Grayscale GBTC Trust, the largest legal holder of BTC, refuses to provide any Proof of Reserve.
To begin a community-led effort at transparency for the GBTC holdings, we have taken steps to ID likely GBTC addresses and balances based on public info and blockchain forensics.
Alameda ETH addresses are digging around in the sofa for spare change and swapping bits ERC20s for ETH/USDT.
ETH and USDT then funneled through instant exchangers.
Rings some major alarm bells...
TLDR
- Using public data and chain forensics, we have attributed 432 addresses holding 317,705 BTC to likely GBTC custody activity.
- This total is ~50% of GBTC reported current holdings.
- Additional work is necessary to ID the remaining addresses.
The Grayscale G(BTC) Coins Part 2
In this analysis we use additional on-chain forensics to CONFIRM the approximate 633k BTC balance held by G(BTC) at Coinbase Custody.
Which begs the question, why does Grayscale refuse to disclose their on-chain holdings?
Adding another 444 BTC to the previously reported 4.6k ETH from yesterday's @cryptocom hack.
Still no acknowledgement of loss, despite large outflows from the custodial wallet into ETH's Tornado Cash and a well known BTC tumbler (as detailed below).
In case you missed it, GBTC claims they cannot provide a Proof of Reserve due to “security concerns”.
Maybe this is a non-disclosure policy enforced by Coinbase Custody.
Maybe it’s deliberate obfuscation by Grayscale.
6) Coinbase frequently performs on-chain validation. Due to security concerns, we do not make such on-chain wallet information and confirmation information publicly available through a cryptographic Proof-of-Reserve, or other advanced cryptographic accounting procedure.
I’ve been seeing a lot of Twitter FUD opining on miner capitulation in the last few days.
This got me thinking… could the selling by the PlusToken scammers have had an abnormal effect on this market cycle?
Sparked by the tx graph in this tweet, we have ID’d the Alameda BTC wallet cluster and likely Alameda FTX deposit address.
The likely FTX Intl deposit address processed 3300 BTC via FTX US on 6-Nov during the bank run, despite FTX management claims of “segregated entities”.
I am dropping the towel.
They may came from industry of finance.
I come from an industry of cyber-security.
You crossed my field.
Next time when you want to spoof the market from 28K to 69K for your political lobby think twice.
On July 29, 2019 Grayscale claims to have owned about 240k BTC.
Looking at the XAPO cluster for corresponding activity, we see a massive spike in volume from a handful of transactions that are likely the Grayscale custody rotation mentioned above.
Any blockchain analysis needs a “starting point”.
In this case we were able to obtain our starting point from information in the following Coindesk article.
We took these corresponding transactions and scoured the “nearby” graph in an effort to ID the addresses that are currently holding the associated Grayscale coins.
A subset of the graph can be viewed here.
~13k in new PlusToken mixer deposits in last 24 hrs.
Almost all previous mixer deposit change has entered mixing, confirming my theory.
Distributions still on/off. Much slower than September and November.
New report and full sit rep imminent.
We can see everything you do, so it's best not to pin your shitty wallet management on network fees (congestion, instability, whatever you wanna call it).
In total, we were able to attribute 432 addresses with a total balance of about 317,705 BTC to likely GBTC TXOs held by Coinbase Custody.
Note this is about 78k BTC more than GBTC held during the transition from XAPO to Coinbase Custody.
It may be possible to attribute additional blockchain addresses to GBTC based on the activity around these MM addresses or by performing an in depth volume and timing analysis around the Coinbase Custody cluster.
Recently I wrote a thread regarding the multi-billion dollar PlusToken scam and its potential market impacts.
A few days later, the exchange rate fell out of bed and the bloggers attached themselves to this narrative for a few news cycles.
So what’s the status of the PT coins?
FBI Colonial Pipe/DarkSide ransom recovery has the BTC Twitter rumor mill in overdrive.
After getting acquainted with the on-chain activity, we can start to narrow down or remove some of these theories.
In Summary:
1 - We have been able to independently verify the credibility of G(BTC)’s holdings of 633k BTC using on-chain forensics and public data.
2 - Grayscale refuses to disclose their addresses for unknown reasons, despite an apparent willingness by Coinbase Custody.
"While you were doing what we told you to do (ie worthless degree and 6 figures of debt), we voted to bail ourselves out. Now you're working to fund my retirement."
While the TRC20 ETH was rehypothecated, 60k of the TRC20 BTC appear to have simply never been backed.
The likely unbacked tokens are currently parked in the JustLend protocol, implying an unbacked (non-existent) TVL of $1.8B, or roughly 50% of the current TVL.
My latest on PlusToken is available here.
More than a blog post or tweet thread.
Updates will be provided via OXT Research going forward.
Not a fan of my conclusions and want to make your own?
My methodology and data are provided, so you can.
We are excited to officially announce that @ErgoBTC has joined the Samourai team. Ergo made an impression on all of us with his excellent analysis of the PlusToken fund movements. He will be working closely with the @oxt_btc team on the freshly launched
Based on the history of the first destination address of the cryptoforhealth scam addresses, the scammers have a history of gambling on Bitmex and Coinbase usage.
This is peak crypto.
Destination Cluster>>>
Preliminary Notes >>>
Expanded labels for the LFG BTC address activity after running off with funds intended for defense of the UST depeg have been added to Arkham as a part of their bounty program.
Details and additional color on the attribution are provided below.
The Arkham Intel Exchange now has its first approved submission: new evidence of wallets owned by Do Kwon / Terraform Labs.
An anonymous on-chain sleuth and @ErgoBTC were the successful bounty hunters. The new labels are available for all to track here:
Part 2 Estimate: 634,639 BTC
G(BTC) Reported: 633,394 BTC
Based on the results of this analysis, we can conclude that Grayscale’s self-reporting is credible.
The logical conclusion of KYC and custodial exchanges is playing out now.
Censorship isn't being applied at the protocol layer, but at the interaction with the banking system.
@coinableS @RMessitt It looks like the funds had gone through a single weak Wasabi “mix” before mostly being deposited to Fixed Float (an instant swap exchange).
Most of the deposits are quite old, and unlikely to be recovered.
However...
With all the excitement, a short update on their BTC is warranted.
We have also seen just about all of the remaining unmixed coins ~22k on our watch list begin entering their mixer over the last few days.
The 140k (remaining) Mt Gox Coins
As the saga seems to be winding down with the planned release from the trust, it’s worth revisiting the coin status and some of the history behind the BTC addresses involved.
(1/n)
A few weeks ago, we were contacted by the friend of a @Ledger phishing victim.
The friend was actively trying to outbid the phisher on miner fees before the theft tx could be confirmed by miners.
They were unsuccessful and the coins sat unspent for a few weeks.
FTX International and FTX US BTC hot wallets drained and sent to the following address.
Address Balance = 3872 BTC.
FTX US Sweep:
FTX Int’l Hot Wallet Sweep Bookmark:
With the unsealing of the Avi Eisenberg DoJ complaint, we now have a second member of the inaugural (2022) class of the KYC Hall of Fame.
The class inductees:
- Avi Eisen as “Ukrainian Woman”
- The DPRK Conspirators as “AI Generated T-shirt model with misproportioned hands”
I will update this thread with additional info as the situation develops.
Sidenote: Great that crypto dot com appears to be making its users whole, but sweet custodial honeypots (even with 2FA) continue to be targets for hackers. Not your keys, not your coins.
Previous spends of the BFX hack coins were methodically isolated, slowly mixed, or slowly sent to Hydra (DNM).
The most recent spends were swept to a *SINGLE* address.
The complete opposite in terms of privacy from previous activity.
While the mainstream bloggers are busy writing click bait headlines about Chinese miners the elephant...
*cough*
*cough*
... whale in the room is slowly dumping through Huobi.
3 - Grayscale's refusal to disclose addresses or participate in a Proof Of Reserve serves to invite more scrutiny of their activity from the community and users.
renBTC liquidity getting low 3777 BTC +/- despite a ton of mints today.
Assuming the remaining 200k ETH from the FTX drainer is bridged, I'm not sure how the liquidity incentive can cover the remaining +/- 10k BTC.
DoJ recovers +50k BTC from James Zhong obtained from a 2012 exploit on a Silk Road Wallet.
The majority of the coins (~49k BTC) traceable to the exploit are currently sitting in the following address.
Part 1 covers the basics.
Problem definition and ex's of change detection heuristics.
In Parts 2, 3, & 4:
- clustering & tx graphs
- the effects of external tx data
- OXT how-to's
- basic privacy defenses
- why & how coinjoins work
- how the SW features subvert CA
Stay tuned.
We're happy to share the first of a four part educational series by @ErgoBTC designed to take you from zero to hero in understanding the intricacies of bitcoin privacy, how chain analysis works and how to use @oxt_btc to audit your own transactions.
This is evidence that clearly flies in the face of the “Alameda, FTX Int’l, and FTX US are separate entities” story that was propagated by FTX management.
In fact, this may be evidence that Alameda was handling FTX US funds.
The BFX hack seizure.
A mountain of evidence in an apparent straightforward analysis.
>> Coins tracked across custodial entities sent to exchanges with the couple's IDs.
Some thoughts from following the followers.
Let me get this straight, Chen Bo, the mastermind of PlusToken (arrested in June 2019), was entrusted with selling PlusToken's BTC, via a third party business, on behalf of the CCP?
As the saga continues, I suggest keeping an eye on the last address in this transaction trail.
It currently holds 6980 BTC and shows a possible change in wallet behavior on 3 October.
One of the only real reasons we can guess as to why Grayscale does not want to disclose their addresses is to avoid providing information about who their most frequent counterparties are (ie DCG, Genesis, etc).
We noted this abnormally large withdrawal from @cryptocom's payout wallet bc1q7cyrfmck2ffu2ud3rn5l5a8yv6f0chkp0zpemf via
Shortly after, several hundred withdrawals are consolidated into 4 outputs for 67.75 BTC.
Several media outlets reporting Hydra Market DNM servers have been seized by German LEAs.
The 543 BTC in Hydra's wallet has been emptied over a series of 88txs to the following address.
What is entropy & how can it be used to evaluate your Bitcoin transaction “privacy”?
Entropy is defined as:
A measure of disorder or randomness in a closed system.
It has many applications in dynamic systems and is most often used in physics but also applies to information.
This 54k BTC headline number implies the miner(s) have stocked up months of BTC without having to meet payout needs or electricity bills.
The number is so significant that it just feels off and I’m not convinced this is simple direct evidence of spot selling.
#Bitcoin miners sent 54k $BTC to Binance in the past 3 weeks.
No significant change in BTC-USD open interest, suggesting less likelihood of filling collaterals to punt new long positions. Spot selling seems more likely, imo.
While we don’t know why Grayscale refuses to disclose their on-chain holdings, their refusal has led to nonsense tweets from “the people in charge”.
These awkward moments that degrade trust could easily be avoided if Grayscale chose the path of transparency/Proof of Reserves.
So far the Kucoin hacker mixed:
~322 BTC with Chipmixer
~288 BTC partially mixed via Wasabi
~another 245 BTC pending partial Wasabi mixing?
Post-chipmixer distribution activity starts here.
Despite holding what they claim to hold, Grayscale have chosen to forgo using transparency to build trust at a time when trust in crypto is at an all time low.
Why?
@fluffypony @BTCwillrule No worries fluffy!
The rent seekers aren't going to directly cite the crazy Twitter nym using free block explorers (oxt/kycp) and a spreadsheet to beat them at their own game. ;)
Thread on Celsius Network BTC wallet clusters and balances.
TLDR >> The major Celsius address/clusters do not have significant balances. ~108k BTC were sent from CN through a single OTC/MM cluster (as advertised?). On-chain data cannot be used to deduce the true CN BTC balance.
I’ve spent some time digging into Fcoin’s reported on-chain activity based on this tweet.
The TxGraph implies transfer from cold storage to other exchange wallets as part of an exit scam.
WTF tracking on Fcoin's Bitcoin cold wallet shows the majority of its asset has been transferred to other exchanges ...address: 12rU7whLERNrkDb8bTe9VJJSKZvCXy7dj7
They said they can't withdraw for its users???
What a SHAMELESS scammer
(visualization done by @ChainDotInfo)
While it may be true that this is the only formally “declared” wallet controlled by the LFG, they seem to have failed to account for the trail of bread crumbs left by the change outputs used to fund their new declared wallet.
Issue 2 of the OXT Research PlusToken report is live. Follow along as we continue peeling back the layers of the PlusToken scam.
In this issue:
- a new destination for the PlusToken coins
- a new mixing partner is unmasked
- updated distribution
Free @
@janeygak They're not in the business of testing for and preventing disease, but applying bandaids after the fact.
Did you ask for a fasting insulin test? Or you aren't worried about insulin based on your cholesterol ratios?
Sorry to temper the latest hopium, but this is an Upbit cold storage address/internal wallet.
The address receives exclusively from Upbit's deposit wallet cluster and spends exclusively to Upbit's withdrawal wallet cluster.
With the recent #OneCoin website shutdown, the multi-billion dollar "crypto" ponzi scams seem to be a recurring event.
This is a thread intended to start a public record of possible associated bitcoin addresses.
For those asking, Coinbase wallet automatically splits large volume UTXOs to equal denominations.
+50% of the +1000 BTC txs we see go by are Coinbase doing their own internal wallet management.
Once you see it you can't unsee it.
Today's Tx vs March.
Normally, these whales avoid getting so easily tagged by the Coinbase deposit cluster, thanks to CB's unique deposit address scheme.
But we got an address reuser on our hands.
Gotta be careful goalseeking your narrative after the fact. cc @ clickbait journos and their daily price discussions.
But maybe this was the result of a single entity gobbling up 1% of total supply.
¯\_(ツ)_/¯
This tumbler has been commonly used in hacks attributed to the DPRK Lazarus Group and more recently in the attempted laundering of BTC from this summer's Darkside ransomware activity.
Another "Darkmatter" BTC update.
Moving towards identifying “parallel” wallets controlled by the same tumbler responsible for paying out to the entity depositing DM's BTC.
Over the last two weeks, 2x10k BTC txs were sent from Coinbase Custody to *possibly* the OTC/Prime wallet.
The entity spending these coins still holds some ~32,175 BTC and has given me an excuse to organize otherwise scattered observations in one place.
Our analysis shows that Grayscale has two preferred wallet clusters as counterparties:
- ANON-3499303328 for purchases/selling for management fees at [1NvE65r…]
- [1J65CQ4...] at ANON-2829758496
Even when the selling finishes I’m sure there will be more to this story.
Feel free to elaborate on your favorite Huobi/CCP/PlusToken conspiracy theories.