Tracking the BitFinex Heist
bitfinex·@dooglus·
0.000 HBDTracking the BitFinex Heist
Last week, 119,754 BTC worth around $80 million USD were stolen from the BitFinex exchange in what was probably the second biggest Bitcoin theft of all time.
Yesterday their Director of Community Zane Tackett [posted](https://www.reddit.com/r/Bitcoin/comments/4wizdn/txid_and_bitcoin_addresses_connected_to_the/) a [list of the transactions](http://pastebin.com/2XSASEEZ) made by the thief.
I was curious to check whether any of the coins had been spent since the theft, and also wanted to check that the published total was correct. So I made a new Bitcoin Core wallet and imported all the theft addresses as "watchonly". After rescanning the blockchain all the transactions showed up. I was surprised to find that not a single Bitcoin has been spent yet:
Here's the wallet sorted by amount, showing the biggest thefts at the top. The thief rather sensibly emptied the biggest accounts first, so we see the biggest thefts at around 2am:
And here it is sorted by date, showing the newest transactions first. Notice the top 5 transactions are all tiny. They were likely made by victims of the theft in an attempt to track their coins. Other than those 5 we see the smallest thefts (around 4 BTC each) happening 3 hours later, at 5am. The whole theft took 3 hours to complete, although it is possible that most of that time was spent waiting for confirmations:
I have made a copy of the wallet [available for download](https://just-dice.com/misc/wallet.dat.bitfinex.bz2) if you want to load it into your own Bitcoin Core client to monitor for future spends. If I see the coins start to move I will make another post about it, and link to it from here.
Edit: I don't know if it matters or not, but I made the wallet using a release candidate of version 0.13 of Bitcoin Core. I wouldn't be totally surprised if the wallet.dat is incompatible with earlier versions of the client.
Edit2: I was asked how I made the 'watchonly' wallet. I put a list of all the addresses I wanted to watch into a file, then did this:
cat address.txt | while read x; do
echo $x; bitcoin-cli importaddress $x '' false
done
The `false` causes the client *not* to rescan the blockchain after adding each address. At the end I did this to cause it to rescan the blockchain:
bitcoin-cli importaddress $x '' true👍 dooglus, andu, baron90, madoff, johnerfx, furion, moonguy, satire, jeison, ritaroy, goodluckcanuck, pacpac, jazz, acidyo, thefrog, bergy, solar, frankjones, hanshotfirst, tarindel, bhokor, theyam, alexc, panadacoin, murh, klye, tomaso88, alexgr, prufarchy, wilco, sparkeddev, trance, repholder, hofman386, manoello, principalscunner, capone, bayareacoins, vegasluna, smooth, smooth.witness, thedon, johnbradshaw, unicornfarts, iloveporn, fuck.off, kissmybutt, vote, the.bot, thegodfather, thebotkiller, the.whale, stealthtrader, drinkzya, firepower, ranko-k, elishagh1, g4l, james-show, knozaki2015, jj888, instructor2121, bones, allbtc, helikopterben, roadscape, bledarus, rataloclaw, r0achtheunsavory, coinables, bitcoinerrorlog, juicyg, centre, kaicrypzen, ciao, mrshade, bitfish, steema, steemo, jarvis, confucius, alexoz, sirwinchester, jparty, ethbull, mangous, hmm, starik69, johnerminer, gord0b, someguy123, methodise, gryphon, brendio, wpalczynski, dkpl, jamin90,