While reading up on the recent $31M Tether hack, we stumbled upon an excellent example of chain analysis posted by Reddit user SpeedflyChris.

By following the transaction flows through the Bitcoin and Omni blockchains, the analysis lays out the timeline of the events leading up to and following the attack. It also manages to link the attacker to:

Kudos SpeedflyChris!

The analysis is well explained and meticulously documented. However, written narratives of blockchain transactions don't make for easy reading. So, we've supplemented SpeedflyChris's commentary with a series of graphics visualizing the transactions.

The Tether hack, visualized

All blue text below has been reproduced from Reddit.

It actually starts with this wallet1 here:

https://www.walletexplorer.com/wallet/12f4885dad525cc1

Look familiar? Go to the last page, that was the wallet used to steal 19000BTC from Bitstamp back in January 2015 (and which was still receiving coins from Bitstamp as recently as September, well done guys).

This wallet made two transactions, the first is fairly innocuous but I'll come back to it later:

https://www.walletexplorer.com/txid/7b46c7....

This address then sends out a further 0.01BTC

https://www.walletexplorer.com/address/31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv

The following morning it sends 0.01 to the address that was several hours later used to empty the Tether wallet2:

https://www.walletexplorer.com/address/1LBQpqUTEmdPTH8adaV6xS8KQt6FGCD3xD

I'm not quite sure why they would make a deposit like this to it hours before - perhaps to test that everything is working?

At 10:53, the wallet makes several transactions transferring 23 million tethers from the tether wallet:

https://omniexplorer.info/lookupadd.aspx?address=31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv

Then at 11:10 they transfer another 7.9 million tethers.

A further 50,000 tethers are transferred over at 11:54.

At 12:01, 5BTC (the bulk of the bitcoin in the tether wallet) is transferred over to the same address:

https://www.walletexplorer.com/txid/e7e09cd092a5febdcae6b2ec76b06389c29298ed237dd1f210e1e54f096f1f92

These tethers are then transferred over to the address in the Tether announcement as their relevant blocks are confirmed.

https://omniexplorer.info/lookupadd.aspx?address=16tg2RJ...

The 5BTC is also transferred to this address in amounts of roughly 1BTC per transaction:

https://www.walletexplorer.com/address/31okFF1rUu8jjPEVuajycTRBp82Nteo4Mv

Following the BTC along, you arrive back at an address from before, which is confirmed to be part of the wallet holding the stolen Tether:

https://blockchain.info/tx/eeaf8b9c6288c28c481d6e37d687b5c42b0222fb3d8a73bdca81c1a12243c579

It's worth noting that this same address was just used to create an Omni token called lioncoin: https://omniexplorer.info/lookupsp.aspx?sp=2147484016

The BTC from the tether wallet ended up in these addresses:

https://blockchain.info/address/1HtmVRdFRqPScH7Ud6UFR6HUcndksjVmua

https://blockchain.info/address/155KG55pRsV1Y9jdwwynfGHGqR9cqPKToB

https://blockchain.info/address/1M8b8BNMEMFFem9UQpZydoespHzXjAnC9t

All transactions viewed together
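
The hop-by-hop tracing in the reproduced analysis can be automated as a time-respecting graph search over all transfers at once. The sketch below is an added example, not code from SpeedflyChris or Elementus; the ledger rows, address labels and amounts are constructed placeholders, and `trace_forward` is a hypothetical helper.

```python
from collections import defaultdict
import heapq

# Constructed sample ledger: (time, sender, receiver, asset, amount).
# Labels, times and amounts are illustrative placeholders, not chain data.
TRANSFERS = [
    (100, "old_theft_wallet", "hop_1", "BTC", 0.02),
    (200, "hop_1", "hop_2", "BTC", 0.01),
    (300, "hop_2", "drain_addr", "BTC", 0.01),        # small deposit before the drain
    (400, "treasury", "drain_addr", "USDT", 23_000_000),
    (450, "treasury", "drain_addr", "BTC", 5.0),
    (500, "drain_addr", "holding_addr", "USDT", 23_000_000),
    (150, "hop_2", "unrelated", "BTC", 0.5),          # sent before hop_2 was funded
]

def trace_forward(transfers, seed, start_time=0):
    """Return {address: (earliest_arrival_time, path)} for every address that
    is reachable from `seed` through transfers in chronological order.
    A transfer only extends a path if it happens at or after the moment the
    sender was first reached, so earlier, unrelated spends are not linked."""
    outgoing = defaultdict(list)
    for t, src, dst, asset, amount in transfers:
        outgoing[src].append((t, dst))

    best = {seed: (start_time, [seed])}
    heap = [(start_time, seed)]
    while heap:
        arrived, addr = heapq.heappop(heap)
        if arrived > best[addr][0]:
            continue  # stale queue entry, a faster route was already found
        for t, dst in outgoing[addr]:
            if t < arrived:
                continue  # transfer predates the funds we are following
            if dst not in best or t < best[dst][0]:
                best[dst] = (t, best[addr][1] + [dst])
                heapq.heappush(heap, (t, dst))
    return best

if __name__ == "__main__":
    for addr, (when, path) in sorted(trace_forward(TRANSFERS, "old_theft_wallet").items(),
                                     key=lambda kv: kv[1][0]):
        print(when, " -> ".join(path))
```

A path found this way is an investigative lead, not proof of common ownership: exchanges, mixers and shared services sit on many paths, so each hop still needs the manual review the analysis above performs.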

Blockchains are not designed to be read by humans. Enter Elementus.

Our technology surfaces actionable insights directly from the blockchain, identifying security vulnerabilities, exposing bad actors, and providing market intelligence for smarter digital investments.