Auroracoin exposed

A month ago, Dogeconomist warned about the risks of Auroracoin. An examination of the Auroracoin blockchain now reveals signs of severe fraudulent activity.

Blockchain data

In cryptocurrencies, transactions are validated by so-called miners. The set of the most recent transactions that haven’t yet been recorded is referred to as a block. Once a block is validated, it is added to the blockchain, a public ledger of all transactions. Blockchains can be viewed through blockchain explorers. The data used for this post contains the entire Auroracoin blockchain up until block 7809 (completed at 2014-04-05 16:02:11 UTC), collected from the Auroracoin Blockchain Explorer in Microsoft Excel using Visual Basic. The complete raw data file can be retrieved here (15 MB).

The big winners

Even though Auroracoin was set up to benefit the citizens of Iceland, in terms of dollar value, the biggest winners of Auroracoin are only a handful of mining pools. The following table shows the addresses with the most Auroracoins mined since inception.

Mined Auroracoins

The two pools with the biggest number of coins mined got 25 coins per block on average. The block reward halved on block 5400, which means they must have quit mining Auroracoins before this time. Block 5400 was completed on March 29, 2014. During most of the period preceding this block, Auroracoin was priced at roughly $20 on average. It can therefore be concluded that these two pools have been able to collect at least half a million dollars’ worth of Auroracoins. Even though this would make these two pools the biggest gainers of Auroracoin in general, the amount of coins they mined is only a fraction compared to those possibly fraudulently acquired from the original Airdrop coins. Icelanders can claim their share of these Airdrop coins as of March 25, 2014.

Signs of severe fraud

A close look at the Auroracoin blockchain reveals that it is far from the success it portrays itself to be. Airdrop coin claims can be extracted from the blockchain by looking at all transactions with a value of 31.8 coins. This follows from the statement on the Auroracoin webpage: “Icelanders will be awarded 31.8 (coins) each from March 25th 2014.” With this methodology, 30,619 transactions are identified as potential claims. This matches the number of transactions provided at the Auroracoin Blockchain Explorer up until block 7809 (shown below). This service keeps track of the number of claims following the same methodology.

Claim Statistics

This method doesn’t capture the exact number of claims, because it will also include normal transfers of 31.8 coins. This leads to a slight overstatement of the number of claims by 0.39% compared to the official number at the Auroracoin webpage (9.27% versus 8.88%). 0.21% can be identified as likely normal transfers, and the remaining bit is counted towards the number of real claims. There is no incentive to transfer this amount to the same address multiple times, which would make it look like an authentic claim. Possibly fraudulent (or excess) claims are identified by filtering for the addresses that received an amount of 31.8 coins more than once, coming from an address with a balance of more than 31.8 coins. This doesn’t include any potentially fraudulent claims where a new address was used.
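The two-step filter described above, written out as an added example in Python (it is not the author's Excel/Visual Basic code). The record layout, the sample transactions, the reading of "balance" as the sender's balance before the transfer, and counting only the claims beyond an address's first as excess are all assumptions made for illustration.

```python
from collections import defaultdict, namedtuple
from decimal import Decimal

CLAIM_AMOUNT = Decimal("31.8")  # Airdrop amount per person, as quoted on the page

# Hypothetical record layout; sender_balance = sender's balance before the transfer.
Tx = namedtuple("Tx", "txid sender sender_balance recipient amount")

# Constructed sample records, not real blockchain data.
SAMPLE_TXS = [
    Tx("t1", "AIRDROP", "500000", "addrA", "31.8"),
    Tx("t2", "AIRDROP", "500000", "addrB", "31.8"),
    Tx("t3", "AIRDROP", "500000", "addrB", "31.8"),
    Tx("t4", "AIRDROP", "500000", "addrB", "31.8"),
    Tx("t5", "addrA", "31.8", "addrC", "31.8"),   # normal transfer of a claimed amount
    Tx("t6", "addrD", "31.8", "addrC", "31.8"),   # normal transfer of a claimed amount
    Tx("t7", "AIRDROP", "500000", "addrC", "31.8"),
    Tx("t8", "AIRDROP", "500000", "addrE", "12.5"),  # not the claim amount
]

def potential_claims(txs):
    """Step 1: every transfer of exactly 31.8 coins counts as a potential claim."""
    # Decimal avoids float rounding when testing for the exact amount.
    return [t for t in txs if Decimal(t.amount) == CLAIM_AMOUNT]

def repeat_claim_addresses(txs):
    """Step 2: addresses paid 31.8 more than once by a sender holding more than 31.8."""
    counts = defaultdict(int)
    for t in potential_claims(txs):
        if Decimal(t.sender_balance) > CLAIM_AMOUNT:
            counts[t.recipient] += 1
    return {addr: n for addr, n in counts.items() if n > 1}

def summarize(txs):
    """Totals for the sample; claims beyond an address's first are treated as excess."""
    claims = potential_claims(txs)
    flagged = repeat_claim_addresses(txs)
    excess = sum(n - 1 for n in flagged.values())
    return {
        "potential_claims": len(claims),
        "flagged_addresses": flagged,
        "excess_claims": excess,
        "excess_coins": excess * CLAIM_AMOUNT,
        "excess_share": excess / len(claims) if claims else 0.0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_TXS))
```

In the sample, addrC receives 31.8 coins three times but is not flagged, because only one of those transfers comes from a sender holding more than 31.8 coins.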

The success of this method can be demonstrated by an example of multiple claims by user thunderwolf at the official Auroracoin forum. On March 27, 2014 he writes: “anyone help 😕 I just claimed my 31.8 AUR but I can´t see it anywhere in my wallet AGJdxXN8pLDmKLfZHuDmRTFhCi7UuMQ3MU.” If all transactions on the blockchain going towards this address are extracted, it can be seen that this claim eventually was successful, and so were five others.

Claims by thunderwolf

This example is just a small catch compared to the top 10 addresses with the biggest numbers of claims. Together, these few addresses already claimed more coins than one third of the coins mined by the most successful mining pool.

Claims per address

The number of possibly fraudulent claims has been high since the start of the Airdrop, and has followed an increasing trend since. The number of new claims has dropped dramatically since the launch, and over half of the new claims can now be identified as potentially fraudulent claims. Both trends are captured by the following graph.

Claims versus fraud percentage

In total, at least 270,109 coins have been acquired through claims that show fraudulent activity. This corresponds to nearly 30% of the total number of claims. Again, this doesn’t even include the cases where another address might have been used to make a claim. Hence the number of “first time claims” in the table below doesn’t correspond to the number of authentic claims.

Auroracoin Transactions

Security failure

Considering the authentication methods put in place for claiming Airdrop coins, there could be a clear reason for possible fraud at this scale. Icelandic citizens are required to identify themselves with their kennitala (National Identification Number). In Iceland, this number is never used to actually authenticate a person. From the wiki: “Iceland makes unusually extensive and public use of its kennitölur, with businesses and educational institutions eschewing internal identification numbers in favour of the national system, and its use being mandated in banking transactions. Furthermore, online banking services in Iceland offer a lookup service to check names against numbers. Because of their public nature, kennitölur are not used for authentication.” Facebook is subsequently used to verify the person, but account data can be changed to reflect the publicly available information on a certain kennitala. A good example of the previous would be this publicly available election list with names, addresses and kennitala. It seems an invitation to commit fraud, although the method used to make multiple claims hasn’t been confirmed.

Update April 12, 2014: It should be stressed that an actual security breach isn’t required to commit fraud. Fraud is defined as using someone’s account data to ultimately only benefit yourself. This is further discussed in the follow-up article here.