The DAO Hacker’s Booty Is On The Move

Update 23:05 Oct 26 2016 UTC with trace through ShapeShift to Bitcoin address 1M2aaNN3GTw6dy13uScodHaQ8Egr6xr6Ew. And corrected ETC equivalent USD amounts.
Update Oct 28 2016 15:39:45 UTC re ShapeShift transparency.


Hawkeye @usukan on noticed that the hacker’s booty is on the move. Let’s see what is happening.

So far, The DAO hacker has converted 94719.9848 Classic ethers (ETC) ~ USD 97,845 into one or more other cryptocurrencies through an exchange. Exchanges would have to trace any sources of funds from the hacker’s booty account to prevent the flow of these stolen funds into their exchanges – if they choose to do so.

And keep a close eye on any of your developer colleagues – see who next buys a shiny new yacht.

Update 23:05 Oct 26 2016 UTC ETCs traced through ShapeShift to Bitcoin address 1M2aaNN3GTw6dy13uScodHaQ8Egr6xr6Ew totalling 144.92992187 BTC ~ USD 97,835 with some unconfirmed transactions for almost a day (Bitcoin Blocksize Tweetle Beetle Bottle Puddle Paddle Battle Muddle).

Update Oct 28 2016 09:02:25 UTC – See Coindesk – The Plot Thickens As DAO Attacker Trades Stolen Funds for Bitcoin.

Update Oct 28 2016 15:39:45 UTC – I do like ShapeShift’s transparency:

Hello everyone, ShapeShift’s policy is two-fold:

1) ShapeShift requests as little information as possible in order to enable blockchain asset exchange. Personal private information is not needed to exchange blockchain assets, so we don’t ask for it.

2) All the information we do have, as a platform, we make transparent. We do not obscure any information. Transaction details like input coin, amount, output coin, etc. are all transparent on ShapeShift. Indeed, we even publish it on our homepage and make it available via the API.

Since ShapeShift does not obscure information, it would be a horrible idea to use it as a mixer or similar. We state this in our Terms of Service. Further, we will always cooperate with reasonable requests for this information (from law enforcement or private investigation, we make no distinction).

With this policy, ShapeShift is simultaneously the least invasive exchange, as well as the most transparent. We neither expose users, nor hide them.

Related reddit/r/ethereum post – The DAO Hacker’s Booty Is On The Move.
See also Ethereum Network Attacker’s IP Address Is Traceable and the related reddit post.


The Hacker’s Booty Address

The DAO hacker withdrew their booty from The DAO on the ETC chain on Sep 5 2016.

You can see that the main part of the booty is still sitting in 0x5e8f0e63e7614c47079a41ad4c37be7def06df5a:


Movements From The Hacker’s Booty Address

You can see that a total of 106,100 Classic ethers (ETC) has moved to 0x085acc2d9794fc82e88b9b7b561ac3fea56406a9 in lots of 1,100, 5,000, 10,000, 15,000 and 25,000 ETC. From this account, you can see many amounts around 2,333 ETC moving into different accounts:


Is The Hacker Converting The Hot Booty Via ShapeShift?

From, you can see that the maximum ETC amount that ShapeShift will convert in one transaction is currently 2,448.84336818 ETC. This is the first clue that the hacker is using ShapeShift to convert their booty into another cryptocurrency.


Let’s Trace A Transaction

Let’s trace one of the transactions – tx 0x81b8…6d0b. The amount of 2,333.9612 ether is transferred from 0x085acc2d9794fc82e88b9b7b561ac3fea56406a9 to 0x0a99050db96a7be5c7e92a4b908ec0e9790d4805.


You can then see 2,333.9586 ETC move from 0x0a99050db96a7be5c7e92a4b908ec0e9790d4805 to 0x9bcb0733c56b1d8f0c7c4310949e00485cae4e9d:


And in 0x9bcb0733c56b1d8f0c7c4310949e00485cae4e9d, you can see many transactions – this address is likely to be an exchange's address where ETCs are received, then transferred into another wallet:


How Can We Confirm Address 0x9bcb…4e9d Is ShapeShift’s Account?

ShapeShift publishes the last 50 transactions. If we can correlate this with a transaction to the 0x9bcb0733c56b1d8f0c7c4310949e00485cae4e9d account, we can confirm that the hacker has been converting parts of the booty in small chunks via ShapeShift.

Here is the data from I’ve highlighted a transaction that exchanges 100 ETC to ethers (ETH):


The timestamp for this transaction is 1477480174.02 which is GMT: Wed, 26 Oct 2016 11:09:34 GMT according to

And here is the 100 ETC transaction received by ShapeShift’s account 0xaca117af6d06a3469e78951bf2d30c85dfa300ac.


You can then see the 99.9974 ETC transfer into the same account that the hacker’s funds were transferred into.
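
The correlation used in this section, as an added example that is not part of the original post: match a public feed entry to an on-chain deposit by amount and time, then check whether the address that received booty funds sweeps into the same wallet with the same deduction. The addresses, amounts and feed timestamp are the ones quoted above; the on-chain timestamps, the `0xCUSTOMER` sender and the feed field names are constructed assumptions.

```python
from datetime import datetime, timezone
from decimal import Decimal as D

# Addresses, amounts and the feed timestamp are quoted in the post; the
# on-chain timestamps and the customer address are constructed for the demo.
BOOTY_HOP = "0x085acc2d9794fc82e88b9b7b561ac3fea56406a9"
DEPOSIT_A = "0x0a99050db96a7be5c7e92a4b908ec0e9790d4805"  # received booty funds
DEPOSIT_B = "0xaca117af6d06a3469e78951bf2d30c85dfa300ac"  # received the 100 ETC
SWEEP = "0x9bcb0733c56b1d8f0c7c4310949e00485cae4e9d"
# (unix_time, sender, recipient, amount_etc)
TRANSFERS = [
    (1477470000, BOOTY_HOP, DEPOSIT_A, D("2333.9612")),
    (1477470300, DEPOSIT_A, SWEEP, D("2333.9586")),
    (1477480150, "0xCUSTOMER", DEPOSIT_B, D("100")),
    (1477480400, DEPOSIT_B, SWEEP, D("99.9974")),
]
# One entry of the exchange's public feed; field names are hypothetical.
FEED_ENTRY = {"coin_in": "ETC", "coin_out": "ETH",
              "amount": D("100"), "timestamp": 1477480174.02}

def feed_time_utc(entry):
    """Feed timestamp as an aware UTC datetime."""
    return datetime.fromtimestamp(entry["timestamp"], tz=timezone.utc)

def match_deposits(entry, transfers, window=300):
    """Recipients of transfers matching the feed amount within +/- window s."""
    return [t[2] for t in transfers
            if t[3] == entry["amount"] and abs(t[0] - entry["timestamp"]) <= window]

def sweep_targets(addr, transfers):
    """Addresses that addr forwards funds to."""
    return {t[2] for t in transfers if t[1] == addr}

def forward_fee(addr, transfers):
    """Amount received by addr minus amount it forwarded."""
    received = sum(t[3] for t in transfers if t[2] == addr)
    sent = sum(t[3] for t in transfers if t[1] == addr)
    return received - sent

def same_service(known, candidate, transfers):
    """True if both addresses sweep into a common wallet with the same fee."""
    shared = sweep_targets(known, transfers) & sweep_targets(candidate, transfers)
    return bool(shared) and forward_fee(known, transfers) == forward_fee(candidate, transfers)

if __name__ == "__main__":
    print(feed_time_utc(FEED_ENTRY).strftime("%a, %d %b %Y %H:%M:%S GMT"))
    known = match_deposits(FEED_ENTRY, TRANSFERS)[0]
    print(known, same_service(known, DEPOSIT_A, TRANSFERS))
```

Both deposit addresses forward 0.0026 ETC less than they received, which is a second signal alongside the shared destination.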

The Hacker Is Converting The Booty Via ShapeShift

So this confirms that the hacker has sent the transaction above to ShapeShift to be converted. Unfortunately we do not have the list of transactions showing what the hacker’s ETCs were converted into.

The total amount of the booty converted so far is 94,719.9848 ETC (~ USD 97,845).

What Can The Exchanges Do?

The exchanges would have to enhance their computer systems to trace the source of funds for each account before allowing the exchange from the account. This would take at least a few days to implement but they could consider shutting down ETC transfers in the meantime. If the tracing back to the booty account is implemented, the hacker could then poison legitimate accounts by sending small amounts from the booty to these accounts, and these legitimate accounts would be blocked by the exchanges as well. Messy.
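
The poisoning problem described above, as an added example that is not part of the original post: a rule that blocks any address linked to the booty also blocks a legitimate account after a dust transfer, while a proportional ("haircut") taint score with a threshold does not. The ledger, the names `alice` and `exchange_deposit`, and the 0.5 threshold are constructed assumptions, and the haircut scoring goes beyond what the post proposes.

```python
from collections import defaultdict
from decimal import Decimal as D

BOOTY = "0x5e8f0e63e7614c47079a41ad4c37be7def06df5a"
HOP = "0x085acc2d9794fc82e88b9b7b561ac3fea56406a9"
# Constructed ledger in chronological order: (sender, recipient, amount_etc).
# "alice" and "exchange_deposit" are hypothetical; only the two addresses and
# the 25,000 ETC lot size come from the post.
LEDGER = [
    ("external", "alice", D("500")),          # clean funds of a legitimate user
    (BOOTY, HOP, D("25000")),
    (HOP, "exchange_deposit", D("2333")),     # chunk sent on for conversion
    (HOP, "alice", D("0.01")),                # poisoning dust
]

def binary_taint(ledger, source):
    """Naive rule: every address reachable from source is tainted."""
    tainted = {source}
    for sender, recipient, _ in ledger:
        if sender in tainted:
            tainted.add(recipient)
    return tainted

def haircut_taint(ledger, source):
    """Proportional rule: each transfer carries the sender's tainted share."""
    balance, dirty = defaultdict(D), defaultdict(D)
    for sender, recipient, amount in ledger:
        if sender == source:
            share = D(1)                       # everything leaving source is dirty
        else:
            share = dirty[sender] / balance[sender] if balance[sender] else D(0)
            moved = min(amount, balance[sender])   # untracked senders count as clean
            balance[sender] -= moved
            dirty[sender] -= moved * share
        balance[recipient] += amount
        dirty[recipient] += amount * share
    return {a: dirty[a] / balance[a] for a in balance if balance[a] > 0}

def blocked(ledger, source, threshold=D("0.5")):
    """Addresses whose tainted fraction meets the (assumed) threshold."""
    return {a for a, f in haircut_taint(ledger, source).items() if f >= threshold}

if __name__ == "__main__":
    print("binary :", sorted(binary_taint(LEDGER, BOOTY) - {BOOTY}))
    print("haircut:", sorted(blocked(LEDGER, BOOTY)))
```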

Conversion Of Booty Into Bitcoins

User @tayvano of provided me with the ShapeShift transaction API in the form of, so here is the trace of all the ShapeShifted booty, and it is into bitcoins:

As you can see, the ShapeShift transactions funded out of the booty have ended up in the 1M2aaNN3GTw6dy13uScodHaQ8Egr6xr6Ew Bitcoin address:

The current balance of this account is 101.33194293 BTC ~ USD 64,404 with the total received being 144.92992187 BTC ~ USD 97,835.

From this 1M2aaNN3GTw6dy13uScodHaQ8Egr6xr6Ew address there are spends to the following addresses:

Looking at the main transfer 1FbaGw4PEMmX4PkRqWEUuUKEwBv3dqEzRm of 38.1 BTC:

Follow the trail over the next few weeks and it will probably end up in a red Tesla with following number plate:
And sitting in the Tesla would be a

C, C++, Java, Assembly Language developer, mid 30s to mid 40s, male, small time miner with the rig small enough to fit in the unit or house, basement or garage, 5 foot 8 inches, long hair 🙂

And some of the Bitcoin booty is in an unconfirmed state after almost a day. The Bitcoin network is clogged due to the artificial blocksize limit. There are 66373 unconfirmed Bitcoin transactions – from
