Courtesy of Giancarlo and Alberto from Neutrino, the creators of the P-Flow cryptointelligence platform. They do this as a job: they provide deep transaction data and analysis and have a history of developing investigative cyber tools.
On November 19th the Tether Team announced that 31 million in Tether funds had been removed from the Tether treasury wallet by a hacker. The announcement was made to warn third-party Tether integrators about the disruption risk that such an event might imply.
Tether (USDT) is a token issued over the bitcoin blockchain and distributed on the Omni token platform. Tethers were created to maintain a fixed 1:1 exchange rate with USD. This allows cryptocurrency exchange platforms to list Cryptocurrency/USDT pairs without implementing a fiat currency deposit procedure, replacing it with a crypto-to-crypto listing.
Technically speaking, Tether is a token created within the Omnilayer protocol: an intermediate layer enabling a digital asset on top of the bitcoin blockchain. In simple terms, tokens are moved by performing bitcoin transactions (even using just a few satoshi), and the metadata of those transactions then moves the USDT tokens as requested by the user (e.g. it is possible to create a transaction moving 0.00001 bitcoins that actually transfers 10M USDT).
Tether transactions involve the “issuer” (address 3MbYQMMmSkC3AgWkj9FMo5LsPTW1zBTwXL), in charge of creating new tethers, and the “Treasury” (3BbDtxBSjgfTRxaBUgR2JACWRukLKtZdiQ), in charge of transmitting them to the destination address requested by the user (ref. https://tether.to/wp-content/uploads/2017/09/Final-Tether-Consulting-Report-9-15-17_Redacted.pdf).
Online it is also possible to consult a list of the richest Tether addresses (https://wallet.tether.to/richlist). Most of these belong to well-known, primary cryptocurrency exchange platforms.
Events and technical analysis
Recently, large amounts of Tether were received by an address ascribable to Bitfinex (1KYiKJEfdJtap9QX2v9BXJMpz2SfU4pgZw).
The pattern has always followed this sequence:
Issuer -> Treasury -> Bitfinex
On Nov 19th the Treasury sent 30.9M USDT to a new address: 31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv, which in turn immediately transferred them to 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r.
In the online community someone noticed that this was a different address from the one usually owned by Bitfinex; however, it appeared to be a legitimate change of address.
On November 20th, Tether announced on its website that an unauthorized access to its platform had led to the theft of 30.9M USDT (https://tether.to/tether-critical-announcement/). As the critical situation required, the team created a temporary “emergency” hard fork to prevent the address 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r, which was holding the stolen 30.9M USDT, from spending them. All exchange platforms supporting USDT were required to immediately install the new patched version of the Omni layer.
It is worth noting that, as a consequence of this, the USDT value on the Kraken platform (the only one listing a USD/USDT trading pair) dropped to 0.906.
Since USDT are tokens issued on Omnilayer, which is based on the bitcoin blockchain, it is possible to analyze the underlying bitcoin transactions as if they were the “settlement” of the USDT transactions.
First of all, it is possible to identify a transaction moving 10 USDT from the Treasury to the address 31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv. This appears to be a test transaction to verify that the USDT transfer process works. Within a few hours about 30.9M USDT were moved with 6 transactions valued respectively at 1M, 1M, 1M, 10M, 10M and 7.9M.
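As an added example (not part of the original article and not Neutrino's P-Flow code), the following Python decodes the Omni Layer "simple send" payload that rides in a bitcoin OP_RETURN output and flags Treasury sends that leave the usual Issuer -> Treasury -> Bitfinex pattern; it assumes the Class C Omni encoding (OP_RETURN, "omni" marker, big-endian version/type/property/amount) with USDT as Omni property 31, uses placeholder txids rather than real hashes, and assumes sender/receiver addresses were already resolved by an Omni-aware node.

```python
import struct

# Omni Layer Class C encoding: OP_RETURN <push> "omni" + version + type + property + amount.
OMNI_MARKER = b"omni"
TETHER_PROPERTY_ID = 31          # USDT is Omni property 31 (known value, not from the article)
TX_TYPE_SIMPLE_SEND = 0
UNITS = 10**8                    # USDT is a divisible property: amounts are in 1e-8 units
TREASURY = "3BbDtxBSjgfTRxaBUgR2JACWRukLKtZdiQ"
EXPECTED_DESTINATIONS = {"1KYiKJEfdJtap9QX2v9BXJMpz2SfU4pgZw"}  # the usual Bitfinex address

def decode_omni_simple_send(script_hex):
    """Return (property_id, amount_units) for an Omni simple send in an OP_RETURN script, else None."""
    script = bytes.fromhex(script_hex)
    if len(script) < 2 or script[0] != 0x6A:      # 0x6a = OP_RETURN
        return None
    push_len = script[1]                          # direct push opcode (1..75 bytes)
    payload = script[2:2 + push_len]
    if push_len > 75 or len(payload) != push_len or not payload.startswith(OMNI_MARKER):
        return None
    body = payload[len(OMNI_MARKER):]
    if len(body) != 16:                           # uint16 version, uint16 type, uint32 property, uint64 amount
        return None
    version, tx_type, prop_id, amount = struct.unpack(">HHIQ", body)
    if version != 0 or tx_type != TX_TYPE_SIMPLE_SEND:
        return None
    return prop_id, amount

# Encode a simple send the same way (used only to construct the samples below).
def build_simple_send_script(prop_id, amount_units):
    payload = OMNI_MARKER + struct.pack(">HHIQ", 0, TX_TYPE_SIMPLE_SEND, prop_id, amount_units)
    return bytes([0x6A, len(payload)]).hex() + payload.hex()

def unexpected_treasury_sends(txs):
    """List (txid, receiver, usdt) for USDT sends from the Treasury to a non-expected address.
    Assumes sender/receiver were already resolved by an Omni-aware node (hypothetical upstream step)."""
    alerts = []
    for tx in txs:
        decoded = decode_omni_simple_send(tx["op_return"])
        if decoded is None or decoded[0] != TETHER_PROPERTY_ID:
            continue
        if tx["sender"] == TREASURY and tx["receiver"] not in EXPECTED_DESTINATIONS:
            alerts.append((tx["txid"], tx["receiver"], decoded[1] / UNITS))
    return alerts

# Constructed samples (txids are placeholders): the 10 USDT test, a 10M send to the new address, a routine 1M send to Bitfinex.
NEW_ADDRESS = "31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv"
SAMPLE_TXS = [
    {"txid": "tx-test", "sender": TREASURY, "receiver": NEW_ADDRESS, "op_return": build_simple_send_script(TETHER_PROPERTY_ID, 10 * UNITS)},
    {"txid": "tx-big", "sender": TREASURY, "receiver": NEW_ADDRESS, "op_return": build_simple_send_script(TETHER_PROPERTY_ID, 10_000_000 * UNITS)},
    {"txid": "tx-usual", "sender": TREASURY, "receiver": "1KYiKJEfdJtap9QX2v9BXJMpz2SfU4pgZw", "op_return": build_simple_send_script(TETHER_PROPERTY_ID, 1_000_000 * UNITS)},
]
```

Note that the small 10 USDT test send is flagged as well: a first-ever send to an unknown address is the earliest signal a monitor of the Treasury could have raised.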
As mentioned previously, the emergency patch issued by the Tether team prevented the hacker from spending the 30.9M USDT that had been stolen and moved to the address 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r. However, it is interesting to note that in this emergency nothing has yet been declared or clarified about the address 31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv.
This address appeared on the blockchain for the first time on November 19th as the output of a transaction receiving 0.01 bitcoins from 1LBQpqUTEmdPTH8adaV6xS8KQt6FGCD3xD. It is plausible that this transaction provided the address with sufficient funds to perform the subsequent transactions moving USDT to 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r.
That address, in turn, one hop back on the blockchain, is plausibly the change address of a transaction originating from 16KYFJiAoM4aX82xw2V3YBHX72trWNhz48 (part of the BitStamp stolen coins) and paying 1Ci3XEy71dGZ3ZDWF2CiVgsiAStt9WG5LX (the Lioncoin issuer).
We know it is difficult to follow this path without dedicated tools, so let’s recap the information we were able to identify: