The Bitcoin community is stunned as news of another high-profile cryptocurrency hack, this time at multi-algo mining pool Nicehash, spreads across the Internet. More than 4,700 BTC have been stolen from Nicehash’s bitcoin wallet and are now parked in another address. Before the hack, however, the funds had been deliberately accumulated at a specific address in Nicehash’s wallet.
The funds were transferred in 5 transactions, the first of them containing the bulk of the loot, approximately 4,655 BTC. That transaction was validated at block height 497,845 on 2017-12-06 07:17:12 UTC. After that, the hacker made another 4 smaller transactions, with many blocks between them. The last of these transactions was made just a few hours ago at block height 497,988 (2017-12-07 00:21:00).
Thus the hacker was in control of Nicehash’s wallet from 07:17 yesterday (December 6) to 00:21 today. That’s over 20 hours. During that time, the malicious party managed to drain a total of $65.3 million in BTC. Meanwhile, Nicehash has been offline, and the first press release informing customers about the situation came out just a couple of hours ago.
Some obvious questions arise:
- How did the hacker manage to control the wallet for such a long time?
- Why did nobody stop him from performing at least the latest transactions?
- Doesn’t Nicehash monitor their wallet 24/7?
- Shouldn’t they have the vast majority of their BTC in cold storage?
Suspicious BTC Transactions
Another thing to note here is that before the five transactions which drained Nicehash’s wallet, there were many transactions in previous blocks which were gathering coins from other addresses. These suspicious transactions were made from block height 497825 (2017-12-06 04:30:42) to block height 497844 (2017-12-06 07:07:06). That’s another two and a half hours.
In the next block, 497845, all the accumulated funds were moved to the hacker’s address. Thus it is evident that someone or something (a script?) deliberately gathered coins from lots of addresses to a single address in Nicehash’s wallet and then moved all the coins to the hacker’s address in a single move. But why did the hacker need to do this? If he was in command of the wallet, couldn’t he have moved the coins from their original addresses to his address directly, rather than losing time gathering them to a single address and then moving them out? Why spend time doing so in many different blocks?
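The accumulate-then-sweep pattern described above is something a wallet operator can alert on before funds leave. The following Python detector is an added example, not part of the original article or Nicehash's tooling; it runs over constructed transactions. The simplified record format (addresses instead of UTXOs), the address names, the amounts, and the `min_sources` and `window` thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample data: addresses and amounts are placeholders, not the
# real transactions; only the block heights follow the article's timeline.
OWN = {"hub", "own1", "own2", "own3", "own4", "own5", "own6"}
TXS = [
    {"height": 497825, "inputs": ["own1"], "outputs": [("hub", 900.0)]},
    {"height": 497830, "inputs": ["own2", "own3"], "outputs": [("hub", 1500.0)]},
    {"height": 497838, "inputs": ["own4"], "outputs": [("hub", 1200.0)]},
    {"height": 497844, "inputs": ["own5"], "outputs": [("hub", 1055.0)]},
    {"height": 497845, "inputs": ["hub"], "outputs": [("external1", 4655.0)]},
    # Ordinary payout from an address with no prior fan-in: must not alert.
    {"height": 497846, "inputs": ["own6"], "outputs": [("customer1", 0.02)]},
]

def detect(txs, own, min_sources=4, window=50):
    """Return alerts for (a) an own address fed by >= min_sources distinct
    own addresses within `window` blocks and (b) that address then paying
    an address outside the wallet."""
    fan_in = defaultdict(dict)   # hub -> {source address: last height seen}
    warned, alerts = set(), []
    for tx in sorted(txs, key=lambda t: t["height"]):
        h = tx["height"]
        sources = [a for a in tx["inputs"] if a in own]
        for dest, amount in tx["outputs"]:
            if dest in own:
                # Internal transfer: remember which own addresses fed dest.
                for s in sources:
                    if s != dest:
                        fan_in[dest][s] = h
                recent = [s for s, sh in fan_in[dest].items() if h - sh <= window]
                if len(recent) >= min_sources and dest not in warned:
                    warned.add(dest)
                    alerts.append(("fan_in", h, dest, len(recent)))
            else:
                # Funds leaving the wallet: was the spender recently a hub?
                for s in sources:
                    recent = [x for x, sh in fan_in[s].items() if h - sh <= window]
                    if len(recent) >= min_sources:
                        alerts.append(("sweep", h, s, amount))
    return alerts

if __name__ == "__main__":
    for alert in detect(TXS, OWN):
        print(alert)
```

On this sample the fan-in warning fires at block 497838, seven blocks before the sweep in block 497845.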
UPDATE DECEMBER 9: Nicehash has posted a nice visualization of transactions related to the notorious hack incident.
Individual Users Talk About "Inside Job"
These questions, among others, are already being debated by the miner community, as Nicehash has been offline for almost 24 hours. There are already Reddit users and miners who talk about “an inside job”.
Some negative memes have also been posted, obviously making a joke of Nicehash.
As JustCryptoNews.com reported earlier, there is information circulating about the true owner of Nicehash, allegedly connecting him to the person arrested in 2010 for malware that infected 12 million computers. There are also miners who point out the fact that Nicehash was not lowering the 0.01 BTC limit for withdrawals. In fact, they are attributing the hack to the service’s “greed”.
Of course, nobody knows yet what has actually happened and it is probably too early or too easy to talk about an inside job. Nicehash has announced it is already working with authorities and law enforcement to find out what happened. So we should wait before jumping to conclusions, as Nicehash had a clean record until now and many miners were more than satisfied with the service.
The only thing that is certain by now is that Bitcoin is the new gold and, as such, it is targeted by thieves, just as the precious metal was in the Wild West many years ago.
What do you think?