Malicious Crypto Transaction Report 3: Coinbene hacker’s money laundering flow analysis

(주)수호아이오

Hi, this is mara, a data analyst at SOOHO.

On March 19, there was a hacking incident at Coinbene, Singapore’s cryptocurrency exchange, which led to the theft of large amounts of cryptocurrency. Most of the cryptocurrencies were Ethereum-based ERC tokens, which were withdrawn shortly afterwards to Huobi and the decentralized exchange Etherdelta.

Since then, Ether has been sent from Etherdelta to accounts including the Coinbene hacker’s. The funds withdrawn from Etherdelta in the form of Ether amount to over 10,817 ETH and are now flowing through a money laundering process to the Russian exchange Yobit. The last inflow into Yobit was on November 16, and about 3,000 ETH still remains.

The figure below summarizes the flow of the Coinbene hacker’s funds as a diagram.

Figure 1. Fund flow diagram

Red line: token flow

Black line: ether flow

Key figures

Amount taken from Coinbene: 107 types of cryptocurrencies, KRW 5.8 billion

Ether sent from Etherdelta to wallets related to the Coinbene hacker: 10,817 ETH

Amount that flowed into Yobit: 8,740 ETH

Amount deposited in the red wallet address: 3,030.5925156861 ETH

Flow of the cryptocurrencies

The details of the movement of the cryptocurrencies are as follows.

The funds seized from Coinbene on March 25 were 107 types of cryptocurrencies, totaling KRW 5.8 billion.

A day later, starting March 26, the hacked funds were withdrawn from the hackers’ wallets to Huobi and Etherdelta wallets.

Among them, Ether was withdrawn from the wallets where the tokens had been deposited with EtherDelta and gathered into 0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe. The total amount was 10,817 ETH.

Since then, the Ether sent to 0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe was forwarded to 0x1cab134c69a361d880a33eb98237b5557ad4cd26 on September 20, and after that approximately 6,800 ETH flowed into Yobit over a total of 26 transactions. The remaining 4,000 ETH was sent back to the wallet 0x43b69c2927e53f8cccdcb2bbb73bf637215405c7.

Later, in November, the hacker transferred some of the laundered funds to Yobit, remitted the remaining funds to another account, and then slowly moved the funds into Yobit over several occasions.

Finally, the funds that have not yet flowed into an exchange amount to around 3,030 ETH, which was sent to the wallet 0x698a98afbca7423b413b5f0f7efabbb08a773767 on November 17 and is still kept there.

In addition, on November 16, about 55 ETH flowed from the hacker’s account to Binance. After 28 minutes, there was a record of a withdrawal of approximately 53 ETH from Binance’s wallet to one of the money laundering accounts, 0x8d419c8b98885a899844dc74f0213431a620be2c, possibly withdrawing the funds back.

Therefore, each exchange should take action as soon as possible, including registering the wallet addresses below on a blacklist.
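As an added example (not part of SOOHO's analysis or tooling), the Python code below shows how an exchange could apply such a list: it rejects malformed entries, matches addresses case-insensitively, and flags a deposit followed by a similar withdrawal, like the Binance movement described above. The transfer record layout, the `minute` field and all function names are assumptions, and the sample transfers are constructed.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def build_watchlist(entries):
    """Normalize addresses to lowercase; return (valid set, rejected entries)."""
    valid, rejected = set(), []
    for raw in entries:
        addr = raw.strip()
        if ADDR_RE.fullmatch(addr):
            valid.add(addr.lower())
        else:
            rejected.append(raw)  # would otherwise sit in the list and never match
    return valid, rejected

def screen(transfers, watchlist):
    """Transfers whose sender or recipient is on the watchlist."""
    return [t for t in transfers
            if t["from"].lower() in watchlist or t["to"].lower() in watchlist]

def round_trips(transfers, exchange, watchlist, window_min=60, tolerance=0.10):
    """Pairs (deposit, withdrawal): a watchlisted address pays into `exchange`
    and a similar amount leaves it for a watchlisted address within the window."""
    exchange = exchange.lower()
    deposits = [t for t in transfers
                if t["to"].lower() == exchange and t["from"].lower() in watchlist]
    withdrawals = [t for t in transfers
                   if t["from"].lower() == exchange and t["to"].lower() in watchlist]
    return [(d, w) for d in deposits for w in withdrawals
            if 0 <= w["minute"] - d["minute"] <= window_min
            and abs(d["eth"] - w["eth"]) <= tolerance * d["eth"]]

# Addresses quoted in the report; the last entry is a constructed truncated copy.
WATCHLIST, REJECTED = build_watchlist([
    "0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe",
    "0x43b69c2927e53f8cccdcb2bbb73bf637215405c7",
    "0x698A98AFBCA7423B413B5F0F7EFABBB08A773767",  # mixed case, same address
    "0x8d419c8b98885a899844dc74f0213431a620be2c",
    "0x698a98afbca7423b413b5f0f7efabbb08a77376",   # 39 hex digits: rejected
])
BINANCE = "0xd9ee699014aefd7084033255af0cab02367c5b70"  # listed as Binance-related
OTHER = "0x" + "11" * 20  # constructed unrelated address

# Constructed transfers: amounts and 28-minute gap follow the report; sender is illustrative.
SAMPLE = [
    {"from": "0x43b69c2927e53f8cccdcb2bbb73bf637215405c7", "to": BINANCE, "eth": 55.0, "minute": 0},
    {"from": BINANCE, "to": "0x8d419c8b98885a899844dc74f0213431a620be2c", "eth": 53.0, "minute": 28},
    {"from": BINANCE, "to": OTHER, "eth": 54.0, "minute": 30},
]
```

Entries returned in `REJECTED` should be corrected against the source report rather than dropped, since a malformed address in a blacklist fails silently.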

Address list

1. Wallet address of Coinbene Hacker

0xb3df999c5dc026dea265aeb02b8519844c9b6d5e

2. Wallet address related to Yobit


3. Wallet address related to Etherdelta


4. Wallet address related to Huobi

0x712ae2390e296311d69fcd143a2ad2117a7ca997

5. Wallet address related to Binance

0xd9ee699014aefd7084033255af0cab02367c5b70

6. Wallet address that needs constant monitoring

0x698a98afbca7423b413b5f0f7efabbb08a773767

7. Wallet addresses that took part in this money laundering process


Thanks.

Please feel free to contact us if you need to analyze cryptocurrency transactions. (contact@sooho.io)
