The Strange Antics of the Bitcoinica Thief


The internet and the blockchain that power Bitcoin are unique in that they make any significant events in the Bitcoin ecosystem public, even if the identities carrying out the acts may sometimes be pseudonymous. Anomalies like the so-called “mystery miner”, large buys and sells on MtGox, and SatoshiDice causing the Bitcoin network to exceed its all-time transaction record are available for all to see and comment on. The recent Bitcoinica theft, however, takes this form of publicity to a whole new level.

The Bitcoinica theft, like all others in the Bitcoin world, is visible on the public blockchain, but this time the thief has decided to exploit this functionality for a novel purpose: to send us a message. The idea of using the blockchain for this purpose is not new; a proof of concept has been demonstrated by one individual putting up one of Shakespeare’s sonnets, and blockchain message services have been appearing online since 2011, but this is the first time this technique has found a use in practice. The message comes in the form of a transaction that uses the decimal places of the values spent to encode the text in binary:

12ukfPXZXf1c9BAA1mnEJx3di3wHFRgate - (Spent)   1.01100101 BTC
12t7J13pGkQRw1fqmXCAC6AtcgMt6WuQ11 - (Unspent)   2.01111 BTC
1BvF2mAT1wJBRk1RQdevKr9Y86xJU1xC7r - (Unspent)   3.0111 BTC
18Dw1jXWmSN5kc6Ss892LvnjaR7fGmEM4e - (Unspent)   4.01100101 BTC
1B45M5U8LEf6SjyKcYhNabRhfTZf7XuFRi - (Unspent)   5.01100011 BTC
13uGxhXa7vSgsCVL8k9iAPKnHMT8GNmCN4 - (Unspent)   6.011101 BTC
17Q8E5ja1vcPV1iButAiRnL8wP3egWWWDf - (Unspent)   7.001 BTC
18mNvmHKWnEDswhY1a4jGRVdnMyLn2S2vq - (Spent)   116.4569963 BTC
17ReQJWabDWG3MCYRfv48huZX6BvGc8NQX - (Unspent)   8.01101101 BTC
116FM8p14RTPmUE9hPga2fN1M5W314ACNV - (Unspent)   9.01100001 BTC
1JzwRdeeCnPRvBWTJWjmeD1CKAHcfmVZ3N - (Unspent)   10.01110011 BTC
1CH62vfy7JsP1CyDAcdVNAeW8ojQvcnGaV - (Unspent)   11.01110011 BTC
1A7m74Bak6YXfh4S3zZXrGgStCXbcnE49E - (Unspent)   12.001 BTC
1J8vS5HfGFHYDdRaT6Qc6GKYXNzgqFnHLe - (Unspent)   13.011011 BTC
1PA5AfAnbZsmZSZsihGfBvR1pHLVXb1vi6 - (Unspent)   14.01100101 BTC
1FdQpjwo5vYwgo1D3Rx8QusrzUfisPzJbY - (Unspent)   15.01100001 BTC
1CWVQ9itPYo8AAmGtfNXPJPyA2byY3QrcY - (Unspent)   16.01101011 BTC
1Hax1B8LY4gJQgC8i6LKkCWtQ8ptshTGEC - (Unspent)   17.001 BTC
1Hbru1fBYjE8Bp29L9vVCZUDkf84EHPbXW - (Unspent)   18.01110011 BTC
1M2EZg1YzhRo4CvS2dd4CeYHGGCCHwLRQc - (Unspent)   19.01101111 BTC
15aiB25xw3JSpaoV5pit4BBxpVQwhF2Mwn - (Unspent)   20.01101111 BTC
15ArtCgi3wmpQAAfYx4riaFmo4prJA4VsK - (Spent)   21.0110111 BTC

The decimal places give binary ASCII codes for the individual letters of the message, which spell the cryptic “expect mass leak soon”.
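
The decoding can be reproduced directly from the amounts listed above. The following Python is an added example, not part of the original article; the function names are illustrative. It assumes the listing dropped trailing zeros from Bitcoin's 8-decimal amounts (so each fraction is right-padded to 8 bits) and that the whole-number part is the character's position in the message.

```python
# Output amounts (BTC) copied from the transaction listing above, in listed order.
AMOUNTS = """1.01100101 2.01111 3.0111 4.01100101 5.01100011 6.011101 7.001
116.4569963 8.01101101 9.01100001 10.01110011 11.01110011 12.001 13.011011
14.01100101 15.01100001 16.01101011 17.001 18.01110011 19.01101111
20.01101111 21.0110111""".split()


def split_amount(amount):
    """Return (position, 8-bit string) for a message-carrying output.

    Returns None for ordinary outputs, such as the 116.4569963 BTC one,
    whose fraction is not a binary pattern for printable ASCII.
    """
    whole, _, frac = amount.partition(".")
    if len(frac) > 8 or set(frac) - {"0", "1"}:
        return None
    bits = frac.ljust(8, "0")          # restore the trailing zeros
    if not 32 <= int(bits, 2) <= 126:  # keep printable ASCII only
        return None
    return int(whole), bits


def decode_message(amounts):
    """Decode the hidden text; also report any missing positions."""
    cells = sorted(c for c in map(split_amount, amounts) if c)
    text = "".join(chr(int(bits, 2)) for _, bits in cells)
    seen = {pos for pos, _ in cells}
    missing = [p for p in range(1, max(seen, default=0) + 1) if p not in seen]
    return text, missing


if __name__ == "__main__":
    message, gaps = decode_message(AMOUNTS)
    print(repr(message), "missing positions:", gaps)
```

The printable-ASCII filter and the gap report are there to keep round-number outputs (for example an even 1 BTC) from being mistaken for message characters when the same check is run over other transactions.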

Also of interest is the thief’s generosity. The last transaction, of 21 bitcoins, was sent to the address of the Bitcoin faucet, which gives every Bitcoin user 0.005 bitcoins, and the faucet has distributed these coins to over a thousand people since then. The thief also generously gave out bitcoins on the Bitcoin IRC chat, handing out over thirty in total.

There are many possible motives for these actions. Clearly they were in part motivated by a simple desire to have fun, but the generosity may also have ulterior motives behind it. After the previous 43000 BTC Bitcoinica Linode theft, MtGox responded by freezing any accounts which contained coins that came from the original 43000 BTC transaction, reopening the accounts only in exchange for identification documents. It’s likely that the same will happen as a result of this theft. Thus, by distributing the coins so widely, the thief is trying to get as many people as possible flagged as being connected to the theft. While a Joker-like desire to wreak havoc for its own sake could be the end of the thief’s motives, and it fits perfectly well with the “expect mass leak soon” message, there is another reason why the thief would want to do this. By flagging so many people as potential thieves, the thief is diluting the value of the blockchain as a forensics tool in the first place. When he himself gets around to cashing out on his remaining 17200 bitcoins, if he gets caught at any point he can simply claim to be one of his lucky recipients.

The long-term strategy of the thief seems to be to hold on to most of his loot. While the perpetrator of the 25000 BTC theft in June 2011 quickly spread the wealth, mixing it in with large, active pools of money that likely represent major services and exchanges, both the Linode thief and this thief instead spread the coins out slightly, but were then content to keep their loot untouched. There are many reasons why the thieves would want to do this; one is the much stricter policy now compared to last June on the part of MtGox, leading the thieves to embark upon a slower and steadier strategy of cashing out by mixing coins a few at a time with various laundry services and accounts. Another is that the thieves are Bitcoin users just like everyone else, and optimistically believe that Bitcoin will have a higher value in the future. Unfortunately, at this point it’s impossible to know. While the more recent thief may be eager to hand out bitcoins and send messages, he has not yet released any kind of manifesto, and unless he does so we have no information to go on; the blockchain may tell us what is happening, but it says nothing as to who or why.


