Blockchain forensics end double-spending debate – Cointelegraph Magazine
2024.07.11 10:03
|
A decade after Ethereum’s initial coin offering, which raised $18.5 million in Bitcoin by selling roughly 60 million Ether, debates about whether different forms of manipulation tactics were involved still swirl in social media.
One theory questions whether the Ethereum founders double-spent investors’ funds to artificially inflate the success of the ICO while allowing them to close the sale with a larger share of Ether under their control.
Magazine conducted a joint investigation with Canada-based blockchain forensics experts at Gray Wolf Analytics to determine whether the ICO included double-spending of Bitcoin, an activity deemed fraudulent by the presale’s terms and conditions. The investigation specifically looked for any Bitcoin that entered the presale wallet, was withdrawn and then looped back in.
Three batches of withdrawals took place during the sale. The Ethereum team pulled approximately 3,800 Bitcoin from the ICO deposit address, also known as the exodus wallet, claiming to use them to cover operational costs and loans. Upon examination, some subsequent transactions related to these outflows appeared to create loops in which relatively small quantities of Bitcoin returned to the deposit address.
However, the investigation found that although some transactions initially displayed double-spending characteristics, further analysis determined that the funds in question did not originate from the presale address.
Exodus wallet (36PrZ-gxo2) withdrew roughly 3,800 BTC across three withdrawals during the Ethereum ICO. (Gray Wolf)
“We concluded with a high degree of certainty that this was not the same BTC withdrawn from the exodus address, ” Chedi Mbaga, head of forensics at Gray Wolf, tells Magazine.
However, the investigation found some funds with illicit origins, suggesting that bad actors used the Ethereum ICO to launder dirty Bitcoin for clean Ether.
In 2014, it was quite easy to participate in the Ethereum ICO. All you needed to do so was have some Bitcoin and an email address.
In one example, Gray Wolf’s forensic analysis traced 499 Bitcoin — the second largest single purchase in the ICO — to BTC-e, a now-defunct exchange notorious for serving illicit actors and laundering criminal proceeds.
Although the investigation found no double spending in Ethereum’s presale, it was clear that no measures were taken to limit the sale of Ether to illicit actors.
The Ethereum Foundation did not respond to requests for comments.
Here’s where double-spending allegations can occur
Approximately 3,800 Bitcoin were withdrawn from the presale wallet during the 42-day ICO in three batches. The trail of one of these outflows shows Bitcoin dispersed to several wallets, and within a few transactions, a wallet is seen moving 53 Bitcoin into the exodus wallet “36PrZ1KHYMpqSyAQXSG8VwbUiq2EogxLo2.”
Additionally, there are several trails from the three batches of Bitcoin outflows that share these characteristics.
But Mbaga says that these trails could be mistaken as double-spending incidents, and blockchain records unveil an opposing narrative.
First, the “1L1JRVExeKiqBU1pmvoyzCfRzCfEP64pBJ” address is identified as the recipient address of the three batches of withdrawals. The first batch was a 1,150 Bitcoin transfer from the exodus wallet to 1L1J on August 11. From here, the Bitcoin appears to disperse to various wallets.
Most of those Bitcoin were sent to a second wallet, which then transferred 592 Bitcoin to a third wallet, and from there, 93 Bitcoin were sent to a fourth wallet.
The next transaction is where recycling allegations arise.
The following transaction by wallet four contains deposits from seven different addresses and two receiving addresses: Recipient A and Recipient B.
Transaction records show Bitcoin from Recipient A (1QFDJ-Xus7) depositing tokens to the exodus wallet. (Blockchain.com)
Recipient A is subsequently seen sending 53 Bitcoin to the exodus address. Without context, this could appear as if the 53 Bitcoin circled back into the ICO wallet.
But Gray Wolf’s analysis found that these Bitcoin trace back to the six other deposits within the transaction involving wallet four.
Meanwhile, the majority of the Bitcoin from wallet four was ultimately deposited to an Ethereum Foundation wallet through Recipient B.
“Those outflows (62.93 of the 93.313 BTC) traced from [wallet four] were deposited to an Ethereum Foundation wallet [and] we ultimately attributed the BTC deposited by [Recipient A] to different deposit paths in the backward trace,” Mbaga says.
He adds that the behavior of the funds that moved from the exodus wallet during the presale mirrors that of payments and operating costs rather than nefarious activities.
Why was the Bitcoin withdrawn?
It’s not as if the Ethereum team secretly took out some funds during the sale to cover existing costs.
In fact, Ethereum co-founder Vitalik Buterin announced the withdrawals before they happened to repay loans and operating expenses.
“The intent is to withdraw 4,150 BTC from our exodus address within the next 48 hours. We reserve the right to withdraw up to 850 BTC more if needed before the end of the 42 day duration of the sale, but at this point it is likely that the remainder of the BTC in the address will remain unused until the sale ends,” Buterin wrote in an August 8, 2014 blog post.
Read also
Features
This is how to make — and lose — a fortune with NFTs
Features
Can blockchain solve its oracle problem?
Blockchain transaction data shows that the Ethereum Foundation withdrew less than the announced amount (roughly 3,800 Bitcoin) during the presale period, with the 1L1J wallet used to manage the funds.
Outside of what appears to be a $3 trial transaction, 1L1J has only ever received funds from the exodus wallet during the presale. This address appears to have been created to facilitate operational outflows during the sale, as all funds were quickly emptied, and it was never used again.
Major outflows from 1L1J were traced to 15 hop search depth. (Gray Wolf)
Of the total 3,800 Bitcoin, Gray Wolf’s analysis found at least 1,000 Bitcoin were either parked, deposited to exchanges or transferred to Ethereum team wallets in 15 transfers. The rest of the Bitcoin continued moving beyond 15 hops.
Terms of the Ethereum ICO
The Ethereum presale was conducted under Ethereum Switzerland (EthSuisse). Operations were handed over to the Ethereum Foundation after the ICO, with EthSuisse eventually liquidated.
The ICO kicked off on July 22, 2014, and ran for 42 days, concluding on September 2. By the end, around 31,600 Bitcoin were deposited into the exodus address for a total sale of around 60 million Ether. Of that total, an additional 9.9% of the presale was allocated to early contributors, and another 9.9% was given to the Ethereum Foundation.
The decision to allocate pre-mined tokens to the founding members was controversial, as it pushed the starting supply of Ether to 72 million, with the team controlling at least 16.7% of the entire supply. As a result, about 60% of the 2024’s circulating supply of about 120 million Ether was distributed in its genesis block.
For the first two weeks of the sale, 1 Ether was priced at 0.0005 Bitcoin, meaning a single Bitcoin could buy 2,000 Ether. Over the next 22 days, the amount of Ether received per Bitcoin decreased by 30 Ether per day. In the final six days, 1 BTC would buy1,337 Ether.
To prevent a single investor from acquiring a large portion of the token’s supply, EthSuisse limited individual purchases to 2 million ETH, though the terms and conditions state that large purchasers could contact EthSuisse directly for clearance.
Read also
Features
Meet Dmitry: Co-founder of Ethereum’s creator Vitalik Buterin
Features
Crazy outcomes when current laws applied to NFTs and the metaverse
Regardless, there was no strict way to enforce these limits.
Any single entity could hypothetically make unlimited purchases with multiple email addresses and repeat this as many times as they could afford to.
Meanwhile, investors were discouraged from directly depositing to the presale wallet.
Instead, the ETH presale website would generate a proxy wallet for ICO participants to send their Bitcoin. The funds were then moved to the exodus wallet on behalf of investors. This means that most investors did not control the wallets that directly deposited the Bitcoin to the exodus wallet.
Gray Wolf found 9,000 total inflows into the exodus wallet on the Bitcoin network.
Deposits to the exodus wallet. (Gray Wolf)
Of those inflows, smaller purchases of 25 or fewer Bitcoin dominated the presale with 8,814 transactions. The second most frequent volume range was 26 to 50 Bitcoin in 98 transactions. The highest single purchase was recorded for 699 Bitcoin and the second-highest for 499, which can be traced back to BTC-e.
Ethereum’s ICO experience can still be emulated by accessing the presale website using the Internet Archive’s Wayback Machine.
Visitors can still follow the presale prompts to generate a fully functioning Bitcoin wallet.
Magazine generates a Bitcoin wallet through the 2014 Ethereum presale page in 2024. (EthSuisse/Internet Archives)
Magazine generated a wallet through the Ethereum 2014 presale page in June 2024 and sent a very small amount of Bitcoin to confirm that the wallet is indeed functional. Magazine has no control of the wallet.
Dirty Bitcoin, clean Ether
A case of illicit fund flows in the Ethereum ICO was revealed in November 2023 when the US Department of Justice seized 30,000 Ether ($54 million) from darknet drug dealer Christopher Castelluzzo.
Some of the proceeds from Castelluzzo’s narcotics business (which were in Bitcoin) were allegedly used to buy Ether in the 2014 ICO. At the best rate, Castelluzzo would have traded 15 Bitcoin for his 30,000 Ether.
The Justice Department stated that in 2016, Castelluzzo received an additional 30,000 tokens of Ethereum Classic, a cryptocurrency representing the Ethereum blockchain that includes records of The DAO hack, from which the current Ethereum blockchain forked to revert its damages.
Supporting this trend, Magazine and Gray Wolf’s investigation found trails that suggest illicit actors used the Ethereum ICO to wash their dirty Bitcoin in exchange for clean Ether.
Bilyuchenko is among the most wanted criminals listed on the US Secret Service website. (US Secret Service)
Namely, the second-largest single purchase of 499 Bitcoin was tracked back to BTC-e, an exchange that was shut down by law enforcement in 2017. Launched in 2011, BTC-e was “one of the primary ways by which cyber criminals transferred, laundered and stored criminal proceeds,” according to the US Justice Department.
US authorities claim that the exchange was used to launder funds from the Mt. Gox hack.
In June 2023, the Justice Department charged Alexey Bilyuchenko and Aleksandr Verner with involvement in the Mt. Gox hack and with conspiring to launder the funds. Additionally, Bilyuchenko was charged with conspiring with Alexander Vinnik to operate BTC-e from 2011 to 2017. Vinnik pleaded guilty in May 2024.
The Mt. Gox hack came to a crescendo in early 2014, and it’s possible that due to the lack of Anti-Moneuy Laundering or Know Your Customer controls in the Ethereum presale, the proceeds from the theft may have been laundered, Mbaga says.
“It’s the concern that due to the lack of these controls, someone could have put in dirty money and got out clean ETH at the other end,” he says.
In addition to the second-largest single purchase order in the Ethereum ICO, the investigation also found other Bitcoin deposits that trail back to BTC-e, though these instances occurred in smaller volumes, such as five to 10 Bitcoin, according to Mbaga.
In the earlier days of the ICO, 10 Bitcoin would have bought investors 20,000 Ethereum. That’s worth about $68 million, as of June 28, 2024.
Where did all the other Bitcoin go?
The remaining proceeds from the Ethereum presale either ended up in dormant wallets or sent to exchanges while a majority circled back to Ethereum Foundation-linked wallets.
Aside from the 1L1J address, three other wallets were used to facilitate major outflows from the exodus wallet.
Read also
Features
Crypto audits and bug bounties are broken: Here’s how to fix them
Features
Crazy outcomes when current laws applied to NFTs and the metaverse
The remaining deposits occurred after the presale concluded and behavioral patterns suggest that all three wallets belonged to the Ethereum team, Mbaga says.
The first withdrawing wallet received about 1,202 Bitcoin from the exodus wallet. Gray Wolf traced these Bitcoin within a 15-hop search depth and found that 428 of those coins were either parked at a wallet that stayed dormant, sent to exchanges or circled back to Ethereum-controlled addresses.
A second withdrawer, also belonging to the Ethereum Foundation, was identified as the largest direct recipient of the presale proceeds. It received 17,219 Bitcoin from the exodus account.
“From a behavior analysis perspective, the wallets played noticeably different roles. The 1L1J address seemed to have been for upfront operational expenses, with smaller exchange deposits and smaller individual distributions across subsequent hops,” Mbaga says.
“[The first] was more for smaller distributions, with a significant proportion of those funds going back to team wallets. And [the second] was largely a pass-through wallet used for short-term storage.”
Fund flows from the exodus wallet to the Ethereum Foundation’s public address. (Gray Wolf)
Finally, a publicly known Ethereum Foundation address emptied the presale wallet by receiving 9,359 Bitcoin. It also received 14,888 of the 17,219 Bitcoin in the second wallet and, by September 2015, held 24,214 of the presale BTC proceeds.
Into the Ether
The success of Ethereum’s presale kicked off what is known today as the ICO boom of 2017, a period where cryptocurrency projects successfully raised millions of dollars through the presale process, though the method was also favored by scammers.
A decade later, Magazine and Gray Wolf’s joint investigation found that Ethereum’s ICO may have created an environment for illicit actors to launder criminal proceeds on the Bitcoin blockchain to present themselves with a fresh opportunity on Ethereum.
Some illicit actors that held on to their Ether saw astronomical gains in the past decade, with Ether trading at $3,380 on June 25, 2024. At the time of the presale, they were sold for about $0.31 per coin.
Meanwhile, the investigation concluded that the presale did not contain double-spending of Bitcoin.
Three batches of outflows from the exodus wallet that were withdrawn to cover a backlog of costs raised concerns that some of the token’s final destination could be the same as its origin.
Such double-spending would have allowed the founding team to get a head start on Ether accumulation on top of the 12 million tokens that they already received on the genesis block as part of the project’s allocation strategy.
The transactions on the Bitcoin network were found to visually present potential double-spending activities, but closer analysis of the trails squashed such suspicions.
Subscribe
The most engaging reads in blockchain. Delivered once a
week.
Yohan Yun
Yohan Yun is a multimedia journalist covering blockchain since 2017. He has contributed to crypto media outlet Forkast as an editor and has covered Asian tech stories as an assistant reporter for Bloomberg BNA and Forbes. He spends his free time cooking, and experimenting with new recipes.
Read also
Hodler’s Digest
FTX 2.0 coming up, Multichain FUD and Worldcoin raises $115M: Hodler’s Digest, May 21-27
by
Editorial Staff
6 min
May 27, 2023
FTX reboot is in the works, Multichain issues spark uncertainty and Sam Altman’s crypto project Worldcoin raises millions of dollars.
Read more
Hodler’s Digest
Coinbase posts $1.1B loss, Polygon DApps rocket 400% in 2022 and Elon Musk says inflation is on the decline: Hodler’s Digest, Aug 7-13
by
Editorial Staff
6 min
August 13, 2022
The best (and worst) quotes, adoption and regulation highlights, leading coins, predictions and much more — one week on Cointelegraph in one link!
Read more