As reported by Core Media, a recent security breach in Tether’s treasury wallet led to the theft of nearly $31 million worth of USDT, the tokens the company issues that are supposedly pegged to the USD at a 1:1 ratio.
Reacting to the attack, Tether decided to upgrade the Omni Core software, on which it is built, to lock the stolen tokens and prevent them from entering the cryptocurrency ecosystem. At the time, various exchanges halted USDT trading to upgrade their systems.
Recently, a Reddit user dubbed “SpeedflyChris,” in an attempt to learn more about the incident, managed to link the attack to the $5 million Bitstamp hack of 2015, in which about 18,000 BTC, now worth nearly $150 million, were stolen from the Luxembourg-based bitcoin exchange as employees fell victim to a weeks-long phishing attempt.
The redditor linked the attacks by using WalletExplorer, a smart bitcoin block explorer that groups addresses into clusters in order to identify their likely owners. Through it, he managed to link a wallet used to collect funds stolen from Bitstamp in 2015 to the Tether attack.
Per his research, the address used to collect the stolen Tether funds received 0.01 BTC before the hack, from the wallet linked to the Bitstamp incident. The deposit, according to SpeedflyChris, was either a way to make sure everything was working properly, or to ensure there was enough BTC there for transaction fees to move the Tethers around.
He continued, adding that the wallet, after receiving the BTC to ensure everything would function, received 23 million Tethers from the treasury wallet, then another 7.9 million, and then another 50,000, plus another 5 BTC, taken from the same wallet.
The funds were then sent to the hacker’s known address, which was revealed to the public in the company’s announcement. The 5 BTC then ended up in three separate wallets, as the Omni protocol allows coins to be “tagged” for different purposes.
SpeedflyChris further noted that the hacker’s address was used to create an Omni token, called Lioncoin. Furthermore, he added that the Bitstamp hackers’ wallet seems to be linked to other attacks:
“This wallet from the Tether and Bitstamp hacks seems to be owned by the same person who took 12000BTC from Huobi in late 2015, interesting.. https://www.walletexplorer.com/wallet/002d28cac852fc7d (…) Huobi are saying this is not a hack, so who knows why 12000 or so bitcoin was withdrawn from their exchange and combined with the coins from bitstamp see here before being passed through several more wallets and onto BTC-e in batches of 1000 or so.”
Connection to BTC-e and LocalBitcoins
The user further connected the attacks to now-defunct bitcoin exchange BTC-e. BTC-e was taken down earlier this year by the U.S. Federal Bureau of Investigation (FBI) and other law enforcement organizations, supposedly for being used to launder money.
A Russian national, Alexander Vinnik, was at the time arrested in Greece and accused of laundering $4 billion in BTC as BTC-e’s operator, although the exchange denies he was ever involved in it. Vinnik, who says he was just an employee at BTC-e, is currently awaiting extradition to Russia or the U.S., while BTC-e has rebranded and launched as WEX.
SpeedflyChris notes that the hacker took thousands from other exchanges and sent them to BTC-e, and that he used to sell smaller amounts on LocalBitcoins, pointing to various addresses. He concluded:
“So Localbitcoins guys, if you have a log of who was using this address back in 2015, you’ve got the hacker ;)”