Following The XRB Paper Trail

Lee Diddy
5 min read · Feb 11, 2018


I’ve read over the chat between Francesco Firano (aka Bomber), Colin LeMahieu and Zack Shapiro a few times over the weekend, and there’s a lot of information in there. What interested me in particular was the wallet that Bomber pointed out as the culprit responsible for the ‘hack’. I say ‘hack’, because there is strong evidence that there were bugs in Bitgrail’s code that caused ETH deposits to be duplicated, which created additional funds. One theory is that this may have been exploited on a large scale by the culprit.

Another thing I spotted from that chat is how keen Francesco is to plant the idea with Colin and Zack that the timestamps could be incorrect or invalid. Why? Because he wants them to believe that he only just discovered the thefts from the exchange and that they occurred recently. If he can convince Colin that the timestamps aren’t accurate then there is no solid evidence of how far back the theft has been occurring, and it also makes the Nano team partially culpable because their own tech was unreliable or inaccurate. Neither of these scenarios is true in my opinion.

In their chat, Bomber points out this wallet as belonging to the person responsible for the theft. We’ll call this Wallet A. Scroll down and you’ll see that there were numerous large transfers of XRB from this wallet to another, which we’ll call Wallet B here. On 26th October 2017, funds were moved from Wallet B to A in several batches of 10,000 XRB.

[Screenshot] XRB being received into Wallet A from Wallet B on 26th October 2017
[Screenshot] XRB being sent from Wallet A to another wallet on 26th October 2017

If you scroll further down Wallet A’s transactions you’ll see that there were *several* transactions made from one of Bitgrail’s wallets — Bitgrail Representative 1 (let’s call it BGR1) — into Wallet A. Here are just a couple of screenshots:

[Screenshot] Transfers of XRB from BGR1 into Wallet A
[Screenshot] Even larger transfers from BGR1 to Wallet A

There are a lot of transactions from BGR1 into Wallet A, and they are all timestamped 19th January 2018. Two of them were for 1,000,000 XRB each. How was this not detected when, according to BitGrail, large transactions were being processed manually?

Anyway, back to our paper trail. So funds are being moved out of Bitgrail’s wallet and into Wallet A on 19th Jan, and from there they are moved on to Wallet B and several other wallets, including this one here, Wallet C. This is probably a RaiWallet address.

Scroll down through Wallet C’s transactions and you’ll see a block of ‘receive’ transactions. Recognise the sender’s address? That’s Wallet A. These transfers were also made on 26th October 2017.

Further down Wallet C’s transactions there are a number of other sends and receives dated Thursday 18th January 2018 (the day before the larger transactions). This is significant because some of the transactions include XRB received from BGR1. These are relatively small amounts though, all in the hundreds. It could be that at this point the person had discovered a vulnerability in BitGrail and tried a few small transfers to see if they would work, and whether they could be made without detection. The next day, Friday 19th January, he saw that the funds were still in his wallets, so he began to siphon off larger amounts from BGR1 into his various wallets.

Another wallet I’d like to bring to your attention: Wallet D. This wallet is particularly interesting for a couple of reasons. Firstly, all the transactions that you see there occur on just two dates: Thursday 18th January and Friday 19th January. The second thing is the pattern of the transactions. Many are transfers received from Wallet A and then sent on to BGR1 in the exact same amounts:

[Screenshot] Transfers of XRB coming into Wallet D from Wallet A, then sent to BGR1

We know that Wallet A is the scammer’s wallet, because remember this is the same wallet Bomber pointed out in his chat to Colin and Zack as belonging to the person behind the ‘hack’. What isn’t clear is who Wallet D belongs to or who is in control of it at this point. What is interesting is that this person is receiving hundreds of thousands of XRB into this wallet from the scammer’s Wallet A, and then sending those same amounts to BGR1, Bitgrail’s legitimate wallet.

There are quite a few other wallets that may or may not be of interest, but one last one I’d like to bring to your attention is this one, Wallet E. Remember that in Wallet D above we were seeing lots of transactions coming into the wallet from the scammer’s Wallet A and then being sent to BGR1, one of Bitgrail’s main wallets. Well, if you scroll further down you’ll see that Wallet D was doing the same thing with E too: receiving XRB from E and then transferring the same amount to Bitgrail’s official wallet BGR1. These transactions are also timestamped 19th January.
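The two patterns described above (Wallet C’s small test transfers from BGR1 on the 18th followed by much larger ones on the 19th, and Wallet D receiving an amount from A or E and forwarding exactly that amount to BGR1 minutes later) are the kind of thing that is tedious to spot by scrolling through an explorer but easy to check mechanically. The script below is an added example of how an investigator could run those two checks over an exported transaction list; it is not from the original post and uses a small constructed ledger with the post’s wallet labels (A, B, C, D, E, BGR1) rather than real addresses, amounts or block data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (NOT real chain data). Labels follow the post:
# "A" is the wallet Bomber pointed to, "D" the pass-through wallet, "BGR1"
# Bitgrail Representative 1. Amounts and times are invented for illustration.
LEDGER = [
    # (timestamp, wallet, kind, counterparty, amount in XRB)
    ("2018-01-18T10:05:00", "C", "receive", "BGR1", 300),
    ("2018-01-18T10:20:00", "C", "receive", "BGR1", 450),
    ("2018-01-19T09:00:00", "A", "receive", "BGR1", 1_000_000),
    ("2018-01-19T09:30:00", "A", "receive", "BGR1", 1_000_000),
    ("2018-01-19T10:00:00", "D", "receive", "A", 250_000),
    ("2018-01-19T10:07:00", "D", "send", "BGR1", 250_000),
    ("2018-01-19T11:00:00", "D", "receive", "E", 120_000),
    ("2018-01-19T11:04:00", "D", "send", "BGR1", 120_000),
    ("2018-01-19T12:00:00", "D", "receive", "A", 80_000),
    ("2018-01-19T12:30:00", "D", "send", "B", 50_000),  # amount differs: no match
]


def parse(ledger):
    """Turn the ISO timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(ts), w, k, cp, amt) for ts, w, k, cp, amt in ledger]


def find_pass_throughs(ledger, wallet, window=timedelta(hours=1)):
    """Return (source, destination, amount, delay_minutes) for every receive
    into `wallet` that is followed, within `window`, by a send of exactly the
    same amount out of `wallet`. Each send is matched to at most one receive,
    so a single large send cannot 'explain' several smaller receives."""
    txs = sorted(parse(ledger), key=lambda t: t[0])
    sends = [t for t in txs if t[1] == wallet and t[2] == "send"]
    used = set()
    matches = []
    for ts, w, kind, src, amt in txs:
        if w != wallet or kind != "receive":
            continue
        for i, (sts, _, _, dst, samt) in enumerate(sends):
            if i in used or samt != amt or sts < ts or sts - ts > window:
                continue
            used.add(i)
            matches.append((src, dst, amt, int((sts - ts).total_seconds() // 60)))
            break
    return matches


def daily_inflow(ledger, wallet, source):
    """Per calendar day: [total, largest single amount] `wallet` received from `source`."""
    totals = defaultdict(lambda: [0, 0])
    for ts, w, kind, cp, amt in parse(ledger):
        if w == wallet and kind == "receive" and cp == source:
            day = ts.date().isoformat()
            totals[day][0] += amt
            totals[day][1] = max(totals[day][1], amt)
    return dict(totals)


def escalation_days(ledger, source, ratio=10):
    """Flag days on which the largest amount any wallet pulled from `source`
    is at least `ratio` times the previous active day's largest amount: the
    'probe with small transfers, then drain' pattern the post describes.
    Returns (day, previous_max, current_max) tuples."""
    by_day = defaultdict(int)
    for ts, w, kind, cp, amt in parse(ledger):
        if kind == "receive" and cp == source:
            d = ts.date()
            by_day[d] = max(by_day[d], amt)
    days = sorted(by_day)
    flagged = []
    for prev, cur in zip(days, days[1:]):
        if by_day[prev] > 0 and by_day[cur] >= ratio * by_day[prev]:
            flagged.append((cur.isoformat(), by_day[prev], by_day[cur]))
    return flagged


if __name__ == "__main__":
    for src, dst, amt, delay in find_pass_throughs(LEDGER, "D"):
        print(f"Wallet D forwarded {amt:,} XRB from {src} to {dst} after {delay} min")
    print("Wallet D inflow from A by day:", daily_inflow(LEDGER, "D", "A"))
    for day, before, after in escalation_days(LEDGER, "BGR1"):
        print(f"{day}: largest pull from BGR1 jumped from {before:,} to {after:,} XRB")
```

With a real export, the interesting tuning knobs are `window` (how quickly the forwarding happens; the post’s screenshots suggest minutes) and `ratio` (how sharp the jump from test amounts to large withdrawals has to be before it is worth a second look). Exact-amount matching is deliberately strict: a wallet that forwards a received sum minus a fee or a round-number slice would need a tolerance added to the comparison.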

E is an interesting wallet because if you look at its transactions it is primarily used to send XRB; it doesn’t receive much. I have no idea why. What was of interest to me is that of the 5 ‘receive’ transactions that do come into this wallet, 4 of them come from a Mercatox wallet, totalling 1.3M XRB. I don’t know if this is relevant at all, but I thought I’d add it because I recall seeing a post on Reddit where someone believes they found a nexus between the theft on Bitgrail and a wallet on Mercatox.

Anyway, this is what I’ve found. I don’t know if any of the above is relevant. There could be an innocent explanation for everything I’ve shared above. I just hope everyone who still has money on Bitgrail is able to get it out. I also hope there is something Colin and Zack can do to help those who have lost funds. I have seen some people who have lost up to $1M in this incident, and that’s not fair as they invested in Nano in good faith. I’m a big believer in Nano myself, but I wasn’t affected as the little I have was already off the exchange.

If you discover anything that might clear up anything I have shared above, feel free to tweet me at @leediddy, or hit me up on Reddit at u/leediddy. Thanks for reading.
