Update (September 4, 2018): The day after this article was published and circulated, Justin Tabb tweeted about receiving email correspondence regarding a SIM swap investigation. If you choose to continue reading the article, please do so with this timely development in mind.
A few days ago, I wrote a piece detailing my suspicions about Substratum's AMPX ICO. After the post hit #1 on the cryptocurrency subreddit*, it got over 50,000 page views and I received dozens of emails and messages from people around the world who shared my perspective.
One particular email from CC in Sweden got my attention, so I decided to look into it. He told me he “started feeling weird about Substratum” after their Twitter account allegedly got hacked back in May 2018. The tweet was a Coinbase listing announcement and stayed online for ~21 minutes before the Substratum team regained control of the account and deleted the tweet. In those 21 minutes, the price of SUB increased 20% and crashed back to pre-pump levels. Here's a screenshot of the tweet, which was posted on May 2, 2018 at 2:58 PM EST (6:58 PM UTC).
Here's a screenshot of Substratum's response tweet 21 minutes later at 12:19 PM JST (7:19 PM UTC).
These tweets don't reveal anything truly useful or definitive, but here are a few small things I noticed. I'll refer to the hacked tweet as “Tweet A” and Substratum's tweet as “Tweet B”.
- Tweet A uses “ERC20” instead of “ERC-20”. This probably doesn't mean anything, but whoever runs Substratum's Twitter account exclusively uses ERC20 as well — examples here, here, here, and here.
- Tweet A does not have punctuation at the end of the last sentence in the tweet. This happens in many of Substratum's and Justin Tabb's own tweets as well — examples here, here, here, here, and here.
- Tweet B uses two spaces after each period and the sentences are perfectly constructed. After browsing Substratum's Twitter account for 10 minutes, I was unable to find another tweet with a similar sentence structure, making it seem like Tweet B was purposely crafted to look different from Tweet A.
Again, I don't think the above observations reveal anything malicious, but they do present some interesting correlations when it comes to writing style, which is often subconscious.
Examining Substratum's ETH Wallets
Substratum's ETH crowdsale wallet (SubstratumCrowdsale) can be viewed here, and it currently contains 11,629 ETH. The screenshot below shows three transactions that I'm interested in. All three were made on April 29, 2018, and transaction details can be found here, here, and here.
The first (bottom) transaction consisted of 200 ETH being sent from SubstratumCrowdsale to a Gemini address. This doesn't raise any red flags because Substratum has an established history of sending ETH to Gemini for liquidation to USD. On this occasion, however, 200 ETH is sent back to SubstratumCrowdsale a few minutes later, as shown by the second (middle) transaction. Finally, the 200 ETH is sent again, but this time to a different address. This behavior suggests someone sent 200 ETH to Gemini as usual, before realizing whatever he or she wanted to do with the ETH was not possible on Gemini. Thus, the ETH was sent back to SubstratumCrowdsale before sent off to somewhere else. Interesting. So where did the 200 ETH end up?
I don't know what to make of this wallet. It looks like some kind of “holding wallet,” so I'll just call it SubstratumHoldingA from now on. The screenshot below shows two transactions in SubstratumHoldingA that I'm interested in, and transaction details can be found here and here.
These two transactions were also made on April 29, 2018, and they ended up here - a wallet I'll refer to as SubstratumHoldingB. Here's a screenshot of the transactions in SubstratumHoldingB.
As you can see, the two incoming transactions for 140.2 ETH and 5 ETH are from SubstratumHoldingA. The 145.2 ETH is then split into many smaller transactions and sent to various destinations. Don't worry, I have compiled a spreadsheet (with help from KH) of the 18 outgoing transactions made on April 29, 2018.
The spreadsheet shows the path for each transaction from SubstratumHoldingB, which all went through several layers of seemingly meaningless obfuscation before ending up at an exchange. Some transaction paths ended in dead ends where I was unable to determine the next hop without making too many assumptions. Based on the nature of these dead ends, I suspect the ETH was sent to a decentralized exchange for further obfuscation. I have highlighted dead ends in red. Some transactions were included in grouped transactions before being sent to the exchange, and these are highlighted in orange. Finally, transactions highlighted in green were sent to an exchange for certain.
Click here to view the spreadsheet, and once again, thank you to KH for helping out with this!
As you can see in the spreadsheet, the transactions went through many layers of obfuscation before arriving at Binance, Bittrex, Bitfinex, and Cobinhood. Since I don't have the exchanges’ records, it's impossible for me to tell if the ETH was sent somewhere else after being deposited. For the purpose of this post, let's assume 140 ETH made it to Binance.
SUB-ETH Price Action from April 29 — May 2
The screenshot below shows a 30m price chart of SUB-ETH on Binance.
- A — 4/29 10:30:00 — 11:29:59 PM UTC
- B — 4/29 11:30:00 — 11:59:59 PM UTC
- C — 4/29 12:30:00 — 12:59:59 AM UTC
A shows the timeframe when ~145.2 ETH was transferred from SubstratumCrowdsale to SubHoldingA. B shows the timeframe when transactions originating from SubHoldingB were obfuscated and sent to exchanges.** C** shows a large green candle and volume spike that does not reflect the previous price and volume trend. In other words, there was a large buy around half an hour after Substratum sent ETH to Binance.
Let's take a closer look on the 5m chart.
- A — 4/29 12:35:00 -12:39:59 AM UTC
- B — 4/29 12:45:00 -12:49:59 AM UTC
- C — 4/29 12:50:00 — 12:54:59 AM UTC
A on this chart represents five minutes after the start of C on the previous chart. Based on transaction details provided by Etherscan, we know that the transactions to Binance were sent around 11:30 PM UTC. In the price chart above, we can see three large buys in the span of twenty minutes. The volumes for candles A, B, and C are 51.22K SUB, 26.198K SUB, and 57.074K SUB, respectively. If we include the red candle in the middle, the total volume in these four candles comes out to ~172,000 SUB. Just for reference, the average price (O+C/2) of SUB on April 29, 2018 was 0.00116568 ETH, which means 140 ETH could purchase ~120,000 SUB.
For a macro look, let's look at the 1h chart for SUB-ETH. A shows the volume activity from 12:00AM to 1:00AM UTC — immediately after Substratum deposited ETH to Binance.
Now, let's fast forward to May 2, 2018, the day of the hacked tweet. Below is a 5m chart of SUB-ETH.
- A — 5/2 6:55:00 — 6:59:59 PM UTC
- B — 5/2 7:00:00 — 7:04:59 PM UTC
- C — 5/2 7:05:00 — 7:09:59 PM UTC
- D — 5/2 7:15:00 — 7:19:59 PM UTC
A contains the Coinbase listing tweet at 6:58 PM UTC, and first responders were able to buy in causing a small spike in volume. B is where the pump actually happens with a price increase of approximately 20%. Five minutes later, C dumps back down to where the pump started. Interestingly enough, another nine minutes pass before Substratum tweeted that the Coinbase announcement the result of a hacked account at 7:19 PM UTC, inside** D**.
Here's the weird thing. During the time between B and D, the public did not know the Coinbase listing was the result of a hacked account (it wasn't announced until 14 minutes later), so why did the price dump in those 15 minutes? You would assume a Coinbase announcement would send any coin into the stratosphere, and we've seen this happen. Remember Bitcoin Cash? Secondly, why didn't Substratum communicate on any other social media channels between B and** D**? Lastly, the tweet at 7:19 PM UTC happens right as the price returns to pre-pump levels. Perfect timing.
I am aware that Substratum was running a 1,000 SUB competition in early May, but I still find all this to be a little suspicious. No accusations here, just my interpretation of the wallet activity and price action.
- 140 ETH was equivalent to over 120,000 SUB. Were 120 winners supposed to receive 1,000 SUB each?
- What's up with the multi-layer obfuscation before hitting the exchange? This is obviously not standard protocol as we can see from the usual Gemini liquidation transactions.
- What happened between B and** D**?
All of this could very well be nothing, but I don't believe in coincidences when money (lots of it) is involved.
* This Reddit post linking to my post was made by u/limdur, and the title “Substratum is doing a second ICO after 1 year and starting to look like a major scam” is not mine. I have suspicions about the direction of the company, but I did not call Substratum a scam anywhere in the post.