The cryptocurrency world’s first public look at the sophisticated hacking operation in its midst, which Fredericton crypto-sleuthing startup Gray Wolf Analytics is playing a key role in investigating, came via a Twitter thread from an anonymous industry account.

The April 18 thread described a successful and widespread effort to hack the digital “wallets” of cryptocurrency owners and steal their assets. Twitter user and security researcher @tayvano_z estimated that more than $12 million worth of the currency Etherium at current exchange rates was stolen in less than four months. The true scale of the problem is even greater; whatever tools the hackers are using, they actually work against numerous different cryptocurrencies.

Even before the news was publicized on Twitter, the crypto community was already in the process of forming an investigative consortium of cybersecurity and digital forensics companies under the corporate umbrella of Blockmage, an international group of researchers and analysts. Additional members of the investigative team include New York’s ConsenSys and Toronto's ChainSafe, among others.

“There have been three waves of attacks that have basically gained unauthorized control of users’ wallets and drained them,” said Gray Wolf Growth Lead Chedi Mbaga, who has led the company’s investigative efforts in the case.

“We knew the (type of) blockchain that this threat actor was targeting. And we also knew that there had been recent news publications about similar attacks on other blockchains.”

Cryptocurrencies are digital financial instruments, the ownership of which is tracked via public ledgers called blockchains and tied to wallet addresses that are roughly analogous to brokerage accounts. If a hacker gains access to a user’s wallet, they can simply take the contents. But the industry’s high-tech nature means cryptocurrency owners tend to be technologically literate, with investigators describing most of the recent heist victims as having “above-average security hygiene.”

Profit-motivated hackers usually pick easy targets — people using old smartphones that no longer receive security updates, for example. The fact the crypto hackers have been able to successfully steal from more sophisticated internet users not just once, but at scale, highlights the unusual nature of their operation.

Gray Wolf joined the Blockmage investigation at the suggestion of one of the startup’s existing clients. At the time, an entity that lost $9.3 million to the hackers was in the process of running a security audit to determine how the theft had occurred. Mbaga took a different approach, using historical information about similar incidents to build a profile of who might be responsible.

The sensitivity of the ongoing investigation limits how many details Gray Wolf can share, but Mbaga’s analysis concluded that the hack was likely tied to other, ongoing criminal activities in the space — a suspicion that was all but confirmed when more news emerged the following day about other, related incidents. Those early insights led to Gray Wolf being asked to join the investigation on a more permanent basis.

“They don’t know how this happened,” said Gray Wolf CEO Matthew Sampson of the state of the investigation at the time. “Several of the people who fell victim to this, they’ve had forensic scans of their devices that found nothing of note. (Mbaga) found the most evidence-backed explanation of what happened, then literally a day later some information came out that further strengthened what he found.”

The blockchains — digital ledgers — that underpin cryptocurrencies are designed such that information, once added, is inexorably incorporated into the mass of data accessible by anyone interacting with the currency. That makes it possible for hackers to spread malware by injecting it into the blockchain, and since cryptocurrencies are anonymous by design, it can be difficult to unmask the source of the malicious code.

The entities responsible for hacks can also vary widely, from petty criminals to state actors. North Korea, for example, has made a rogue state cottage industry of cryptocurrency theft, including a recent, $133 million heist from clients of Estonian company Atomic Wallet.

Mbaga and his fellow investigators, however, are making progress on identifying their own culprits, with a plan to eventually provide the entirety of their findings to law enforcement. Some members of the Blockmage working group are focusing on identifying and liasing with additional victims, who are still coming forward, while others are focusing on internal, technical work and then reporting back with their findings.

“If you’re able to trace the flow of funds to a destination, you get in touch with the service that facilitated the deposit of the crypto and say, ‘We’re flagging that this address might be related to criminal activity,’ in which case they will either freeze those funds or stop that person from interacting with their service,” said Mbaga.

“You would also present a report to law enforcement, like say the F.B.I. … And then they can go and issue subpoenas to the (cryptocurrency) exchanges themselves in order to get the customer data and press charges.”

Gray Wolf in particular has identified 102 wallet addresses associated with the hacks, collectively containing about $7.8 million of Etherium. Mbaga and his colleagues have also uncovered evidence that the hacks are all relying on permutations of the same core technology, offering investigators yet more clues.

“The sophistication is growing — sophistication in terms of cyber crime, sophistication in terms of moving digital assets,” said Gray Wolf chairman Dhirendra Shukla, adding that his company’s methodology involves a combination of both software tools and human investigative work.

“What Matthew (Sampson) and Chedi (Mbaga) are doing, it’s a little bit unconventional … But if we were not doing this, we would not be able to get the deep insights of what is happening and how things are moving.”