Insider hack

The incident

In December 2017, ~4,700 BTC were stolen from a company’s wallet.

The stolen Bitcoins were the assets of that company’s customers.
This company offers a platform for renting computing power for mining various cryptocurrencies on the Internet. The computing power is provided by their customers and rented to users via the platform.
The processing of the payments (deposits for renting computing power and payments to the providers of computing power) is handled by the company concerned.

At the Bitcoin rate at that time, the value of the stolen Bitcoins was ~53,815,000.00 EUR.

Date: December 2017
Damage amount: ~4,700 BTC / ~53,815,000 EUR
Status: open

If you are interested in a demo version of the analysis data, please contact us.

The analysis

Due to the complexity of the case, its analysis turned out to be very time-consuming.
We used the analysis tools we developed for blockchain analysis.

In addition, our analysis included the following research:

  • Tax data from publicly available annual reports of the company.
  • Statements made by the company to their customers or the press (e.g. in their blog).
  • Research about the company’s likely sales (through statistics on their website).
  • Research into the history of the company founder (he has already been sentenced to several years’ imprisonment in another case for computer fraud).
  • Extensive research into the repayments that the company made to its customers.

Since this is an open case, we will not publish all the details of our analysis here. We ask for your understanding.

Blockchain analysis

Immediately after the hack, the stolen Bitcoins were divided into thousands of small amounts and transferred between hundreds of Bitcoin addresses in order to cover up the traces of the transactions.
In our analysis, we followed these transactions up to deposits into wallets that we can clearly attribute to crypto exchanges.
This showed that the stolen Bitcoins (except for a few *) were all sold on crypto exchanges or exchanged for other cryptocurrencies by the end of January 2018. Most of the stolen Bitcoins were probably exchanged for Monero.
Our analysis yielded all transactions of the stolen Bitcoins to these exchanges, each with the exact transaction ID, the associated Bitcoin address, the exact time of the transaction and the volume of the transaction.

* The Bitcoins that have not been sold are still on addresses that we classify as a supposed “trap” for FIFO analyses.

Analysis of reimbursement to customers

Shortly after the incident, we were surprised that the robbed company made a statement to its customers in January 2018 (only one month after the theft) that it would pay for the damage incurred in full.
A look at the company’s annual reports showed a profit of 77,750.00 euros (2015), 118,384.00 euros (2016) and 3,264,210.00 euros (2017) for the years before the hack.
A comparison of these sums with the total value of the stolen Bitcoins made this statement seem even more daring.

The repayments to the robbed customers were carried out until November 28, 2019, and a total of 82% of the stolen Bitcoins were reimbursed.
We analyzed these repayments in order to assess the resulting costs.
We used various calculation models for this.
The first model assumed the lowest Bitcoin rate at the time of repayment, the second the highest Bitcoin rate, the third the Bitcoin rate on the exact date of the repayment, and the fourth the average Bitcoin rate between the individual repayments.
This resulted in costs for the repayments of between EUR 19,536,339.00 and EUR 30,289,845.00.
You can see these values in the following graphic (the costs for the repayments are shown in blue).
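
The four rate models described above can be sketched as follows. This is an added example, not the tooling used for the case: the quotes and repayments are constructed, "lowest" and "highest" are read as the daily low and high on the repayment date, and the interval average is assumed to be the mean daily closing rate since the previous repayment.

```python
from datetime import date
from statistics import mean

# Constructed daily EUR/BTC quotes (low, high, close); not real market data.
QUOTES = {
    date(2018, 2, 1): (7000.0, 8000.0, 7500.0),
    date(2018, 2, 2): (6000.0, 7500.0, 7000.0),
    date(2018, 2, 3): (6500.0, 7500.0, 7000.0),
    date(2018, 2, 4): (6000.0, 7000.0, 6500.0),
    date(2018, 2, 5): (5000.0, 6500.0, 6000.0),
}
# Constructed repayments as (date, BTC amount); not the company's real payouts.
REPAYMENTS = [(date(2018, 2, 2), 100.0), (date(2018, 2, 5), 50.0)]


def repayment_costs(repayments, quotes):
    """Total EUR cost of the repayments under each of the four rate models."""
    totals = {"lowest": 0.0, "highest": 0.0,
              "exact_date": 0.0, "interval_average": 0.0}
    previous = None  # date of the preceding repayment
    for day, btc in sorted(repayments):
        if day not in quotes:
            raise ValueError(f"no quote for repayment date {day}")
        low, high, close = quotes[day]
        # Closing rates after the previous repayment, up to and including this one.
        # Assumption: for the first repayment the window starts at the earliest quote.
        # Two repayments on the same day leave the window empty: fall back to close.
        window = [q[2] for d, q in quotes.items()
                  if (previous is None or d > previous) and d <= day] or [close]
        totals["lowest"] += btc * low
        totals["highest"] += btc * high
        totals["exact_date"] += btc * close
        totals["interval_average"] += btc * mean(window)
        previous = day
    return totals


def cost_range(totals):
    """Lower and upper bound of the repayment cost across all models."""
    return min(totals.values()), max(totals.values())


if __name__ == "__main__":
    costs = repayment_costs(REPAYMENTS, QUOTES)
    for model, eur in costs.items():
        print(f"{model:>16}: {eur:>12,.2f} EUR")
    print("range: %.2f to %.2f EUR" % cost_range(costs))
```

The spread between the lowest and highest model is what produces a cost range rather than a single figure.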

Analysis of the wallets of the robbed company

After the stolen Bitcoins were sold on crypto exchanges or exchanged for an anonymized cryptocurrency and their whereabouts could no longer be traced, the next step was to locate the Bitcoin wallets of the robbed company.
As you can see from the graphic, the account balance of these wallets increased significantly shortly after the hack, finally reaching a level in mid-2018 that almost corresponded to the total amount of the stolen Bitcoins (the account balance of the wallets is shown in yellow).
Of course, this also includes the deposits made by the company’s customers.
But if you take into account the company’s profits / sales from previous years, that probably does not explain such a rapid increase in account balances.

The bottom line

We published this case as an “Insider Hack” because we believe it was not a third-party theft.
The data all suggest that the December 2017 hack was only faked to gain access to the company’s own customers’ assets.

If you are interested in the complete analysis or in access to our demo version, please contact us.