The analysis of ETC 51% attack from SlowMist Team

5 min readJan 9, 2019


Beijing time On January 06, 2019, we warned of the possibility of the ETC 51% attack in SlowMist Zone based on the information analysis of SlowMist Zone Intelligence and the BTI (Blockchain Threat Intelligence) system.

The next day, we got ETC official, Coinbase official response and analysis.

ETC release official Twitter:

“Chinese blockchain security firm SlowMist sent out an alert that the Ethereum Classic (ETC) network might have been targeted by a 51% attack.” Exclusive: One $ETC Private Pool Claimed over 51% Network Hashrate — Reported via @SlowMist_Team

Coinbase release official blog:

Jan. 7, 10:27pm PT:The Coinbase has identified a total of 15 attacks, 12 of them included double spend, totaling 219,500 ETC (about $1.1 million)

On January 08, 2019, the news was received. The official confirmed the ETC’s 51% attack. 7 transactions were detected rollback. There are four of them, and the attackers have traded a total of 54200 ETC, their txHash are:





The ETC wallet addresses which owned and manipulated by the attacker are:




Since January 06, 2019, we began to continue to focus and track based on the BTI system, related disclosed intelligence and related blockchain explorer:

Tracking found that the address that intersected the malicious wallet address 0x3ccc8f7415e09bead930dc2b23617bd39ced2c06

for the first time was 0x24FdD25367E4A7Ae25EEf779652D5F1b336E31da

Based on this address, we continue to track and find the address at the first point in time:



2019–01–05 19:58:15 UTC

0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE is Binance wallet address:

In other words, the attacker extracted a large number of ETC from the Binance wallet to:


And then, transfer the coin to the account:


According to the exclusive information provided to us by, the Bitrue wallet address is 0x2c9a81a120d11a4c2db041d4ec377a4c6c401e69

According to this, we trace the attack:

Query block height: 7254355

Block: 7254430

We found that the original transaction in the follow figure on the block did not exist.

AT this point, the attacker completes the first 4000 ETC attack on Bitrue.

The same as another 9000 ETC attack on Bitrue

Bitrue was confirmed on Twitter:

We continue to track forward


2019–01–06 03:26:56 UTC

Query block height:


2019–01–06 03:27:11 UTC

Query block height:

And then the attacker completed the first 600 ETC attack on 0xbbe16859214e2c0ef0b7857b11f3681adedf6034

It is consistent with the information posted on the Coinbase blog:

Based on continuous tracking, we found that, in view of the increase in block confirmations and the ban on malicious wallet addresses by exchanges, the attacker’s 51% attack on ETC is in UTC 2019–01–08 04:30:17 (Beijing time 2019–01- 08 12:30:17 ) has stopped after that.We think that every large attack from the attacker must be backed up by adequate cost and under consideration of the risk,involving the money spent and time cost before the attack and during the attack,the countervailing traceability costs of money laundering after the attack. Through our intelligence analysis, the identity of the attacker can be finally located if the relevant exchanges are willing to assist.

At the same time, we believe that due to the recent decline in blockchain funding, the net mining power of the whole network has declined. You have really felt the impact of the 51% on ETC, and it is foreseeable that the attack will be increase rapidly with the cost of attack reduced. t is particularly recommended to add a risk control mechanism to the following token that have profitable space.

Reference address: (note that the data of this website is for reference only, absolutely can not be sloppy to represent the real attack situation)

Remarks: wallet address:

0x0d0707963952f2fba59dd06f2b425ace40b492fe gives the ETC wallet address owned and manipulated by the suspected attacker:




Bitrue wallet address:


Attacked address:






Involving miners or large investor:

We have the first time to add these malicious wallet address and malicious associated address to BTI and made available to partners to prevent an attacker from further attack other exchanges. And provide intelligence to partners to prevent attackers from further attacking other exchanges. Finally, we recommend that all digital asset services platform block transfers from the above malicious wallet addresses. And strengthen the risk control, maintain a high degree of attention, and be alert to double spend attacks that may erupt at any time.

If you have any questions, please contact us directly at




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.