowledgements: I would not have been able to complete this as thoroughly as I did without building off existing work. It needs to be pointed out that years ago u/SpeedflyChris (archive) pointed out these same connections. I also relied heavily on a tool created by Aleš Janda.

In January of 2015 Bitstamp was hacked in what they described as a phishing attack. (Archive) These funds were withdrawn to 1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf (referred to as 1L2 for the remainder of this piece for convenience) at first. Bitstamp also sent funds to 1AXsTbi4sSH1M5hccgdEVn5et9xFd7Bxpd (referred to as 1AX) and 16KYFJiAoM4aX82xw2V3YBHX72trWNhz48 (referred to as 16KY). All three of these addresses which received withdrawals from Bitstamp were part of the same wallet, and this can be determined by reviewing the transactions where they ‘co-spent’, i.e. both provided inputs to a single transaction, which suggests the same person could sign for both addresses. 1L2 and 1AX co-spent in transaction 7e80957db4514d150899b308b0472b51ce7b3dbd979f2b3e80681cb9067dac13, and 16KY and 1L2 co-spent in transaction 41afc875a478acdf322ea37e6edcd3878627e6d0b4a6c4de280708c822670b2a. This suggests the 2015 Bitstamp hacker was still receiving funds from Bitstamp as late as December 19th 2018, in transaction 4a05c4347d5cf797f7eeacc1d1b6881ef9e4e71195025bb3275a18f495b988be. That is a LONG hack.

The 16KY address described above seems to be directly related to the Tether hack. In transaction 7b46c7e412b1f1e93ff0aa67232457dde3fb6e91f4c61e025a97e56290049050 the 16KY address funds 1LBQpqUTEmdPTH8adaV6xS8KQt6FGCD3xD (referred to as 1LBQ for the remainder) and 1Ci3XEy71dGZ3ZDWF2CiVgsiAStt9WG5LX (referred to as 1Ci3 for the remainder). The next morning, right before the hack, the funds were transferred from 1LBQ to 31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv (referred to as 31ok for the remainder), which is the address that hours later would hack Tether.

In a series of transactions on November 19th 2019 the Tether treasury was hacked and ~30 million Tethers and 5 BTC were withdrawn to 31ok. These were then passed along to 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r (referred to as 16tg for the remainder), which is where the Tethers would stay forever, as Tether forced a hard fork of the Omni layer.

The 16tg address is interesting because it co-spent with the previously mentioned 1Ci3 address in transaction eeaf8b9c6288c28c481d6e37d687b5c42b0222fb3d8a73bdca81c1a12243c579. The 1Ci3 address was funded from the Bitstamp hacker wallet in the same transaction that funded the 1LBQ address. This helps solidify the link between the Tether hacker and the Bitstamp hacker.
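The co-spend (common-input-ownership) heuristic used above, and again for the 1Ci3/16tg link, as an added example that is not part of the original post. The txids and address pairings are the ones the post names; the input lists are constructed placeholders, not full chain data, since the post does not reproduce the complete input sets.

```python
"""Common-input-ownership ('co-spend') clustering of Bitcoin addresses.

If two addresses both provide inputs to one transaction, the same party could
sign for both, so they are merged into one wallet cluster. Caveat: CoinJoin
and other collaborative transactions deliberately break this assumption, so a
cluster is evidence, not proof, of common control.
"""
from collections import defaultdict

# Constructed sample: txid -> addresses that signed inputs in that transaction.
# Pairings follow the post; the real transactions may have had more inputs.
SAMPLE_TXS = {
    "7e80957db4514d150899b308b0472b51ce7b3dbd979f2b3e80681cb9067dac13":
        ["1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf", "1AXsTbi4sSH1M5hccgdEVn5et9xFd7Bxpd"],
    "41afc875a478acdf322ea37e6edcd3878627e6d0b4a6c4de280708c822670b2a":
        ["16KYFJiAoM4aX82xw2V3YBHX72trWNhz48", "1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf"],
    "eeaf8b9c6288c28c481d6e37d687b5c42b0222fb3d8a73bdca81c1a12243c579":
        ["16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r", "1Ci3XEy71dGZ3ZDWF2CiVgsiAStt9WG5LX"],
}


class UnionFind:
    """Disjoint-set forest; each root represents one wallet cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_cospend(txs):
    """Merge every address that co-spent in any tx; return a list of clusters."""
    uf = UnionFind()
    for inputs in txs.values():
        for addr in inputs:
            uf.union(inputs[0], addr)  # chain all inputs of one tx together
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def same_wallet(txs, a, b):
    """True if the heuristic places addresses a and b in one cluster."""
    return any(a in g and b in g for g in cluster_by_cospend(txs))
```

Transitive merging is what links 1AX to 16KY even though they never appear in the same transaction; both co-spent with 1L2.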

It is also notable that the 1Ci3 address seems to have been receiving funding from the old Bitfinex hot wallet which had been hacked in 2015. This is strange because Zane Tackett, a Bitfinex spokesperson at the time, insisted that Bitfinex would be creating a new wallet. (Archive) Nonetheless, it appears that 1Ci3 was funded by addresses associated with that old wallet (according to WalletExplorer). You can see this in transactions 080cfe133b8f48ae6f73e2ea5409786ce2e1b30313eae550f25a0c0bc8a46538 and 8e62fae22d0642ec22591b36ca77779c6d273eec5f766830435ec09a3d1d3bef. I am unsure of exactly how to interpret this. Someone with access to those keys (so either Bitfinex or the hacker) would seem to have been responsible for sending funds to an address clearly associated with the Tether hacker.

Further complicating the picture is the fact that the wallet containing 1Ci3 was responsible for issuing an Omni asset (like Tether) shortly before the Tether hack. In transaction f77f0c5f08c5491133a8422b163789eb5860f6d37ecc8aadb5b4bb730532fb36, mere days before the Tether hack, the hacker appears to have created ‘lioncoin’. ‘lioncoin’ is notable for never moving or being used, and for the fact that a few years later Bitfinex would issue their own ‘lion’ coin. (Archive) (My copy)

So far it seems that the Tether hacker was possibly also the Bitstamp hacker and may have also been the Bitfinex hacker.

The Bitfinex hack in particular is interesting for several reasons. It is very rarely discussed because it was just the hot wallet, Bitfinex never gave us a post-mortem, and Bitfinex’s founder Raphael Nicolle had previously made many comments about their hot wallet.

These included:

I, Raphael NICOLLE, and my wife are the only ones who control the keys of the bitcoin wallet. These keys are not on the server (read-only wallet on the server). We also are the only ones that can access our Mtgox account (with OTP). Similarly, there are no withdrawal-enabled keys on the servers. Our partners don’t have any control on the funds of Bitfinex.

Yes, that means there is no hot wallet on the servers. I have the wallet on my computer, and there are digital and paper backups of the wallet in case something happens to my computer (we use the very secure Armory client and its awesome watch-only wallet feature to track deposits on the Bitfinex side). In other words, if a hacker manages to find an access to the servers, he won’t be able to steal your bitcoins. That doesn’t mean we don’t take care of the security of our servers though.

Only I and my wife have access to the keys which allow sending bitcoins from the bitfinex wallet, and to the bank and mtgox credentials to use the funds there. There is CURRENTLY NO DEAD MAN SWITCH yet, so if both my wife and I die, well, the coins are pretty much lost. We will set up a dead man switch, but of course that’s something that needs thinking.

Further muddying the water, May of 2015 is when Bitfinex got hacked, and according to Raphael’s LinkedIn that is the exact month he left Bitfinex.

In conclusion, it seems that there are interesting links between the 2015 Bitstamp hack, the 2015 Bitfinex hack, and the 2017 Tether hack. I am hopeful that all of these exchanges and cryptocurrency companies reported these hacks to law enforcement and have been cooperating. They should have much more insight than I do into who may be associated with these addresses, especially Bitstamp, which was still providing withdrawals to them as late as 2018. I do wonder why none of these companies have ever produced a post-mortem or serious review of what led to any of these three hacks.
