Hack Alert: Details On The Tether Treasury Wallet

On November 21, 2017, an announcement was released by the Tether team declaring that an unknown hacker managed to usurp $30,950,010 USDT. The statement reads, "Yesterday, we discovered that funds were improperly removed from the Tether treasury wallet through malicious action by an external attacker. Tether integrators must take immediate action … to prevent further ecosystem disruption."

Tether said that the stolen USDT has been flagged and are now irredeemable, and it believes the attacker is holding the stolen USDT in the following address:

16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r

Users are urged not to accept USDT from this address or any address downstream from it.

Tether said it has taken steps to suspend the Tether.to backend wallet service temporarily while it performs an investigation of the attack to ensure it does not happen again. A new build of Omni Core software will be provided to users in a bid to freeze the USDT in the above-referenced address. Tether said that the software will issue a change to the consensus protocols that Omni Core clients currently utilize; indicating that the fix "is effectively a temporary hard fork."

"We strongly urge all Tether integrators to install [the Omni Core upgrade] immediately to prevent the coins from entering the ecosystem. Again, any tokens from the attacker’s address will not be redeemed. Accordingly, any and all exchanges, wallets, and other Tether integrators should install this software immediately in order to prevent loss:
https://github.com/tetherto/omnicore/releases/tag/0.2.99.s"

The announcement went on to assert that "after the protocol upgrades to the Omni Layer are in place, Tether will reclaim the stolen tokens and return them to treasury." It also said that issuances of USDT haven't been affected by the attack, maintaining that the Tether reserve still fully backs all USDT. "The only tokens that will not be redeemed are the ones that were stolen from Tether treasury yesterday. Those tokens will be returned to treasury once the Omni Layer protocol enhancements are in place."

It didn't take long for members of the community to dig around and posit theories on who the culprit of the hack might be. One user put together a fairly extensive timeline that breaks down the incident beginning at a wallet address that transaction logs show was used to take 19,000 BTC from Bitstamp in 2015, according to the user’s research. After this actor sent fractional amounts of BTC to other addresses in what might have been tests to ensure the hack would work, around 10:53 a.m. on November 19, 2017, a series of transactions transferred 30,950,010 USDT and 5 BTC out of Tether’s treasury address. Eventually, the sum of these funds came to reside in the wallet address implicated in the company's official announcement.

In an interesting twist, according user who posted these findings, the culprit implicated in both the Tether hack and Bitstamp incident of 2015 appears to be the owner of another wallet that was used to steal 8500 BTC from Huobi in 2015, although this detail remains unsubstantiated. However, if this cyber sleuth is correct, the address associated with to the alleged Huobi theft is linked to the sale of small amounts of BTC on Localbitcoins, a site that helps people connect with one another to trade, buy, and sell crypto So, it may be possible for Localbitcoins to access logs from 2015 that are related to the wallet addresses uncovered by this cyber sleuth and thus identify the hacker.

ETHNews will continue to provide details about Tether's missing funds as they become available.