Bitstamp narrowly avoided losing an additional $1.75m in bitcoin during its recent hack, according to a blockchain analysis by an independent researcher.

In the final hours of a $5.1m heist that took place at the exchange five days ago, the $1.75m in bitcoin was quickly moved to an address thought to be used for cold storage by Bitstamp, analyst Danno Ferrin has found.

CoinDesk can confirm that the address in question was controlled by Bitstamp as recently as 2nd December. The firm’s chief executive, Nejc Kodric, said at the time that the address was being used during an audit. While the CEO said the data was to be made public in the week of 8th December, the exchange hasn’t published any audit results since 24th May.

Ferrin, who publishes his blockchain analysis at his blog CryptoCrumb, said the rescued funds likely came from the hundreds of addresses the exchange used to accept customer deposits. Those addresses appear to form the ‘operational wallet’ Bitstamp said was compromised on 4th January, leading to a heist of the $5.1m.

According to Ferrin’s analysis, transaction data on the blockchain links funds flowing out of Bitstamp’s operational wallet into the Bitstamp ‘audit’ address, as well as another address that is widely presumed to be controlled by the thief.

If Ferrin is right, then a total of $6.6m in Bitstamp funds were at risk of being stolen, although the exchange managed to rescue about a quarter of the funds in the nick of time.

“It could have been worse,” Ferrin wrote.

Flurry of transactions

The hack appears to have started in the early hours of 4th January, when 3,100 BTC was transferred into the theft wallet. Funds flowed in steadily for the next 16 hours. By 4pm, the address had a balance of over 6,000 coins.

Then the inflows accelerated. Late into 4th January and in the first hours of the next day, an additional 12,000 coins were placed in the theft wallet.

At this point, Bitstamp appeared to begin sweeping funds out of its hot wallet, placing them beyond the reach of the hackers.

The rescued funds were spirited into the cold storage address in a flurry of transfers taking place over about 30 minutes that saw 4,200 BTC deposited.

The exchange’s address received two transactions of 1,000 BTC at 00:54 on 5th January. Some 15 minutes earlier, it had already taken in 22 transfers of 100 BTC. The large transfers continued until 01:06, when an additional four 100 BTC chunks were deposited.

All told, the cold storage address received a total of 6,478 BTC, worth about $1.8m, on 5th January. The theft address held 18,977 bitcoins at its height.

Race to grab funds

One explanation for what took place on 4th and 5th January is that the exchange was locked in a race with the intruder to grab funds out of the hot wallet.

The thief appeared to have access to all the addresses in Bitstamp’s hot wallet, Ferrin says, because some transactions show the theft wallet generating a ‘change address‘ that was later accessed by Bitstamp.

One example of this highlighted on Ferrin’s blog shows 32 BTC sent to the theft address. This transaction generated a change address that contained about 0.64 BTC. Some 40 minutes later, this change address was emptied out, forming part of a transaction totalling 10 BTC to Bitstamp’s cold storage address.

The thief’s wallet, therefore, created a change address that was also accessible by Bitstamp. This suggests the thief had gained control of Bitstamp’s internal systems governing its hot wallet and not merely that wallet’s private keys, Ferrin said, adding:

“They knew they were in a race between each other to claim what was left on the table.”

Analysis ‘makes sense’

Ferrin wrote a piece of software called Numisight to perform blockchain analysis as a hobby. His day job is on a software deployment team at enterprise software giant Oracle. He says he intends to release his software soon.

One security researcher who has read Ferrin’s analysis concurs with its conclusions.

Kristov Atlas, who started the Open Bitcoin Privacy Project, said the sequence of transactions was consistent with the notion that Bitstamp salvaged about a quarter of the funds at risk. He adds that the evidence remains inconclusive about precisely how the intruder breached Bitstamp’s systems.

“The timeline of Bitstamp working to sweep coins into cold storage in the final hours of the attack makes sense,” Atlas said.

Unexplained details

Several other details of the attack transactions published to the blockchain continue to puzzle analysts like Ferrin, however.

A number of transactions to the theft wallet had high miner’s fees of up to 1 BTC attached. Such high fees wouldn’t have increased the priority of the transaction in many cases, because the transaction amounts were already large enough to grant it high-priority status among miners.

Miners value a transaction’s priority by weighing its size and age, before considering the transaction fees attached.

Another issue is what appears to be continued activity and theft from Bitstamp’s hot wallet. As recently as 8th January, coins continued to flow into the theft wallet, from what Ferrin and others presume to be addresses in which Bitstamp customers deposit funds.

The thief’s decision to transfer all the ill-gotten funds to one address is also a puzzling one, Ferrin says.

Funnelling such a large amount of coins to one address encourages scrutiny on the blockchain. It also could make the coins more difficult for the thief to spend undetected.

“Sending it all to one address was a huge mistake,” Ferrin said. “[If the coins were sold on an exchange], they would be asked to explain it. They would have left a trail.”

Stolen coins on the move

The stolen coins are now on the move. The original theft address has been largely emptied out with just 90.6 BTC remaining. The funds have been dispersed to dozens of new addresses – 47 at Ferrin’s last count on 7th January.

A small number of coins now appear to have been sent to a coin mixer, which would make it more difficult for future buyers of the coins to trace them back to the Bitstamp theft.

But no matter where the stolen coins end up, the transactions surrounding the theft will now remain publicly available on the blockchain.

“Things used to happen in the smoke-filled rooms which you would never know about, now the blockchain provides an opportunity to go back in time, prove them going backwards. It’s kind of like sunlight being the best disinfectant,”said Ferrin.

Correction: Ferrin may release his software, but would keep the source proprietary. An earlier version of this article mistakenly said he would make his software open-source.