Introduction
First of all, let me say that this report is based on facts that I’ve learned through my research of QuadrigaCX Ethereum hot wallets. I do not wanna speculate, read between the lines or make any conspiracy theories. I just wanna present facts that can be verified. It’s not helpful for crypto, as a whole, to make theories that can’t be proven.
First things first
When I decided to look into this, I got withdrawal tx info from a couple of QuadrigaCX users (thanks for this!). From there I concluded that all withdrawals are coming from address
0xB6AaC3b56FF818496B747EA57fCBe42A9aae6218. Looking further into the blockchain, I realized that in the past they had one more hot wallet and it’s
0x027beefcbad782faf69fad12dee97ed894c68549. If you look at Etherscan you can see that the second address is even marked as QuadrigaCX. It means that address is verified by Quadriga and it’s 100% owned by them. The first address is not verified, but according to my analysis, the fact that user withdrawals went from there and that it’s stated in the current director's affidavit as the hot wallet address proves it without any doubt.
Some interesting facts
Before I deep dive into blockchain analysis, let me show some interesting numbers. According to my analysis, QuadrigaCX had a total of 42,314 users with ETH deposits. The total amount of ETH ever sent to (both) QuadrigaCX hot wallets is 2,935,752 ETH. In the next couple of graphs, I've combined both hot wallets and made them look like one. Here’s a graph that shows the number of new users (with ETH deposits) per day:
The next graph shows how many input/output transactions per day were made to QuadrigaCX hot wallets:
The next one shows how much ETH was sent to QuadrigaCX hot wallets, how much was sent out of the hot wallet and what the final hot wallet balance was for that day:
I'm aware that those graphs are not easy to read, so here is a table that shows daily stats that you can easily read:
How I did this analysis and what I was looking for
It's time to dive a bit deeper into the blockchain. The first thing that I wanna state here is that I'm not going to speculate and make any suggestions about inputs/outputs from hot wallets. Any QuadrigaCX user could trigger a withdrawal to ANY address (including other exchanges or ShapeShift). In the same manner, ANY user could send funds to the hot wallet from any address (including other exchanges or ShapeShift). Once funds enter an exchange, there's no way to know who has sent funds in or out. Any conclusions and speculations about those just can't be proven and shouldn't be made. My sincere hope is that other exchanges (including ShapeShift) will cooperate and give us (and/or authorities) some info. We can ONLY flag those transactions and ask exchanges for help. My effort in this analysis is to try to find suspicious behaviour which should not happen. I'm going to flag all those suspicious transactions and analyze those wallets. I will also try to see whether there are any traces of cold wallets and finally show the top 100 input/output wallets for the known QuadrigaCX hot wallets.
One more thing that I wanna explain before the deep dive is my understanding of how the QuadrigaCX hot wallet is set up, what I would consider suspicious behaviour and why there are still inputs to the hot wallet. As far as I can see, QuadrigaCX is using derived addresses (can be BIP32, BIP39, BIP44...) with some derivation path. So, each QuadrigaCX customer has a unique derived ETH address assigned to him, where he sends deposits. All those addresses are constantly monitored and when new funds are found, those are transferred to the hot wallet. That's how the hot wallet is set up according to my analysis. Worth mentioning is that they probably used BIP39 mnemonic words + passphrase to create the seed and root key (xprv). With that you can create/access all derived addresses that are used in the hot wallet. My current understanding (but I can't be sure) is that the frontend database is prefilled with those derived addresses so the system can assign new ones to new users, but there's a backend part where only the QuadrigaCX owner had access, which has all the private keys and is responsible for transferring funds from the derived addresses to the hot wallet. I assume that the reason why funds are still transferred to the hot wallet is that no one has access to this backend part, so it's still up.
If that's how the system operates (and I'm sure that it is according to my analysis, with possible slight deviations), I would consider suspicious each transaction from those derived addresses to something other than the hot (or eventually cold) wallet. My main effort is to figure out all those suspicious transactions and analyze them.
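The rule above can be applied mechanically to a transaction list. The following is an added example, not the author's tooling: the two hot wallet addresses are the ones given on this page, while the `Tx` record, the `analyze` function, every other address, the label and all transactions are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

WEI = 10**18
# Hot wallet addresses as given on this page, lower-cased for comparison.
NEW_HOT = "0xb6aac3b56ff818496b747ea57fcbe42a9aae6218"
OLD_HOT = "0x027beefcbad782faf69fad12dee97ed894c68549"
HOT_WALLETS = frozenset({NEW_HOT, OLD_HOT})


@dataclass(frozen=True)
class Tx:
    sender: str
    to: str
    value_wei: int
    failed: bool = False  # e.g. "out of gas": gas is spent, the value does not move


def analyze(txs, hot=HOT_WALLETS, cold=frozenset(), labels=None):
    """Apply the rule: a deposit address may only pay a hot or cold wallet.

    labels maps an address to a name for known third parties (for example an
    exchange withdrawal wallet tagged on a block explorer).
    Returns (deposit_addresses, report).
    """
    labels = {a.lower(): name for a, name in (labels or {}).items()}
    hot = {a.lower() for a in hot}
    allowed = hot | {a.lower() for a in cold}
    txs = [Tx(t.sender.lower(), t.to.lower(), t.value_wei, t.failed) for t in txs]

    # Candidate deposit addresses: unlabelled senders that swept into a hot wallet.
    # Limitation: a user who paid the hot wallet directly by mistake lands here too.
    deposit = {t.sender for t in txs
               if t.to in hot and not t.failed
               and t.sender not in allowed and t.sender not in labels}

    outputs = defaultdict(lambda: {"wei": 0, "txs": 0, "failed_txs": 0})
    direct = defaultdict(lambda: {"wei": 0, "txs": 0})
    hot_to_deposit = []
    for t in txs:
        if t.sender in deposit and t.to not in allowed:
            row = outputs[(t.sender, t.to)]
            if t.failed:
                row["failed_txs"] += 1  # counted, but no ETH left the address
            else:
                row["wei"] += t.value_wei
                row["txs"] += 1
        elif t.failed:
            continue
        elif t.sender in labels and t.to in hot:
            direct[t.sender]["wei"] += t.value_wei  # labelled party paid hot wallet
            direct[t.sender]["txs"] += 1
        elif t.sender in hot and t.to in deposit:
            hot_to_deposit.append(t)  # hot wallet paying a deposit address back
    return deposit, {"suspicious_outputs": dict(outputs),
                     "direct_labelled_inputs": dict(direct),
                     "hot_to_deposit": hot_to_deposit}


def addr(n):
    """Constructed 20-byte placeholder address; not a real account."""
    return "0x" + f"{n:02x}" * 20


DEPOSIT_A, DEPOSIT_B, USER = addr(0xA1), addr(0xB2), addr(0x99)
EXCHANGE_X, OUTSIDE_1, OUTSIDE_2 = addr(0xE1), addr(0x51), addr(0x52)
SAMPLE_LABELS = {EXCHANGE_X: "ExchangeX_1 (constructed label)"}
SAMPLE_TXS = [  # constructed transactions
    Tx(USER, DEPOSIT_A, 10 * WEI),
    Tx(EXCHANGE_X, DEPOSIT_A, 50 * WEI),
    Tx(DEPOSIT_A, OLD_HOT, 20 * WEI),               # normal sweep
    Tx(DEPOSIT_A, OUTSIDE_1, 30 * WEI),             # suspicious output
    Tx(DEPOSIT_A, OUTSIDE_1, 4 * WEI),              # suspicious output
    Tx(DEPOSIT_A, OUTSIDE_2, 7 * WEI, failed=True),  # failed attempt
    Tx(USER, DEPOSIT_B, 3 * WEI),
    # Checksummed spelling of the new hot wallet, as written on the page.
    Tx(DEPOSIT_B, "0xB6AaC3b56FF818496B747EA57fCBe42A9aae6218", 3 * WEI),
    Tx(EXCHANGE_X, OLD_HOT, 100 * WEI),             # labelled party -> hot wallet
    Tx(NEW_HOT, DEPOSIT_A, 1 * WEI),                # hot wallet -> deposit address
    Tx(NEW_HOT, USER, 2 * WEI),                     # ordinary withdrawal
]

if __name__ == "__main__":
    deposit, report = analyze(SAMPLE_TXS, labels=SAMPLE_LABELS)
    for (src, dst), row in report["suspicious_outputs"].items():
        print(src, "->", dst, row["wei"] / WEI, "ETH in", row["txs"],
              "txs;", row["failed_txs"], "failed")
```

A flagged row only says that whoever held the deposit address key paid an unexpected destination; it does not identify that person.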
A final note that I wanna add here is that this is an "outdated" way to operate hot wallets, mainly because the user pays a transaction fee to send to his assigned address and then the exchange needs to pay another fee to move those funds to the hot wallet. The most efficient way to do this is to create a smart contract (one-time fee to create it) which will just proxy the payment to the hot wallet. Those contracts are then assigned to users and, instead of the exchange paying the second transaction fee, it is paid by the user.
Old hot wallet analysis
This table shows the top 100 addresses that have sent funds to the old QuadrigaCX hot wallet, how much ETH, in how many transactions and some basic comments about those addresses. It's probably worth deep diving into all those top addresses for a better understanding of hot wallet funding. I will try to do that after I'm done with all suspicious and extended suspicious addresses. I would like to point out that all addresses marked as "QuadrigaCX deposit address" look like legit user deposit addresses. That means that we can try to analyze those addresses so we can understand the biggest QuadrigaCX users and their ETH sources, but referring to those addresses in any other way than "QuadrigaCX user deposit address without suspicious activity" is just speculation. Only the QuadrigaCX database can reveal the true identity of those users, and inputs connected to those addresses do not prove anything.
This table shows the top 100 addresses where funds were sent from the old QuadrigaCX hot wallet, how much ETH, in how many transactions and some basic comments about those addresses. It's probably worth deep diving into all those top addresses for a better understanding of where funds actually went. I will try to do that after I'm done with all suspicious and extended suspicious addresses. I would like to point out that all those addresses that are not marked as "suspicious list" or "extended suspicious list" look like legit withdrawal addresses. This means that we can try to analyze those addresses so we can understand where funds from the hot wallet went, but referring to those addresses in any other way than "QuadrigaCX user withdrawal address without suspicious activity" is just speculation. Only the QuadrigaCX database can reveal the true identity of those users, and outputs connected to those addresses do not prove anything.
Suspicious transactions for old hot wallet
Here are deposit addresses with suspicious behaviour and their analyses. Just to clarify this again, I consider suspicious those transactions that have an output to something other than the new/old hot wallet address OR eventually cold wallet address(es). There shouldn't be any output other than that; if there is, it's done by someone who has the private keys of those derived addresses (QuadrigaCX owner or operator).
0x0247bc4e03142079cfa2e3daf500722ed0f9a6b2
- This address, at first glance, looks like a classic derived address assigned to some user for deposits. The current balance of this address is ETH 0. This address sent a total of ETH 58,310 to the old hot wallet in 116 transactions and ETH 75,415 in 157 transactions to the new hot wallet. There are a total of 1,171 transactions connected to this wallet. What makes it suspicious is ETH 34,933 sent in 40 transactions to address
0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e, which is also flagged as suspicious, so check the analysis of that one. There's also ETH 329,838 sent in 368 transactions to contract
0x1e143b2588705dfea63a17f2032ca123df995ce0, which is also analysed separately, so I will not cover it here. In addition, it is worth mentioning that ETH 215,981 was sent in 216 transactions to that contract with an error (i.e. gas is wasted and the ETH is still on the wallet address; most errors are "out of gas"). There's also ETH 2,400 sent to address
0x696dd748a2edd9692ed93bd592dd2f293483eada in 3 transactions and finally, there's ETH 800 sent in one transaction to address
0x57b727dc48b5d9261958e0fb9f94fa02dc328bf6. I've added those two addresses to the "extended suspicious addresses list" because they deserve separate analysis. I wanna state again here that the person who made output transactions from this (or any address in the suspicious list) most likely has the private keys for all derived addresses. I can't be sure how exactly the exchange operates, or maybe some address private key got "hacked", bruteforced or obtained in some other way. IMHO, that's not really likely and probably the exchange owner/operator moved those funds out of the derived address. Considering that it's the most likely scenario, I'm also going to include a basic analysis of where the funds came from to those suspicious addresses.
- This derived (deposit) address was funded from 6 different addresses. It received ETH 198,317 in 325 transactions from
0x32be343b94f860124dc4fee278fdcbd38c102d88 (Poloniex withdrawal address, marked as Poloniex_1), ETH 57,148 in 99 transactions from
0x267be1c1d684f78cb4f6a176c4911b741e4ffdc0 (Kraken withdrawal address, marked as Kraken_4), ETH 21,628 in 43 transactions from
0x2910543af39aba0cd09dbb2d50200b3e800a63d2 (Kraken withdrawal address, marked as Kraken_1), ETH 7,086 in 14 transactions from
0x67fc93fd01a15d9fb02a80d0ae6207fb45625be4 (looks like regular user address), ETH 850 in 2 transactions from
0x7180eb39a6264938fdb3effd7341c4727c382153 (Bitfinex withdrawal address, marked as Bitfinex_Old2), ETH 685 in 3 transactions from
0x1151314c646ce4e0efd76d1af4760ae66a9fe30f (Bitfinex withdrawal address, marked as Bitfinex_1). In conclusion, almost all the funds come to this QuadrigaCX deposit address from other exchanges, plus one deposit from a regular user address. Considering that there were suspicious (manual) outputs, I strongly believe that there was some manipulation with this address and will include that user address in the extended suspicious addresses. It's impossible to say whether this address really belongs to the QuadrigaCX owner/operator, but it's worth looking at. Final note: it would be really valuable if we could get input from Poloniex/Kraken/Bitfinex on who sent funds to this address. At least, it would be valuable to know whether it was the QuadrigaCX owner / one of the employees or not.
0x1588498edcc08af1ceaff2ec344c0d03f9be39e7
- This address, at first glance, looks like a classic derived address assigned to some user for deposits. The current balance of this address is ETH 0. This address sent a total of ETH 4,525 to the old hot wallet in 79 transactions and ETH 3,800 in 35 transactions to the new hot wallet. There are a total of 607 transactions connected to this wallet. What makes it suspicious is ETH 1,697 sent in 18 transactions to address
0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e, which is also flagged as suspicious, so check the analysis of that one. There's also ETH 20,697 sent in 144 transactions to contract
0x1e143b2588705dfea63a17f2032ca123df995ce0, which is also analysed separately, so I will not cover it here. There's also ETH 59 sent to address
0x57b727dc48b5d9261958e0fb9f94fa02dc328bf6 in one transaction, ETH 17 sent in one transaction to address
0x1fdfc835d6b107a73d8429daf8f591e2e38380a8, ETH 1 sent in one transaction to address
0xc44f5199cf54cb3a70dc9745d17e3594d879286e, ETH 0.1 sent in one transaction to address
0x0c530c5bc48de2734ecee1511b1db404538cdfda and finally, ETH 0.05 sent in one transaction to address
0x6e4af762143222669b9a9638ec93588ae385709e. I've added those addresses to the "extended suspicious addresses list" because they deserve separate analysis.
- This derived (deposit) address was funded from 18 different addresses. It received ETH 15,727 in 110 transactions from
0xaec946927ee7a735712a9da384ccf204fa1a04af (looks like regular user address), ETH 5,702 in 108 transactions from
0x267be1c1d684f78cb4f6a176c4911b741e4ffdc0 (Kraken withdrawal address, marked as Kraken_1), ETH 3,060 in 21 transactions from
0x267be1c1d684f78cb4f6a176c4911b741e4ffdc0 (Kraken withdrawal address, marked as Kraken_4), ETH 1,928 in 10 transactions from
0x32be343b94f860124dc4fee278fdcbd38c102d88 (Poloniex withdrawal address, marked as Poloniex_1), ETH 1,226 in 6 transactions from
0xd24400ae8bfebb18ca49be86258a3c749cf46853 (Gemini withdrawal address, marked as Gemini_1), ETH 1,000 in 7 transactions from
0xc43865f32dd26d901a20a1087f008b969a5a74e9 (looks like regular user address), ETH 973 in 7 transactions from
0xc4fd30157153780db1cc09dd89b334dd9ca2f7d5 (looks like regular user address), ETH 596 in 42 transactions from
0x1151314c646ce4e0efd76d1af4760ae66a9fe30f (Bitfinex withdrawal address, marked as Bitfinex_1), ETH 200 in one transaction from
0xabf84d63590413cf2dd896461e18f98102f75e86 (looks like regular user address), ETH 119 in 4 transactions from
0x7180eb39a6264938fdb3effd7341c4727c382153 (Bitfinex withdrawal address, marked as Bitfinex_Old2), ETH 100 in one transaction from
0x4341eb20c1c5809cca093e4a01605a6378366fe8 (looks like regular user address), ETH 80 in 2 transactions from
0x1fd477672de56a6be0f77a51f335505c7e5b9e70 (looks like regular user address), ETH 40 in one transaction from
0xd638cf3efa463976032c3d30df2c0818ddd4ec72 (looks like regular user address), ETH 23 in one transaction from
0xddaa827b7d221228782557f8ef4bac252f2df7b8 (looks like regular user address), ETH 10 in 2 transactions from
0x5a7a60324510a578302c085bc59a9217a7bdd7c9 (looks like regular user address), ETH 8 in one transaction from
0x9d3880bdf39b40e14948ad0c5022d30d87cb10f5 (looks like regular user address), ETH 3 in one transaction from
0xb6aac3b56ff818496b747ea57fcbe42a9aae6218 (this is new hot wallet, it shouldn't send funds back to deposit address!!!), ETH 0.001 in one transaction from
0x027beefcbad782faf69fad12dee97ed894c68549 (this is the old hot wallet address, it shouldn't send funds back to a deposit address!!!). In conclusion, half of the funds that come to this QuadrigaCX deposit address are from other exchanges and the second half of the deposits are from what appear to be regular user addresses. Considering that there were suspicious (manual) outputs and suspicious inputs from hot wallets, I strongly believe that there was some manipulation with this address and will include all 10 user addresses in the extended suspicious addresses list. It's impossible to say whether this address really belongs to the QuadrigaCX owner/operator, but it's worth looking at. Final note: it would be really valuable if we could get input from Poloniex/Kraken/Bitfinex/Gemini on who sent funds to this address. At least, it would be valuable to know whether it was the QuadrigaCX owner / one of the employees or not.
0x32be343b94f860124dc4fee278fdcbd38c102d88
- This address is a Poloniex withdrawal address. It's verified on Etherscan as belonging to Poloniex (marked as Poloniex_1). It has sent a total of ETH 3,715 to the old hot wallet in 7 transactions and ETH 1,010 to the new hot wallet in 12 transactions. By design, other exchanges should never send funds to the hot wallet. Considering the small number of transactions, it might be some user sending funds by mistake to the hot wallet instead of his deposit address. On the other hand, it can be the QuadrigaCX owner/operator who sent funds to the hot wallet directly to bring liquidity up. However, we can't know who sent those directly to the hot wallet and why; it's speculation and I don't wanna do that. This is a question for Poloniex; they are the ones who can help and explain who triggered those transactions.
0x44392c6965f0aa76c5b6ed66efe0d27253d61ea4
- This address, at first glance, looks like a classic derived address assigned to some user for deposits. The current balance of this address is ETH 0. This address sent a total of ETH 351 to the old hot wallet in 297 transactions and ETH 1 in one transaction to the new hot wallet. There are a total of 1,054 transactions connected to this wallet. What makes it suspicious is ETH 106 sent in 9 transactions to address
0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e, which is also flagged as suspicious, so check the analysis of that one. There's also ETH 257 sent in 250 transactions to contract
0x1e143b2588705dfea63a17f2032ca123df995ce0, which is also analysed separately, so I will not cover it here. In addition, it is worth mentioning that ETH 158 was sent in 165 transactions to that contract with an error (i.e. gas is wasted and the ETH is still on the wallet address; most errors are "out of gas"). There's also ETH 10 sent to address
0x1fdfc835d6b107a73d8429daf8f591e2e38380a8 in one transaction. I've added this address to the "extended suspicious addresses list" because it deserves separate analysis.
- This derived (deposit) address was funded from 2 different addresses. It received ETH 515 in 453 transactions from
0x2a65aca4d5fc5b5c859090a6c34d164135398226 (DwarfPool address, marked as DwarfPool_1) and ETH 51 in 43 transactions from
0x151255dd9e38e44db38ea06ec66d0d113d6cbe37 (DwarfPool, marked as DwarfPool_2). In conclusion, there are no suspicious inputs to this address. It looks like some miner who's sending funds to QuadrigaCX and uses them as a custodian.
0x45cab8d124fce8663581172c614f2ee08d01d48e
- This address, at first glance, looks like a classic derived address assigned to some user for deposits. The current balance of this address is ETH 0. This address sent a total of ETH 48,694 to the old hot wallet in 71 transactions and ETH 6,550 in 45 transactions to the new hot wallet. There are a total of 1,776 transactions connected to this wallet. What makes it suspicious is ETH 39,153 sent in 29 transactions to address
0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e, which is also flagged as suspicious, so check the analysis of that one. There's also ETH 115,623 sent in 730 transactions to contract
0x1e143b2588705dfea63a17f2032ca123df995ce0, which is also analysed separately, so I will not cover it here. There's also ETH 3,100 sent to address
0x696dd748a2edd9692ed93bd592dd2f293483eada in 2 transactions and finally, there's ETH 1,500 sent in one transaction to address
0x57b727dc48b5d9261958e0fb9f94fa02dc328bf6. I've added those two addresses to the "extended suspicious addresses list" because they deserve separate analysis.
- This derived (deposit) address was funded from 17 different addresses. It received ETH 81,563 in 86 transactions from
0x2910543af39aba0cd09dbb2d50200b3e800a63d2 (Kraken withdrawal address, marked as Kraken_1), ETH 65,210 in 392 transactions from
0x267be1c1d684f78cb4f6a176c4911b741e4ffdc0 (Kraken withdrawal address, marked as Kraken_4), ETH 39,597 in 216 transactions from
0x32be343b94f860124dc4fee278fdcbd38c102d88 (Poloniex withdrawal address, marked as Poloniex_1), ETH 17,859 in 135 transactions from
0x1151314c646ce4e0efd76d1af4760ae66a9fe30f (Bitfinex withdrawal address, marked as Bitfinex_1), ETH 3,708 in 28 transactions from
0x876eabf441b2ee5b5b0554fd502a8e0600950cfa (Bitfinex withdrawal address, marked as Bitfinex_4), ETH 2,550 in 2 transactions from
0x7180eb39a6264938fdb3effd7341c4727c382153 (Bitfinex withdrawal address, marked as Bitfinex_Old2), ETH 2,174 in 18 transactions from
0x3272f018cdb5660d2a707b17df4a4e922d0c3ea8 (looks like regular user address but extremely active), ETH 609 in 10 transactions from
0xfbb1b73c4f0bda4f67dca266ce6ef42f520fbb98 (Bittrex withdrawal address, marked as Bittrex_1), ETH 506 in 3 transactions from
0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be (Binance withdrawal address, marked as Binance_1), ETH 250 in one transaction from
0x0085f20ad3c519a4008fb89abdc6f790afe24043 (looks like regular user address), ETH 250 in one transaction from
0x2b8d5c9209fbd500fd817d960830ac6718b88112 (looks like regular user address but have a LOT of ERC20), ETH 110 in one transaction from
0x564286362092d8e7936f0549571a803b203aaced (Binance withdrawal address, marked as Binance_3), ETH 65 in one transaction from
0xd551234ae421e3bcba99a0da6d736074f22192ff (Binance withdrawal address, marked as Binance_2), ETH 61 in one transaction from
0x004bf20b868a0694546790dfad60fb5fb78d27f5 (looks like regular user address), ETH 55 in one transaction from
0x005cb96b96c8fe801f89500df6ee38dc5fa0081f (looks like regular user address), ETH 50 in one transaction from
0xcd9acdeb01776d4701439bc755d2011b78d8792f (looks like regular user address), ETH 1 in one transaction from
0x0d0707963952f2fba59dd06f2b425ace40b492fe (Gate.io withdrawal address, marked as Gate.io_1). In conclusion, almost all the funds come to this QuadrigaCX deposit address from other exchanges, plus 6 deposits from regular user addresses. Considering that there were suspicious (manual) outputs, I strongly believe that there was some manipulation with this address and will include those user addresses in the extended suspicious addresses list. It's impossible to say whether this address really belongs to the QuadrigaCX owner/operator, but it's worth looking at. Final note: it would be really valuable if we could get input from Poloniex/Kraken/Bitfinex/Binance/Bittrex/Gate on who sent funds to this address. At least, it would be valuable to know whether it was the QuadrigaCX owner / one of the employees or not.
0x4807f634aa6a1de64709a9881ec2adaa6aee4612
- This address, at first glance, looks like a classic derived address assigned to some user for deposits. The current balance of this address is ETH 0. This address sent a total of ETH 205 to the old hot wallet in 3 transactions and ETH 30 in 9 transactions to the new hot wallet. There are a total of 29 transactions connected to this wallet. What makes it suspicious is ETH 73 sent in 2 transactions to address
0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e, which is also flagged as suspicious, so check the analysis of that one. There's also ETH 20 sent in one transaction to contract
0x1e143b2588705dfea63a17f2032ca123df995ce0, which is also analysed separately, so I will not cover it here. There's also ETH 10 sent to address
0x1fdfc835d6b107a73d8429daf8f591e2e38380a8 in one transaction. I've added this address to the "extended suspicious addresses list" because it deserves separate analysis.
- This derived (deposit) address was funded from 7 different addresses. It received ETH 103 in 2 transactions from
0x267be1c1d684f78cb4f6a176c4911b741e4ffdc0 (Kraken address, marked as Kraken_4), ETH 103 in 1 transaction from
0x32be343b94f860124dc4fee278fdcbd38c102d88 (Poloniex, marked as Poloniex_1), ETH 83 in 2 transactions from
0x2910543af39aba0cd09dbb2d50200b3e800a63d2 (Kraken address, marked as Kraken_1), ETH 40 in 4 transactions from
0x97dcd0b6671f6c047ec008b40df300242a9a3eab (looks like regular user address), ETH 5 in one transaction from
0xfbb1b73c4f0bda4f67dca266ce6ef42f520fbb98 (Bittrex address, marked as Bittrex_1), ETH 3 in 2 transactions from
0xa3f065063f4f63152b791edfa39197c5996d16dd (looks like regular user address), ETH 0.05 in one transaction from
0x002be6a00c8ff509c9210b3ea2130e75d1b3de72 (looks like regular user address). In conclusion, almost all the funds come to this QuadrigaCX deposit address from other exchanges, plus three deposits from regular user addresses. Considering that there were suspicious (manual) outputs, I strongly believe that there was some manipulation with this address and will include those user addresses in the extended suspicious addresses list. It's impossible to say whether this address really belongs to the QuadrigaCX owner/operator, but it's worth looking at. Final note: it would be really valuable if we could get input from Poloniex/Kraken/Bittrex on who sent funds to this address. At least, it would be valuable to know whether it was the QuadrigaCX owner / one of the employees or not.
0x70faa28a6b8d6829a4b1e649d26ec9a2a39ba413
- This address is a ShapeShift address. It's verified on Etherscan as belonging to ShapeShift (marked as ShapeShift_3). It has sent a total of ETH 807 to the old hot wallet in 2 transactions. By design, ShapeShift should never send funds to the hot wallet. Considering the small number of transactions, it might be some user sending funds by mistake to the hot wallet instead of his deposit address. On the other hand, it can be the QuadrigaCX owner/operator who sent funds to the hot wallet directly to bring liquidity up. However, we can't know who sent those directly to the hot wallet and why; it's speculation and I don't wanna do that. This is a question for ShapeShift; they are the ones who can help and explain who triggered those transactions.
0x7180eb39a6264938fdb3effd7341c4727c382153
- This address is a Bitfinex withdrawal address. It's verified on Etherscan as belonging to Bitfinex (marked as Bitfinex_Old2). It has sent a total of ETH 2,150 to the old hot wallet in 3 transactions. By design, other exchanges should never send funds to the hot wallet. Considering the small number of transactions, it might be some user sending funds by mistake to the hot wallet instead of his deposit address. On the other hand, it can be the QuadrigaCX owner/operator who sent funds to the hot wallet directly to bring liquidity up. However, we can't know who sent those directly to the hot wallet and why; it's speculation and I don't wanna do that. This is a question for Bitfinex; they are the ones who can help and explain who triggered those transactions.
0x9e6316f44baeeee5d41a1070516cc5fa47baf227
- This address is a ShapeShift address. It's verified on Etherscan as belonging to ShapeShift (marked as ShapeShift_2). It has sent a total of ETH 714 to the old hot wallet in 6 transactions. By design, ShapeShift should never send funds to the hot wallet. Considering the small number of transactions, it might be some user sending funds by mistake to the hot wallet instead of his deposit address. On the other hand, it can be the QuadrigaCX owner/operator who sent funds to the hot wallet directly to bring liquidity up. However, we can't know who sent those directly to the hot wallet and why; it's speculation and I don't wanna do that. This is a question for ShapeShift; they are the ones who can help and explain who triggered those transactions.
Extended suspicious address list
New hot wallet analysis
This table shows the top 100 addresses that have sent funds to the new QuadrigaCX hot wallet, how much ETH, in how many transactions and some basic comments about those addresses. It's probably worth deep diving into all those top addresses for a better understanding of wallet funding. I will try to do that after I'm done with all suspicious and extended suspicious addresses. I would like to point out that all addresses marked as "QuadrigaCX deposit address" look like legit user deposit addresses. That means that we can try to analyze those addresses so we can understand the biggest QuadrigaCX users and their ETH sources, but referring to those addresses in any other way than "QuadrigaCX user deposit address without suspicious activity" is just speculation. Only the QuadrigaCX database can reveal the true identity of those users, and inputs connected to those addresses do not prove anything.
This table shows the top 100 addresses where funds were sent from the new QuadrigaCX hot wallet, how much ETH, in how many transactions and some basic comments about those addresses. It's probably worth deep diving into all those top addresses for a better understanding of where funds actually went. I will try to do that after I'm done with all suspicious and extended suspicious addresses. I would like to point out that all those addresses that are not marked as "suspicious list" or "extended suspicious list" look like legit withdrawal addresses. This means that we can try to analyze those addresses so we can understand where funds from the hot wallet went, but referring to those addresses in any other way than "QuadrigaCX user withdrawal address without suspicious activity" is just speculation. Only the QuadrigaCX database can reveal the true identity of those users, and outputs connected to those addresses do not prove anything.
Suspicious transactions for new hot wallet
Here are deposit addresses with suspicious behaviour and their analyses. Just to clarify this again, I consider suspicious those transactions that have an output to something other than the new/old hot wallet address OR eventually cold wallet address(es). There shouldn't be any output other than that; if there is, it's done by someone who has the private keys of those derived addresses (QuadrigaCX owner or operator).
0x876eabf441b2ee5b5b0554fd502a8e0600950cfa
- This address is a Bitfinex withdrawal address. It's verified on Etherscan as belonging to Bitfinex (marked as Bitfinex_4). It has sent a total of ETH 499 to the new hot wallet in one transaction. By design, other exchanges should never send funds to the hot wallet. Considering the small number of transactions, it might be some user sending funds by mistake to the hot wallet instead of his deposit address. On the other hand, it can be the QuadrigaCX owner/operator who sent funds to the hot wallet directly to bring liquidity up. However, we can't know who sent those directly to the hot wallet and why; it's speculation and I don't wanna do that. This is a question for Poloniex; they are the ones who can help and explain who triggered those transactions.
0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be
- This address is a Binance withdrawal address. It's verified on Etherscan as belonging to Binance (marked as Binance_1). It has sent a total of ETH 2 to the new hot wallet in one transaction. By design, other exchanges should never send funds to the hot wallet. Considering the small number of transactions, it might be some user sending funds by mistake to the hot wallet instead of his deposit address. On the other hand, it can be the QuadrigaCX owner/operator who sent funds to the hot wallet directly to bring liquidity up. However, we can't know who sent those directly to the hot wallet and why; it's speculation and I don't wanna do that. This is a question for Poloniex; they are the ones who can help and explain who triggered those transactions.
Extended suspicious address list
yyy
- Connection from
xxx address (suspicious output).
Day by day since Gerald Cotten died
- I believe that it's valuable to understand what was going on since the QuadrigaCX owner died and to deep dive into each day's transactions. Most of those wallets are already analysed and we have a daily table with basic stats, but what I wanna do here is to actually inspect who sent and who received funds each day and whether there was something shady. So we will go from 09 December 2018 to January 25, when withdrawals stopped.
Conclusion
- Yes, will write it ;).
Contact
Just ping me on Twitter if you have any questions.