Someone paid $2.6 million transaction fee twice: PlusToken Trail

Igor Igamberdiev
5 min read · Jun 16, 2020
Photo by chrissie kremer on Unsplash

TL;DR This seems like a failed attempt to launder PlusToken money.

The most expensive transactions in the Ethereum history

On June 10, an unknown Ethereum address transferred 0.55 ETH ($128) with a transaction fee of 10,668.7 ETH (~$2.6 mln). At the time of writing, the fee is still held by SparkPool, the pool that mined the transaction, which has repeatedly offered to return the fee to its owner. But if the owner doesn’t get in touch with the pool before 15:30 June 17th (GMT+8), the fee will be distributed among the miners.

The day after the first transaction, the same Ethereum address transferred 350 ETH ($82,000) with the same transaction fee of 10,668.7 ETH (~$2.6 mln). This time the mining pool Ethermine received the fee and initially intended to return it to its owner. However, after four days without being contacted, it decided to distribute it to its miners.

Gas price distribution among all transactions of address, Dune Analytics

Both transactions have abnormally high fees and the same sender address, so the motive behind the fees is likely the same as well. Let’s check it out.

Crucial facts about this mysterious Ethereum address:

  • The address is new — the first incoming transaction to it is dated June 7, just a few days before the first abnormal transaction;
  • The address shows signs of automated activity: an enormous number of incoming and outgoing transactions, all with a gas price of 60 Gwei;
  • Many of the incoming and outgoing transactions are connected to Korean exchanges, primarily Upbit;
  • In the first costly transaction, ETH was sent to a Bithumb deposit wallet, while the second one went to an Upbit deposit wallet;
  • The values of most transactions sent from the address are not rounded, so it is unlikely that the address is operated by an exchange;
  • The pools that mined the two transactions differ (SparkPool and Ethermine);
  • Until the second abnormal transaction, transactions continued at one-minute intervals without pause, despite the first loss of $2.5 million.

My main theory was a connection between the Ethereum address and Bithumb’s new custody service, because of the huge flow of funds from the Bithumb hot wallet to our mysterious address, as well as Bithumb’s recent wallet migration. Besides, the majority of transactions went through addresses that had sent a transaction to an address belonging to Bithumb.

ETH flows of the investigated address, Dune Analytics

Such a pattern is common for exchanges and other services where each client needs its own wallet. It also appeared that Upbit interacted with the investigated address more actively than the other Korean exchanges. Moreover, the receivers and the senders are quite often the same exchanges. In the case of the receivers, it is odd that ETH goes directly to the exchanges’ client deposit wallets.

The connection between Upbit, the recipient of the second unusual transaction, and a likely mixing service, Ethereum Blockchain

The graph above shows how funds from the receiver of the second transaction (one of Upbit’s deposit addresses) flow to Upbit hot wallets, which had previously funded our sender through single-use addresses. For the chart, single-use addresses were sampled randomly because there are so many of them. All of the above suggests the operation of a cryptocurrency mixing service (hereafter, mixer), likely associated with a person or an entity in South Korea.

Probable offender

Connections with PlusToken, an Asian Ponzi scheme, were found while researching the transactions of that mixer. Elementus found that this project had collected nearly 10 million ETH, which a bit later turned up on exchanges, mainly Asian ones.

PlusToken ETH Outflows, Elementus

To prevent clients from laundering money, exchanges should apply anti-money laundering (AML) methods. However, this is much more complicated in the case of PlusToken, because participants only started facing withdrawal problems in June 2019, when the Ponzi scheme had already been live for more than a year. By that point, the money could have been transferred to several exchanges and spread widely across wallets without attracting any attention.

Currently, PlusToken’s known address holds ~790k ETH. The rest of the ETH, as already mentioned, had been spread across various wallets, not only exchange ones, from which it was transferred to the investigated address.

Connections between PlusToken and likely a mixer, Ethereum Blockchain

The graph above shows that some routes from PlusToken to the investigated account pass through low-activity addresses and end up on Upbit. As mentioned above, ETH from the Upbit hot wallets reaches the address with the unusual transactions via single-use wallets. Transactions passing through Upbit were explored because its addresses were used less than those of other exchanges, which also reduced the number of deposits to trace.

Another type of connection between PlusToken and likely a mixer, Ethereum Blockchain

The graph above also shows that the PlusToken address leads to exchange deposit wallets that received money from the investigated wallet. In this example, ETH from PlusToken passes through an address that could mistakenly be tagged as an exchange. However, it is likely a mixer that received money from various PlusToken wallets to cover their further trail. To confuse the investigation of that address, an unknown WOR token was issued as well and then distributed from the mixer address. Once the distribution ended, the token was never used again.

Broken laundromat

Summarizing all the above, the address that sent two transactions with a combined fee of $5 million is probably a money-laundering bot that can be connected to PlusToken. The majority of the bot’s transactions are withdrawals from and deposits to several Korean exchanges.

One more argument for an illegal origin of the money is the absence of contact between the address owner and the pools that received the fees. The Ethermine pool has already begun distributing the fee to its miners, and SparkPool will do the same in less than a day, so the blackmail hypothesis is in question.

Nonetheless, the abnormal transactions can be explained as a quick laundering attempt using refunds from miners. If it indeed is PlusToken, they can afford to pay a great sum of money to break the connection with their address. Similar successful cases happened last year, where the owner only had to send a transaction from the same address or sign a message with their private key to get the fee back. However, if that was the plan, the attempt has failed.

All in all, exchanges such as Upbit, Bithumb, and Coinone should additionally inspect clients’ accounts that interacted with the address potentially acting as a mixer.
