CRACKING -

Investigating one of the biggest -


digital heists in history – from the outside

KIM NILSSON
• Brief history reminder

• Basics of blockchain analysis

• Acquiring the missing pieces

• Findings so far
Early 2014
BREAKING NEWS

WITHDRAWALS HALTED AT MTGOX

BREAKING NEWS

MTGOX CUSTOMERS DEMAND ANSWERS

BREAKING NEWS

MTGOX CEO ANNOUNCES BANKRUPTCY

 ALSO IN THE NEWS

• MtGox data leaked (March 2014)

• The “Willy Report” (May 2014)

• First creditor meeting (July 2014)

• Kraken selected to assist bankruptcy (November 2014)

 BEHIND THE NEWS

• Multiple creditor initiatives

• Acquire and/or rehabilitate MtGox

• Lawsuits to recover funds

• Gain access to investigate

• “Will this get handled properly?”

• Individual efforts < focused group effort






✓ Competence


 ✓ Local presence


 ✓ Determination

✓ Wannabe hacker group name

 PUBLIC AUDIT?
• First-of-a-kind opportunity

• Audit and forensic investigation using public data

• Blockchain + additional leaked data

• (Deposits) + (buys) – (withdrawals) – (sells) = (final balance)

• Reconcile deposits and withdrawals against blockchain

• (All MtGox spends) – (valid withdrawals) = theft ?

 OBJECTIVES
• Verify existing research

• Approach insiders

• Get better data

• Dig deeper

• Assist official investigations

 OBJECTIVES
• Verify existing research

• Approach insiders

• Get better data

• Dig deeper

• Assist official investigations

“Hey Mark, can we get a copy

of the MtGox database?”

LOL NO

OKAY
 RECONCILING DATA

• Leaked log of deposits and withdrawals

• Date and amount

• Match blockchain outputs to logged events

• Problem: too large for naive approach

 PARSING THE BLOCKCHAIN
• About 30–40 GB of blockchain at the time

• Approach 1: Scan entire blockchain, beginning to end,

while looking for target outputs to match

• Slow: 30m~8h depending on query complexity

• Approach 2: Build a fast index of the blockchain

entities and relationships
 BLOCKCHAIN DATA
• Block: previous hash, merkle root, timestamp, …

+ list of transactions

• Transaction: version, locktime


+ list of inputs

+ list of outputs

• Output: value, scriptPubKey

• Input: transaction hash, output index, seq#, scriptSig

BLOCKCHAIN RELATIONS
*
Block Transaction

* *

Input Output
*

Address
 BLOCKCHAIN INDEX
• Keep only essential data: identifiers, relationships, amounts

• Optimize for fast lookups and traversal

• O(log n) to look up something by identifier

• O(1) to get related entities

• Compact representation suitable for memory mapping

• 35 GB → 5 GB
RECONSTRUCTING WALLETS

1AbCd… 1DeFg… 1HjKm… 1NoPq… 1RsTu…

1Change… 1Target… 1Storage…

RECONSTRUCTING WALLETS

1AbCd… 1DeFg… 1HjKm… 1NoPq… 1RsTu…

1Change… 1Target… 1Storage…

RECONSTRUCTING WALLETS

1AbCd… 1DeFg… 1HjKm… 1NoPq… 1RsTu…

1Change… 1Target… 1Storage…

RECONSTRUCTING WALLETS

1AbCd… 1DeFg… 1HjKm… 1NoPq… 1RsTu…

1Change… 1Target… 1Storage…

RECONSTRUCTING WALLETS

1AbCd… 1DeFg… 1HjKm… 1NoPq… 1RsTu…

1Change… 1Target… 1Storage…

RECONSTRUCTING WALLETS
IDENTIFYING WALLETS

👤 4.756 BTC 👤
Entity X Entity Y
1AbCd…
 1B8k4…

1EfGh… 1CoW9…
1HjKm… 1Xxm2…
1.25477 BTC
1NoPq… 1Yb3w…
"

Help: deposit not showing up in account

Apr 27, 2016, 06:39:14 PM

btcoinr I sent 0.123456 BTC to Exchange A, as I write this


the transaction has 20 confirmations already but it

hasn’t shown up in my account yet, and support isn’t

answering… what do I do?
"

Help: deposit not showing up in account

Apr 27, 2016, 06:39:14 PM

btcoinr I sent 0.123456 BTC to Exchange A, as I write this


the transaction has 20 confirmations already but it

hasn’t shown up in my account yet, and support isn’t

answering… what do I do?

TXID: 01234567789abcdef…

👤 👤
Entity X Entity Y
1AbCd…
 1B8k4…

1EfGh… 1CoW9…
1HjKm… 1Xxm2…
1NoPq… 1Yb3w…
"

Help: deposit not showing up in account

Apr 27, 2016, 06:39:14 PM

btcoinr I sent 0.123456 BTC to Exchange A, as I write this


the transaction has 20 confirmations already but it

hasn’t shown up in my account yet, and support isn’t

answering… what do I do?

TXID: 01234567789abcdef…

" 🏦
btcoinr Exchange A
1AbCd…
 1B8k4…

1EfGh… 1CoW9…
1HjKm… 1Xxm2…
1NoPq… 1Yb3w…
 EARLY RESULTS
• ~2 million addresses identified as MtGox

• False positives when clustering! (shared keys)

• Growing discrepancy between real and expected

bitcoin holdings, suspected theft transactions

• Acquire better data to clean up results

 PROGRESS BY 2015

• Limited interest from bankruptcy trustee


or law enforcement

• Mark more cooperative after all the work so far

<nikuhodai> hey word on the street is


that they’re going to arrest you
<MagicalTux> just a rumor
8 HOURS LATER
 FINDINGS BY 2016

• There were multiple thefts


(as far back as the beginning of 2011)

• MtGox was insolvent for most of its existence

• MtGox traded its own liabilities on itself

• Connected to other bitcoin thefts

 WAITING…

• Known suspect for handling stolen coins

• Ongoing law enforcement investigations

• Delay publishing to avoid interfering

• Keep investigating details

ONE YEAR LATER
• Alexander Vinnik a.k.a. “WME”

• Received over half a million stolen

bitcoins from MtGox and other thefts

• Deposited the stolen coins onto

BTC-e, TradeHill, MtGox etc.

• Probably sold most bitcoins


(including via “money codes”)

• Alleged by US to be a

BTC-e administrator
 THE TRAIL TO VINNIK

• Didn’t use tumblers/mixers

• Spent coins from multiple sources together

• Deposited coins back to MtGox accounts (“WME”)

• Used his real name online (to complain about his

stolen funds being confiscated)
 LAUNDERER ≠ THIEF ?
• All evidence pointing to Vinnik are for the wallet(s) that
receive and move the stolen bitcoins

• The thief had possession of MtGox’s private keys, could

have sent the coins anywhere

• Unlikely a single person carried out this many thefts

• Sending coins to Vinnik without intermediate steps


suggests involvement or prior arrangement
 STOLEN PRIVATE KEYS?

• How do we know the thief stole the private keys?

• Running a second Bitcoin wallet on top of a

copied wallet.dat file leaves blockchain fingerprints
 KEYPOOL

• In the original Bitcoin wallet, 100 “next” private

keys are already pre-generated

• Lower chance of losing funds when restoring

from a backup

• Largely superseded by deterministic wallets

 KEYPOOL

Wallet
 Wallet

1Addr1
 1Addr1

1Addr2
 1Addr2

1Addr3
 1Addr3

…
 1KP1

1KP1
 …

1KP2
 1KP2

1KP3
 1KP3

… 1KP4

…
 KEYPOOL

Wallet.dat

Original 1
 Copy
2

3

4
⋮
100 Split

First new address unique to Copy
 MTGOX’S KEYPOOL
• First 100 theft transactions have change addresses
perfectly matching MtGox’s keypool as of

September 11, 2011, ~21:30 UTC

• Some of those addresses were allocated as

deposit addresses on MtGox’s side

• Thief steals coins, MtGox sees change as deposit

 WHAT WAS TAKEN?

• Compromised hot wallet, up to 100,000 keys

• Over time, relatively smaller share of total keys


(eventually MtGox had ~4 million keys)
 THEFT PATTERN

• Each transaction steals similar amounts

• Longer and longer time between transactions

• Restarts with same stolen wallet.dat file

THEFT PATTERN
 THE FULL MTGOX HISTORY

• Founded by Jed McCaleb in 2010

• Sold to Mark Karpelès in March 2011

• Already insolvent when sold

• Numerous incidents
BITCOIN HOLDINGS
…AND LIABILITIES
 INCIDENTS
Liberty Reserve withdrawal exploit

(January 20–23, 2011)

• Unsanitized input → XML injection

• Override with custom amount

• 50,000 USD lost



Total losses
50,000 USD

0 BTC
 INCIDENTS
Liberty Reserve withdrawal exploit #2

(January 30, 2011)

• Forgot to check for negative amounts

• User “withdrew” –$2,147,483.647,


got credited to their account


Total losses
• Fixed without permanent damage? 50,000 USD

0 BTC
 INCIDENTS
Hot wallet stolen

(March 1, 2011)

• Thieves copied wallet.dat from server

• 80,000 BTC lost

• Stolen bitcoins never moved



Total losses
• Spawned idea of trading debts to recover 50,000 USD

80,000 BTC
 INCIDENTS
Off-site wallet stolen

(May 22, 2011)

• 300,000 BTC temporarily kept on an unsecured


publicly accessible network drive

• Thief got nervous; gave coins back


in return for 1% keeper’s fee 

Total losses
50,000 USD

83,000 BTC
 INCIDENTS
Public hack via compromised accounts

(June 19, 2011)

• Hacker gained access to Jed’s admin account

• Manipulated balances and crashed market

• Got about 2,000 BTC out



Total losses
50,000 USD

85,000 BTC
 INCIDENTS
Absorbed Bitomat’s debts

(August 11, 2011)

• Bitomat collapsed after they accidentally deleted

their private keys

• MtGox offered to absorb the company



Total losses
• About 17,000 BTC of debts 50,000 USD

102,000 BTC
 INCIDENTS
Compromised database

(September, 2011)

• Hacker gained read-write access to database

• Inflated account balances and withdrew funds

• Deleted (most) evidence



Total losses
• About 77,500 BTC of withdrawals 50,000 USD

179,500 BTC
 INCIDENTS
Hot wallet stolen (again)

(Between September 11 and October 1, 2011)

• Thief got a copy of MtGox’s main wallet.dat

• Didn’t begin stealing funds until October 1

• In total, over 630,000 BTC stolen



Total losses
• Seemingly never noticed… 50,000 USD

809,500 BTC
 INCIDENTS
Incorrectly detected deposits

(October 1, 2011 and onwards)

• Thief wallet’s change seen by MtGox as deposits

• 48 MtGox users received a total of 44,300 BTC

• Some BTC recovered;




Total losses
about 30,000 BTC lost 50,000 USD

839,500 BTC
 INCIDENTS
Accidentally destroyed bitcoins

(October 28, 2011)

• A bug in Mark’s new wallet software caused it to

send 2,609 BTC to an unspendable null key



Total losses
50,000 USD

841,509 BTC
 INCIDENTS
US seizures

(May and August, 2013)

• Two law enforcement related seizures


of a total of 5 million dollars



Total losses
5,050,000 USD

841,509 BTC
 INCIDENTS
CoinLab dispute

(May, 2013)

• After a deal to become MtGox’s US processor fell

through, CoinLab allegedly refused to return 5
million dollars



Total losses
10,050,000 USD

841,509 BTC
 INCIDENTS
“Willy” — the MtGox obligation exchange

(2011–2013)

• Internal MtGox program to shift debts between different

currencies by injecting fake currency

• Intended to recover from insolvency,


but actually made it worse:

–51,600,000 USD
 

Total losses
–22,800 BTC 61,650,000 USD

864,309 BTC
 TOTAL IMPACT
• Over 60 million dollars and 865,000 BTC lost

• ~950,000 BTC in customer balances

• ~100,000 BTC in company revenues

• ~200,000 BTC left when MtGox collapsed

• Multiple compromises, not survivable

• Made worse by decision to keep quiet

 FAILURES
• Didn’t disclose early thefts

• Tried to dig their way out of a hole

• Proper auditing and monitoring prevented


by the need to keep the secret

• Increased risk
 ANYTHING LEFT?

• Coins from the June 2011 hack are moving

• Track 300,000 BTC thief-with-a-conscience?

• Possible connection with BTC-e?

• Additional traces connecting the thefts

 QUESTIONS?
kim@wizsec.com

@wizsecurity / @nikuhodai

1nikuYD1PUhAkhJaQWzLiLahuJBe9a2sZ