Report 'The Anomaly Of Two Transactions' by rate3 at 12 Jun 2020

The Anomaly Of Two Transactions Source

"Someone paid $2.6 million in fees to move $134 worth of crypto". When that piece of news first hits us two days ago I dismissed it as a noise. However, today, after I had spent some time in Etherscan hopping from one address to another my position was flipped and as a result I present to your attention this brief observation.

At the moment (when I write this post) an address (0xcdd6a2b9dd3e386c8cd4a7ada5cab2f1c561182d), which belongs to the sender of two (not one) anomaly transactions for the total sum >$5 mio, displays 78161 in and out-puts from / to, seemingly, a whole multitude of different other addresses but it's, obviously, not someone but something generating its. Here's some of giveaways.

- All transfers are ranging in volume from under 1 to several hundreds of ETH, adding 2-6 transactions to each block starting from number 10219082;

- The first transaction was registered only 4 days ago. The pick in transfer activity (~6-7 transaction per block) happened two days ago when this two anomalies occurred;

- Although all sums differ from each other there are never two double digit transactions following each other in that sequence, and only occasionally there are 3 digit transactions in it;

- The sum almost never exceeds 0.4k ETH (in fact, I have found only one transactions over this range - that for 499.99874 ETH in block 10231372) and very rarely under 1 ETH;

- Besides, all those transactions have at least 5 digits after decimal points, and there are almost none not round numbers ending to 0 before decimal points;

- Moreover some transactions in the same block are absolutely similar (f.e. 0x9cfa742fdfd2873580a41014cc086dff49e50813997b49f0a650805f815399d4, 0xd0d5627421cf99f6bb6c36f5097a935ae072232c89d09b54f68e3185f1c405af and 0xdc9dfc7aa40515e926296f48e7650574e64bad69f0f416bd2c87480b5109bf63 for 4.99874 Ether in block 10221350).

Additionally, the constant inflow of transactions during, roughly, first 2 day was abruptly changed to outflow after 2-3 blocks, which precede the first anomaly output. Moreover, almost all of connected addresses sum to zero ETH.

Notable, however, is the fact that, this one address, which now attracts all attention of medias is actually only one small link in a whole web of other accounts separated by about 2-3 transaction from the 'famous' one (0xcdd6a2b9dd3e386c8cd4a7ada5cab2f1c561182d).

Check out for example this address (0xCABDa7c04a240498636Ee0e535e0596B504c66d2), which has 22339 transactions in it each of which has absolutely the same set of 'shadow' characteristics, which I've just described.

So, what we, probably, have here is not 'a new exchange' at all, which owners will rush now to collect their millions from two generous miners, which have already declared that they will return back those insane fees to whoever proves an ownership of its source address. Based on all of the above, I highly doubt, that anyone will show up to claim back this ~5 mio :)

It proves the point that 'laundering' anything in blockchain (which issue is, obviously, worrying too much so many ambitious but ignorant bureaucrats) is the very bad idea by definition and in order to reveal it no 'agencies' involvement is required at all. Specially, for accounts based platforms like that of Ethereum.


This morning Vitalik twitted his explanation of this anomaly: "So the million-dollar txfees *may* actually be blackmail. The theory: hackers captured partial access to exchange key; they can't withdraw but can send no-effect txs with any gasprice. So they threaten to "burn" all funds via txfees unless compensated."

My objections to his argumentation are the following:

first, the sender's address is not an exchange and 're-rooting' or stopping all transactions inflow even with accounts keys compromised shall not be an issue for original owners, however, all activities on this account were stopped only 5 hrs ago - long after the first anomaly fees was paid;

second, with keys compromised emptying an account is the best tactic for original owners, still, this account now contains 16,076.870502047742489338 Ether ($3.8 mio);

third, blackmailers did leave themselves almost no time for negotiations with owners about ransom after the first anomaly fees were paid, so what was the point of two, instead of one, transactions?;

fourth, why attackers are being so generous with those fees? wouldn't, say, $1-2K worth of ETH or less be a sufficient wakeup signal for owners?