A Clue About the DAO Attacker’s Location?

Published on: Jun 21, 2016 Last edited: Jan 8, 2023

Where in the world is he/she? This first chart shows those transactions distributed by…

I used EthSlurp to scrape every transaction from The DAO since its inception. This first chart shows those transactions distributed by hour. There are more than 121,000 transactions:

As you can see, the transactions are relatively evenly distributed throughout the day. This is to be expected because the DAO token holders are presumably distributed evenly across the globe. This makes perfect sense.

So What?

Recently, a user called kumavis on TheDAO slack published a list of accounts that he thought may have been related to the attack on the DAO. Here is that list along with names kumavis provided for each account:

Let’s call this Suspect Set 1. These five accounts have made 795 transactions on the Ethereum blockchain.

In an unrelated but similar post, Johannes Pfeffer provided a larger list of possibly related accounts this very informative blog post: The Attack Story. Pfeffer’s larger list includes all of the accounts from Suspect Set 1 in addition to six other accounts. Pfeffer used his own names, but I marked the accounts on both lists in red. (Suggestion to community: we should come up with a list of definitive names to use for these accounts.)

There were 1,084 transactions on these eleven accounts. I charted the same hourly distribution on both Suspect Set 1 and Suspect Set 2, and while I cannot say for certain, I think I see a pattern.

Waking? Working? Sleeping?

One possibility is that this person gets up each morning, works on the blockchain all day, and then goes out to party at night. If they started work at 9:00 AM, this would put them somewhere in Russia, Kazakhstan, Pakistan, or India.

However, a better explanation — as many readers have pointed out — may be that this person gets off of work at 6:00 PM, sits down to work on Ethereum around 7:00 PM local time, and then goes to bed around 1:00 or 2:00 AM. This would put them somewhere near the west coast of the United States or Canada.

Of course, as with all things crypto, to know for sure is impossible. Is the information I’ve provided important or even pertinent? I don’t know. At least it’s something. I’d love to hear what you think. More information and the lists of transactions are here: http://daodeepdive.com/data/hack_data.

The data used in this post was provided by the EthSlurp software: http://ethslurp.com. If you find the information useful and wish to support our work, please consider visiting our site and sending us a tip.

Edit this page on GitHub