Initial theories suggested the Binance hack was self-inflicted, but followup events say otherwise.

Update 9/5/2019: The coins are actually being spent so this theory has been debunked. We now return you to your regularly scheduled $40 million crypto heist.

So it appears that the hacker has directly disproven this theory because the funds have moved from the bech32 addresses that they were sent to. Definitely taught me something about Bitcoin that I did not know before. https://t.co/qBfkOtvg59 — CryptoMedication (@ProofofResearch) May 8, 2019

As the cryptoverse starts diving more deeply into the news of the alleged $40 million Binance hack, a number of strange details are emerging and compelling signs say this was not actually a robbery, but rather a $40 million screw up.

Findings come courtesy of CryptoMedication on Twitter.

A failed migration

1/ In studying the TX ID provided for the alleged hack that occurred on Binance, I came to the firm conclusion that the funds that were sent to the bech32 addresses (prefix 'bc1') are NOT SPENDABLE. Here's the TX ID: https://t.co/auzxZPuBCv — CryptoMedication (@ProofofResearch) May 8, 2019

The vast majority of the supposedly stolen funds were moved to Bech32 addresses.

SegWit Bitcoin wallets are characterised by Bech32 addresses. SegWit is basically just an upgraded flavour of Bitcoin infrastructure that's better and more user friendly, while Bech32 addresses are the type of Bitcoin wallet that goes with SegWit.

You can immediately recognise Bech32 addresses because they start with the prefix "bc1". So whenever you see funds going into a Bitcoin address beginning with "bc1" you know someone's using SegWit.

Cryptocurrency exchanges want to upgrade to SegWit because it's all-around better, and because users will commonly request it for their own convenience, as well as the good of Bitcoin on the whole. SegWit is more efficient, so more people using it rather than the older versions can help lower Bitcoin transaction fees.

But in order to upgrade, exchanges have to migrate all their Bitcoin from the old addresses to new Bech32 addresses. To do this, exchanges literally have to send money from their own wallets to the new wallets. They're often moving hundreds of millions of dollars, so it's a pretty tense process and is usually done unannounced to avoid inviting trouble.

Coinbase made the migration in December 2018, triggering a mild panic in the process, but Binance was one of the last major exchanges yet to make the SegWit migration.

In fact, in a Q&A session following the news of the "hack", Binance CEO Changpeng "CZ" Zhao responded to someone who asked when SegWit would be arriving, by saying that Binance was still working on it. So if this $40 million loss really was the result of an accident during SegWit migration, CZ may have died a little inside upon fielding that question.

Why the funds are unspendable

Every Bitcoin transaction carries information about the wallets it's going to and from, the reasons you know it's a valid transaction and so on. Without the right information, the Bitcoin can't be spent.

One of the improvements of SegWit is that it rearranges this information and packs it more efficiently. Bech32 addresses are designed to read that information in the new and more efficient way that SegWit arranges it. But if it's not packed correctly, they can't read it.

So when you're sending Bitcoin to a Bech32 address, you need to make sure you're sending it from a type of address that knows how to pack the information correctly. Otherwise it arrives in the Bech32 address without the information needed to be transferred again.

That's what happened here. About 7,000 Bitcoin worth $40 million are now stuck.

It's like the Binance Bitcoin went on vacation but forgot their passport, and now they're stuck in an airport for eternity because border control won't let them out without a passport.

How do we know it wasn't the thief who messed up?

But which is more likely? That a Binance technician makes this kind of mistake when carefully transferring $40 million, or that some dopamine-crazed hacker makes a fatal error while trying to escape with the loot?

Perhaps the latter, but in this case there's evidence that it was the former.

3/ One TX, in particular, really caught my eye. Funds were sent to 1CQFNdCsDvZgB62eYLgS5q4eNZkZDuhUev as part of the illicit extraction of funds from the exchange, but those funds were then sent back to Binance's hot wallet directly (which is very abnormal). pic.twitter.com/FYcmEQXPGR — CryptoMedication (@ProofofResearch) May 8, 2019

While this isn't conclusive proof that someone at Binance made a mistake, it's a strong sign that it was an unintentional inside job.

This is because when you send money to your Binance account, you're sending it to your own personal Binance address. Once it's in there, Binance's systems automatically sweep it into the same big wallet, but keep track of who it belongs to.

But what happened here is that some of the funds which were supposedly stolen were sent directly back to that big wallet address. Presumably the only people who would ever do this are Binance employees who want to put funds directly in the wallet. Plus there's certainly no reason for a thief to do this.

On the whole, the evidence is pretty compelling. It's not 100% guaranteed and there may be other things to consider, but it's definitely compelling.

It's not clear why Binance would claim it was theft, which is an even worse look than admitting it was just a straight up mistake, but hey, grief makes people do strange things.

On the bright side of things, 7,000 Bitcoin just got burnt. Theoretically that means the rest just got a little bit more valuable.

Disclosure: The author holds BTC, BNB, ATOM at the time of writing.