How EtherScan.io shows transfers of tokens out from 0x0 address, while no one has the private key?

Actually, this is slightly technical: etherscan.io just depends on Solidity Events to show the transactions. You can imagine Solidity Events like messages from Solidity code to the outer world. Those Events (messages) usually represent what is happening for most cases but for minor cases they does not.

Actually, some smart contracts (Mintable tokens) uses this events by passing 0x0 as the “from” address. The code looks like:

emit Transfer(address(0), _to, _amount);

Technically speaking, Solidity Events as like messages (from Solidity to the subscribed listener) and they do not necessarily reflect what is actually happening.

Code sample of a Mintable Token:

function mint(address _to, uint256 _amount) onlyOwner canMint public returns (bool) {
totalSupply_ = totalSupply_.add(_amount);
balances[_to] = balances[_to].add(_amount);
emit Mint(_to, _amount);
emit Transfer(address(0), _to, _amount);
return true;
}

So, there is nothing actually transferred from 0x0 address. It is just how etherscan.io displayed the Events that it reads from Ethereum network.

To read some discussions about this at you can check the replies to this Reddi question.

You may like to check the following related publication for a wider view angle: Hundreds of Millions of Dollars Locked at Ethereum 0x0 Address and Smart Contracts’ Addresses — How, Why and What to do?