[PSA/Article] Investigating Agora wallets; cold stash of at least 24,000 BTC

Hey all,

I've been using Wallet Explorer to investigate Agora's wallets, and I've found some intriguing/concerning stuff.

Around 24,000 BTC accumulating in addresses that may be controlled by Agora

There are currently around 23,960 BTC sitting in storage addresses that I suspect are controlled by Agora. The bulk of this money seems to be drawn in large chunks from Agora deposit addresses (I'm basing this on Wallet Explorer), so it doesn't appear to be standard market fees. And most of the storage addresses are basically receive-only, so it's unlikely they have any operational use. Of course, there's no way to conclusively prove Agora owns these addresses, but considering (a) the size of the transactions (millions of dollars in the last few months), (b) their uniqueness compared to other Agora transactions, and (c) the fact that the bitcoins are just sitting there, it's hard to imagine where else these coins would be going.

(EDIT: Apparently I'm not the first person to suspect this, see impost_r's post from December: http://www.reddit.com/r/DarkNetMarkets/comments/2o4qf6/addresses_agora_controlled_addresses_sent_large/. Note that the balance of these addresses has increased by nearly 14,000 BTC since then!)

For example, after being funded with 536.8 BTC of Agora money on 11/25/14, this address has been receiving 50 BTC chunks regularly since 12/5/14: http://www.walletexplorer.com/address/1923qxU74HWWz75LgWTsPE4FT9Zyd6n6bv. Its balance is currently 14636.8468236. Here's a similar address with a balance of 2350: http://www.walletexplorer.com/address/152p1VPp2UYceP9BLtJRLoMgoErQRCryTt.

Other storage addresses that seem to be controlled by Agora:

I'd like to see what percentage of Agora deposits is going to these storage addresses (to determine whether it's reasonable profit taking or something more nefarious) but Wallet Explorer doesn't offer a way to filter by incoming transactions. Anyone have a program that can do that? Also, some of the activity in these addresses seems to coincide with downtime in late November (and the current downtime), so the timing is worth looking into further.

Getting a little crazy now: Possible Agora-SR2 connection?

(Edit: This is more of an aside, just something interesting I saw. Not necessarily connected to the stuff above!)

This could use double checking, but it looks like substantial amounts of BTC were sent directly from Silk Road 2 to Agora's operators in the days and weeks leading up to the SR2 seizure.

Of course I could be interpreting this wrong (and Wallet Explorer could be wrong!), so if anyone wants to take a look and share your thoughts, I'd appreciate it.

This is all I have time for at the moment, but I have a bunch of notes on this stuff so can provide more info when I get a chance later. In the meantime, please feel free to tell me if you spot something I missed!


Comments


[28 Points] None:

Every day after I wake up, I check this subreddit for my juicy drama of the day. I've been doing this every day for over a year. Let me tell you something.

I am never disappoint.


[23 Points] DankNetMarkets:

Calling /u/vendor_bbmc !

Calling /u/BTVA !

Calling /u/sheeproadreloaded2 !

Have fun you two :)


[15 Points] Canna-Juice:

Things such as these are why I truly love this community.
(to be clear, NOT the possible correlation and shenanigans, rather the investigative/self-policing nature of its users)


[7 Points] FriendlyDrugAddict:

It's because of Agora's built-in tumbler system, isn't it? The ones you send don't even go to your wallet, they get sent to a different one and Agora sends you different coins from a different wallet...


[6 Points] kenobi12:

Can someone ELI5?


[6 Points] None:

Puts a tin foil hat

Puts sunglasses

Grabs popcorn and tokes on G13

This is going to be fun.


[5 Points] sapiophile:

Could the smaller chunks from "SR2" actually just be from a vendor on SR2?


[3 Points] lamarrotems:

How do you know these are Agora controlled wallets?


[2 Points] None:

One huge problem with using websites to do "blockchain analysis" is the view you are getting just guesses what the output of a transaction is. For example, I spend .1 BTC on some Venison on SilkRoad1 but I use an address that has 10,000 BTC in it. Because of the way bitcoin's change mechanism works, I have to send .1 BTC to SR1 and 9,999.9 BTC to myself. The wallet explorer will likely interpret this as me withdrawing 10,000 BTC from silkroad. This is what Dratel wanted to bring in experts to talk about; it is the reason why most blockchain detectives have no idea what they are actually talking about.
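
The change-output effect described in the comment above, as an added example that is not part of the thread or of any explorer's code: a common-input-ownership clustering over constructed transactions, showing how the amount attributed as "leaving" a wallet depends on whether the change address has been linked yet. All address names and amounts are hypothetical.

```python
# Constructed sample transactions (not real chain data); amounts in satoshi.
BTC = 100_000_000
CHANGE = 10_000 * BTC - BTC // 10  # 9,999.9 BTC returned to the spender

TXS = [
    # 0.1 BTC payment funded from a 10,000 BTC address; the rest is change.
    {"id": "tx1", "in": [("buyer_main", 10_000 * BTC)],
     "out": [("market_deposit", BTC // 10), ("buyer_change", CHANGE)]},
    # Later the change is co-spent with buyer_main (assumed to have received
    # another 1 BTC elsewhere), which reveals that both share an owner.
    {"id": "tx2", "in": [("buyer_change", CHANGE), ("buyer_main", 1 * BTC)],
     "out": [("buyer_cold", CHANGE + 1 * BTC)]},
]


def cluster(txs):
    """Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to belong to one wallet. Returns a lookup
    function mapping an address to its cluster representative."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path compression
            addr = parent[addr]
        return addr

    for tx in txs:
        inputs = [a for a, _ in tx["in"]]
        for a in inputs[1:]:
            parent[find(a)] = find(inputs[0])
        for a, _ in tx["out"]:
            find(a)  # register output addresses as their own clusters
    return find


def outflow(tx, find):
    """Value the clustering attributes as leaving the spender's wallet."""
    owner = find(tx["in"][0][0])
    return sum(v for a, v in tx["out"] if find(a) != owner)


if __name__ == "__main__":
    before = outflow(TXS[0], cluster(TXS[:1]))  # change not yet linked
    after = outflow(TXS[0], cluster(TXS))       # change linked by tx2
    print(f"tx1 outflow before linking: {before / BTC} BTC")
    print(f"tx1 outflow after linking:  {after / BTC} BTC")
```

Until a co-spend such as tx2 appears on chain, the heuristic has no basis for treating the change output as the spender's own, so any per-wallet total built on it should be read as an upper bound.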


[2 Points] AussieCryptoCurrency:

Getting a little crazy now: Possible Agora-SR2 connection?

Perhaps a vendor uses both?


[2 Points] None:

Grabs more popcorn

What the actual fuck is going on?


[1 Points] impost_r:

Repost: http://www.reddit.com/r/DarkNetMarkets/comments/2o4qf6/addresses_agora_controlled_addresses_sent_large/

:) I couldn't find anything interesting back then, though it's interesting to see that the coins haven't moved.


[1 Points] sharpshooter789:

No, your calculations are not remotely correct. I wrote a script to extract the final balance from blockchain.info and then I added the values.

The real balance is: 9,148.10060001

The OP is correct. The wording was a little strange so I didn't include one address in my calculation. The exact balance is 23,784.94742361 BTC.

This is for the nerds:

#!/bin/bash
# First create a file named addresses.txt and put a list of bitcoin addresses in it
num=0
for i in $(cat addresses.txt); do
    # Save each address page as page0, page1, ...
    curl "https://blockchain.info/address/$i" > page${num}
    num=$((num+1))
done

# Extract the final balance from each saved page and join the values with '+'
# (page{0..6} assumes seven addresses in addresses.txt)
egrep '<span data-c=\"[0-9]+\">' page{0..6} | grep final | grep -o '[0-9,.]* BTC' | sed 's/BTC//' | tr -d ', ' | tr '\n' '+' | sed -e '$a\' | sed 's/.$//'

This will output a list of numbers with a '+' as a delimiter. Copy that list and use bc to calculate the final like this:

bc -l <<< "<paste text here>"

The reason I had to use bc separately is grep kept including control characters for color and I was too lazy to fix it. Also, I am aware the code is very crude; I don't do this stuff on a daily basis so I don't need something efficient.


[0 Points] throwahooawayyfoe:

So whoever owns the 1MAqD... address (looks like it might be Agora) also owns the addresses receiving money from SR2 just prior to its fall.

Congratulations! You've found a wallet owned by an exchange, probably BTC-e.