Recovering stolen bitcoin: a digital wild goose chase

Bitcoin

Victims of the biggest theft in bitcoin history tried to put the much vaunted anonymity of the currency to the test as they attempted to recover their stolen money.

But instead, they were left out of pocket and with egg on their faces.

In early December, Sheep Marketplace, a site which used bitcoin and the anonymising browser Tor to enable online sales of illicit goods, shut down. The site's administrator reported that a dealer had found a bug in the system which had been exploited to steal 5,400 bitcoins.

But users smelled a rat: they reckoned Sheep had probably been holding far more than that amount, and had returned none of the excess to users.

Former customers of Sheep banded together, and discovered a bitcoin wallet holding 96,000 bitcoins which seemed to be linked to the thefts. At the exchange rate at the time, that was worth a little over $100m.

Follow the money

What happened next was only possible due to the unique features of bitcoin. The money started to be transferred between accounts – and the users followed it.

Bitcoin's approach to privacy differs markedly from the traditional financial system. The conventional privacy model works by strongly linking personal identities to transactions, and then sharing those transactions only with the two parties involved and trusted third parties – normally payment providers such as Visa and Mastercard.

Bitcoin's decentralised nature means that all transactions are necessarily public, because they have to be verified by the peer-to-peer system. To counter that lack of anonymity, the network is designed to separate transitions from identities: users can see that one "wallet" - denoted by a string of random letters and numbers – has sent bitcoins to another wallet (another string of random letters and numbers), but can't easily find out who is behind those strings.

For small transactions, that leaves anonymity largely intact, although there remains a risk that a particular pattern of transactions may render users identifiable; and if someone posts their address publicly, they are no longer anonymous. But when a block of 96,000 bitcoins moves through the network, the public nature of all transactions becomes more difficult to overcome.

One member of the bitcoin subforum on Reddit was particularly tenacious in tracing the money. In a long series of posts on the subforum, "sheeproadreloaded2" detailed the many twists and turns the money took travelling through the systems.

Small bitcoin transactions can be laundered using a "tumbler", which takes money from multiple sources, mixes it all together in one wallet, and spits it out the other side. Someone following the cash sees it get split and recombined over and over, until it's impossible to separate from the money being tumbled by other users.

But that plan falls apart when trying to launder $100m of bitcoin. What the bitcoin thief found was that the sheer quantity of cash they were tying to hide overwhelmed every other transaction being tumbled at the same time: 96,000 bitcoins went in at one end, and 96,000 came out at the other. It seemed like their money had been successfully traced to one final address where it eventually came to rest.

But then, the edifice came tumbling down. Another user on the subforum noticed their own bitcoins being transferred to the same address.

And then the truth dawned: far from being a holding account for the biggest bitcoin theft in history, the wallet was actually part of the internal workings of BTC-E, an exchanges where users can trade bitcoins for conventional currency.

It turned out that for three days, the community had been following not the increasingly desperate attempts of a thief to cover their tracks, but the internal workings of a currency exchange.

Dead ends

At one point, at least, the internet detectives were on the right track. Sheep Marketplace really did shut down, and bitcoins were stolen. But rather than play a shell game to try and keep the money hidden, the thief appears to have done what any normal person would have: traded the digital currency for real money at the earliest opportunity.

It's not the first time a bitcoin exchange has had its internal workings thrust into the spotlight. In November, a 190,000 bitcoin transfer (then worth $147m) made the press as the largest in history. Speculation abounded as to who had moved the money, with the Zuckerberg-bothering, bitcoin-investing Winklevoss twins and the currency's mysterious creator Satoshi Nakamoto both being named as possibilities.

But in reality that transaction was probably just the result of Bitstamp, a popular exchange, shuffling its own funds: most of the money came from accounts known to be used by the exchange, and ended back in similar accounts later on.

Nor is it the first time a crowd-sourced manhunt on Reddit has gone awry. The site has such problems with its user base attempting to track down wrongdoers that it enforces a rule against posting personal information – known as doxxing – more thoroughly than practically any other rule it maintains.

Even that didn't prevent users wrongly accusing Sunil Tripathi, a missing student from Brown University, of being the Boston Bomber in April this year. Tripathi was cleared when the names of Tamerlan and Dzhokhar Tsarnaev were released, but that wasn't in time to stop vigilates vandalising a memorial Facebook page and "informing" his family that he was a terrorist. Tripathi was found dead a week after the bombs went off.

When it comes to Sheep Marketplace, the crowd is still working through the information. They think they've found the former moderator of the site, who has given an interview to the Czech Republic's biggest newspaper in an attempt to clear his name, and behind the scenes some users are trying to see if there are any other loose ends in the block chain.

Sheeproadreloaded2 has left the scene, refusing to accept that they were wrong: "You all stop [the thief] becoming the richest man in Europe in 20 years. I'm going home. I'm tired, I've got no milk in the fridge,and I need to go back to my day job of driving about in a van, solving mysteries. I think bitcoin is real, because I sell it. Most of you only buy it and change it into weed. It's the sort of money which not only buys political power - its enough to bend the fabric of space/time itself."

For the most part, though, things are back to normal. The second top post on the dying subforum is a review of some MDMA shipped by a vendor who moved to the Silk Road. "It just misses the mark as the best MDMA I have ever used… For the price, you can't beat it."

Bank of America predict that Bitcoin could be worth $1,300, giving the currency its biggest boost yet.

Powered by Guardian.co.ukThis article was written by Alex Hern, for theguardian.com on Monday 9th December 2013 15.29 Europe/London

guardian.co.uk © Guardian News and Media Limited 2010

 

images: © Zach Copley, © Zach Copley

Register for Financial Markets News Alerts