Tracking the PlusToken Whale: Attempted Bitcoin Mixing and Its Impact on Wasabi Wallet

ErgoBTC
11 min read · Oct 23, 2019


Recently, I found some odd whale behavior merging hundreds of Wasabi mix outputs.

Following the whale’s trail led to thousands of BTC reportedly controlled by the massive scam, PlusToken.

If you were going to mix thousands of BTC, this is not the way to do it.

From hell’s heart I stab at thee; for hate’s sake I spit my last breath at thee. Ye damned whale. — Captain Ahab

TLDR SUMMARY

  • An entity with links to PlusToken attempted to mix more than 50,000 BTC between early August and mid-September.
  • The majority of these coins were run through a poor quality “self-shuffling” algorithm before merging and sending to exchanges.
  • The remaining BTC were forced through the Wasabi wallet mixer as part of Sybil behavior before merging and sending to exchanges.
  • The majority of the poorly mixed coins were sent directly to Huobi.

PlusToken SCAM

PlusToken was a popular high yield investment (ponzi) scheme operating largely in Asia. Promises of high returns and stake in a “decentralized” ETH token (PLUScoin) drew in deposits of Bitcoin, Ethereum, BCash, Litecoin, RippleCoin, DOGE, and Dash from unsuspecting speculators.

The scam went largely unnoticed in the west while drawing in a self-reported 2.4 to 3 million users, an estimated $2.9 billion of investments, and over 200,000 BTC.

That was until June 27th when six members of the PlusToken scam were arrested in Vanuatu.

PlusToken Scammer Mugshots

In late June, several coincidental events took place around the time of the arrests including:

27 June Coincidences: PlusToken Addresses, Clusters, and Local Price Top

During the arrests, authorities reportedly seized a portion of the cryptocurrencies controlled by PlusToken. However, some of the PlusToken hoard was not recovered due to the multi-signature security employed by the scammers.

So if you were a marked scammer with thousands of BTC, how would you cash out on the 100% transparent blockchain?

ANALYSIS FOCUS

In early September, I noticed odd whale behavior merging thousands of BTC from Wasabi mix outputs. Further evaluation of the source of these funds led to the discovery of Sybil-like behavior on the Wasabi wallet mixer.

After I shared the source of the Sybil behavior on Twitter, blockchain analyst and developer of oxt.me LaurentMT indicated possible links between the source address and PlusToken. He was kind enough to produce a diagram showing the flows of funds between several OXT clusters and addresses with reported ties to PlusToken and Huobi.

PlusToken — Addresses and Clusters Mixing Through Wasabi Mixer

The following entities made large deposits into the Wasabi mixer between 7 August and 9 September:

ATTEMPTED BITCOIN MIXING

Tracking the entities above revealed repeated mixing patterns including:

  • Receiving of large amounts of BTC (often >3000 BTC) to a single address
  • Branching off the reused address in large batches of 500 to 6000 BTC
  • Samourai Wallet-like Ricochet transaction hops followed by splitting patterns
  • Attempted mixing of the split BTC through a poor quality tumbler and the Wasabi Wallet mixer

These patterns are partially illustrated in the abbreviated history of address [1Li4m…] below.

OXT Transaction Graph — Address [1Li4m…] History

ATTEMPTED MIXING VIA “Self-Shuffling”

I call this process “self-shuffling”, because it resembles a coinjoin transaction. Effectively, this is a traceable process of repeated UTXO splitting and merging.

It’s likely that the self-shuffling is an algorithmic tumbler due to the huge number of transactions and repeated patterns involved in the process.

OXT’s transaction graph is useful for visualizing the self-shuffling.

OXT Transaction Graph — Self-Shuffling Process

These self-shuffling transactions are missing the following key attributes of an ideal coinjoin transaction:

  • No address reuse
  • The breaking of all deterministic links between inputs and outputs. Note: A deterministic link is a 100% certain linkage between transaction inputs and outputs defined by CoinJoin Sudoku
  • The introduction of multiple transaction interpretations

The deficiencies in the self-shuffling process are easily visualized using kycp.org.

KYCP Transaction Privacy Graph — Self-Shuffle Transaction

Again, the goal of an ideal mixing transaction is to break all deterministic links between inputs and outputs. The self-shuffling process does not accomplish this.

As a result, these inputs and outputs are 100% linkable.

To make matters worse, after the self-shuffling process, the previously split outputs are merged in large batches of more than 50 BTC. The large outputs are typically sent to Huobi within a few transactions, again providing additional evidence of common ownership.
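To make the "deterministic link" and "multiple transaction interpretations" criteria concrete, here is an added example (not the article's or KYCP's code): a brute-force enumeration, in the Boltzmann style, of the ways a transaction's inputs can be partitioned to pay its outputs. Fees are ignored and amounts are in satoshis; an input/output pair that sits in the same sub-transaction under every interpretation is a deterministic link, and the sample transactions are constructed.

```python
from fractions import Fraction
from itertools import combinations

def _mappings(ins, outs):
    """Yield every partition of the remaining inputs/outputs into sub-transactions
    whose input sum equals their output sum (fees ignored, amounts in satoshis)."""
    if not ins:
        if not outs:
            yield []
        return
    first, rest = ins[0], ins[1:]
    for k in range(len(rest) + 1):
        for others in combinations(rest, k):
            group_in = (first,) + others
            target = sum(a for _, a in group_in)
            rest_in = [i for i in rest if i not in others]
            for m in range(1, len(outs) + 1):
                for group_out in combinations(outs, m):
                    if sum(a for _, a in group_out) != target:
                        continue
                    rest_out = [o for o in outs if o not in group_out]
                    for tail in _mappings(rest_in, rest_out):
                        yield [(group_in, group_out)] + tail

def link_analysis(inputs, outputs):
    """Return (number of interpretations, deterministic input->output links,
    link probability for every (input index, output index) pair)."""
    ins, outs = list(enumerate(inputs)), list(enumerate(outputs))
    maps = list(_mappings(ins, outs))
    if not maps:
        raise ValueError("input and output sums differ; no fee-free interpretation")
    links = {}
    for i, _ in ins:
        for j, _ in outs:
            hits = sum(1 for m in maps
                       if any(i in {x for x, _ in gi} and j in {y for y, _ in go}
                              for gi, go in m))
            links[(i, j)] = Fraction(hits, len(maps))
    deterministic = sorted(p for p, prob in links.items() if prob == 1)
    return len(maps), deterministic, links

# Constructed self-shuffle step: 5 BTC + 3 BTC in, 6 BTC + 2 BTC out.
SELF_SHUFFLE = ([500_000_000, 300_000_000], [600_000_000, 200_000_000])
# Constructed Wasabi-style round: two equal inputs, two equal mix outputs
# and two equal change outputs.
COINJOIN = ([15_000_000, 15_000_000], [10_000_000, 10_000_000, 5_000_000, 5_000_000])

if __name__ == "__main__":
    for name, (i, o) in (("self-shuffle", SELF_SHUFFLE), ("coinjoin", COINJOIN)):
        n, det, _ = link_analysis(i, o)
        print(f"{name}: {n} interpretation(s), {len(det)} deterministic links")
```

The self-shuffle step admits a single interpretation, so every input is deterministically linked to every output; the equal-output coinjoin admits five, and no link is certain.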

I did not track all of these transactions, but an example can be found here.

Self-Shuffle Volume Estimate

A summary of the whale self-shuffle flows from the entities of interest is presented in the table below.

A total of approximately 35,000 BTC was self-shuffled.

Whale Self-Shuffle Flows

During this analysis, additional sources of “self-shuffling” were noted, but not tallied. There are likely several thousand additional BTC involved in this process.

ATTEMPTED MIXING VIA WASABI MIXER

I originally noted the whale behavior due to odd Wasabi postmix spending.

Abnormally High Address Reuse

Specifically, many postmix transactions suffered from abnormally high amounts of address reuse. Here is an example.

KYCP Transaction Privacy Graph — Whale PostMix Address Reuse

As you can see, this whale postmix transaction experienced 100% address reuse among mix outputs.

I did not perform a thorough analysis of each postmix transaction, but address reuse among clustered transactions declined significantly after September 3rd.

Wasabi Whale PostMix Behavior

The merging of mix outputs followed similar patterns that are easily clustered using the merged input heuristic. Here is the general pattern:

PostMix Transaction (Merge #1):

  • Merging of mix outputs into transactions of 10 to 25 BTC, frequently with a change output.

Merge #2:

  • Merging of postmix (Merge #1) transaction outputs into transactions with outputs from 20 to 225 BTC and a change output. The large outputs were typically paid directly to Huobi.

Merge #3:

  • Merging of postmix (Merge #1) transaction outputs and change from Merge #2, with a large payment of 20 to 225 BTC sent to Huobi.

An example of this behavior is presented below.

OXT Transaction Graph — PostMix Cluster Process (Mix TxIDs 1 & 2)

The repeated patterns, merging of change outputs, and common payment endpoint indicate common ownership of these funds. A portion of the postmix cluster is shown below.

OXT Transaction Graph — Larger Postmix Cluster (MixTx ID)

I originally noted a postmix whale cluster of 2600 BTC. The transaction graph above shows roughly 6500 BTC.

Current estimates of the whale’s postmix cluster are 10,084 BTC.

I can be contacted to provide a list of the merged TxIDs to any interested parties.

Wasabi Mixer Sybil-Like Behavior

After noting the original 2600 BTC postmix cluster, I found TxID [00164…]. This transaction was a significant source of BTC entering the Wasabi mixer.

TxID [00164…] included the following properties:

  • A massive split of 3272 BTC into 284 outputs off of address [1Li4m…]
  • Outputs ranging from approximately 8 to 14 BTC
  • 104 outputs from TxID [00164…] went through the self-shuffling process
  • The remaining 180 outputs (a total of 2045 BTC) were deposited into Wasabi after exactly 3 transactions
  • Wasabi mixes after TxID [00164…] received multiple deposits from TxID [00164…]

This could be described as a Sybil attack. For a mixing service, a Sybil attack is often defined as one user pretending to be many. In this case, the whale is pretending to be many different mix participants by running multiple mixing clients.

However, I refer to this as “Sybil behavior” because the intent of the behavior is often considered in the definition.

I do not believe this behavior was malicious, but it is certainly damaging to user privacy.

Here is a breakdown of the mixes receiving deposits from TxID [00164…]. This was a preliminary attempt to estimate the number of mixing clients the whale was using. I also included unmixed change outputs from previous mixes receiving deposits originating from address [1Li4m…].

Sybil Behavior Overview — TxID [00164…] and [1Li4m…]

Typical input counts from [1Li4m…] ranged from 12 to 18. Splitting the difference yields approximately 15 mix clients.

Here is an example mix receiving 15 deposits from TxID [00164…]. The inputs greater than 12 BTC can be followed back to TxID [00164…].

Evaluating the whale’s flow of funds between early August and mid-September led to additional evidence supporting the 15 client estimate. Another Sybil example from address [1Li4m…] is shown below.

Wasabi Mixer Sybil Behavior from Address [1Li4m…] (Mix TxID)

Inflated Privacy Metrics

Wasabi mixes break deterministic links for identical sized outputs. Identical Wasabi mix outputs are assigned a privacy metric (anonymity set) equal to the number of identical outputs for each denomination of a mix.

The base mix output denomination is ~0.1 BTC. The 0.1 mix outputs can be used to estimate the maximum number of users participating in a Wasabi mix.

The following graph shows a portion of the Wasabi mixer history. It includes the 24 mix average of the 0.1 BTC outputs for each mix. In addition, it includes an estimate of the upper-bound for new BTC entering mixing.

Wasabi Mixer History — Base Denomination Mix Outputs and Mixer Inflows Courtesy of LaurentMT

This chart illustrates the following:

  • A significant increase in new BTC entering the mixer starting 7 August
  • Prior to the 7 August inflow spike, the 24 mix average of 0.1 outputs ranged from 55 to 75
  • After the inflow spike, the 24 mix average of 0.1 outputs increased to between 70 and 90
  • An increase of 15, providing additional evidence for the 15 mix client estimate

This client estimate should be considered a lower bound. It is possible that the whale was operating additional clients among the anonymity set outputs over the noted time period.

This behavior does not “de-anonymize” normal users in the 0.1 mix outputs, but it does result in an artificially inflated anonymity set metric over the noted period.

A similar chart for the non-base mix denominations is shown below.

Wasabi Mixer History Non-Base Denomination Courtesy of LaurentMT

For the larger mix outputs, the whale was mostly mixing with itself and inflating anonymity sets, with a few exceptions.

Isolated De-Anonymization of Large Outputs

The term “de-anonymization” is used to describe the revealing of ownership of mixed UTXOs to any entity. However, this term does not account for varying degrees of de-anonymization.

An example of de-anonymization can be found in mix TxID [6e57c…].

This mix has 15 inputs greater than 8 BTC. Of the 15 inputs larger than 8 BTC all but one (Input 94) originate from address [1Li4m…].

As a result, Input 94’s 3.2 mix output is automatically de-anonymized to the whale. This is a direct result of the whale’s Sybil behavior.

After the mix, the whale merged every 3.2 mix output but one into its large postmix cluster, leaving output 212 identifiable as belonging to Input 94. The whale’s poor postmix spending patterns effectively de-anonymize Input 94’s mix output to everyone observing the blockchain.
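An added example, not from the article, that ties the merged-input heuristic used for the Merge #1 to #3 clustering above to the isolated de-anonymization just described: postmix spends are clustered by common input ownership, and for each denomination of a mix the code counts how many identical outputs stay outside the whale's cluster. All TxIDs and outpoints are constructed placeholders; the heuristic is deliberately not applied to the coinjoin itself, where it does not hold.

```python
from collections import defaultdict

class UnionFind:
    """Minimal disjoint-set structure keyed by outpoints (txid, vout)."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster_by_merged_inputs(postmix_txs):
    """Merged-input heuristic: every outpoint spent by one transaction is
    assumed to belong to the same entity. Applied to postmix spends only."""
    uf = UnionFind()
    for tx in postmix_txs:
        for op in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], op)
    return uf

def effective_anonymity(mix, postmix_txs, whale_outpoint):
    """Per denomination: (nominal anonymity set = count of identical outputs,
    the outputs NOT merged into the cluster containing whale_outpoint)."""
    uf = cluster_by_merged_inputs(postmix_txs)
    whale = uf.find(whale_outpoint)
    by_amount = defaultdict(list)
    for vout, amount in enumerate(mix["outputs"]):
        by_amount[amount].append((mix["txid"], vout))
    return {amount: (len(ops), [op for op in ops if uf.find(op) != whale])
            for amount, ops in by_amount.items()}

# Constructed data (not real TxIDs): three whale inputs and one outsider input
# join a mix paying four 3.2 BTC outputs and four 0.1 BTC outputs.
MIX = {"txid": "mix", "inputs": [("w1", 0), ("w2", 0), ("w3", 0), ("other", 0)],
       "outputs": [3.2, 3.2, 3.2, 3.2, 0.1, 0.1, 0.1, 0.1]}
# The whale then merges three 3.2 outputs with a coin already known to be its own.
POSTMIX = [{"txid": "merge1",
            "inputs": [("mix", 0), ("mix", 1), ("mix", 2), ("whale_known", 0)],
            "outputs": [9.7]}]

if __name__ == "__main__":
    result = effective_anonymity(MIX, POSTMIX, ("whale_known", 0))
    for amount, (nominal, left) in result.items():
        print(f"{amount} BTC: nominal anon set {nominal}, outside whale cluster: {left}")
```

The lone surviving 3.2 output is attributable to the outsider input by elimination, while the 0.1 outputs keep their full anonymity set.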

This is why deterring any Sybil behavior and enforcing best practices during postmix spending is critical for protecting user privacy.

Further analysis of the whale’s postmix behavior is required.

Wasabi Whale BTC Inflows

So how many BTC did the whale force through the Wasabi mixer as part of the Sybil behavior? Around 19,000 BTC.

Over 11,200 BTC originated from address [1Li4m…] alone.

The breakdown of whale inflows into the Wasabi mixer is presented below.

Whale Inflows to Wasabi Mixer

With inflows around 19,000 BTC and the large postmix cluster noted above totaling 10,000 BTC, the postmix cluster is missing roughly 9,000 BTC.

I recently found an unexplored portion of the cluster which accounts for some of the missing BTC. It is also possible that a portion of the whale’s coins left the mixer in early August and late September.

SUMMARY

  • An entity with links to PlusToken attempted to mix approximately 54,000 BTC between early August and mid-September.
  • 35,000 BTC were “self-shuffled” through a poor-quality algorithmic mixing service before being merged and sent to exchanges.
  • 19,000 BTC were similarly forced through the Wasabi mixer in Sybil behavior before being merged and sent to exchanges.
  • Most of these poorly mixed coins were sent directly to Huobi.

CONCLUSIONS

PlusToken Implications

  • The flow of funds between the entities in this study requires additional analysis for links to PlusToken and Huobi.
  • If the publicly reported addresses are controlled by PlusToken, this process is an attempted mixing of funds before selling on exchanges.
  • I was able to track this behavior due to the use of an inadequate tumbling service and poor postmix spending patterns out of the Wasabi mixer.
  • I find it hard to believe that Huobi is unaware of the inflows of thousands of BTC.
  • At the time of writing, there are still approximately 20,000 BTC in addresses and clusters associated with this analysis that have not moved since mid-September. I will be watching these coins.

Self-Shuffling

  • The self-shuffling behavior is likely algorithmic due to the high volume of BTC, number of inputs/outputs, and number of transactions involved.
  • This is an inadequate tumbling service that does not mix coins.
  • Evaluating the blockchain for similar patterns may give clues about the possible identity of the mixing service.

Wasabi Mixer Impacts

  • Additional research on the effects of whales on retail sized mixers is required, particularly an analysis of the whale’s postmix spending behavior.
  • I doubt the ability of any retail sized mixer to deter such expensive Sybil behavior, but revision of fee structures can discourage users from running multiple simultaneous mixing clients, protecting user privacy.
  • The whale’s postmix spending patterns are particularly damaging to user privacy and in rare cases result in “de-anonymization”. Active enforcement of best practices during postmix spending is necessary for preserving the privacy of all users.

POSTSCRIPT

Thanks to LaurentMT for providing data, peer review, and most importantly his time in assisting with this report.

For more from me you can find me on Twitter.

I can be contacted to provide a list of relevant transactions to any interested parties.

Update #1 (23-Oct-19): After some valuable feedback on the terminology in the original article, I have replaced the word “launder” with “mix.” The use of “laundering” in this context was intended to convey obfuscation of STOLEN funds, it is very important to keep this term separate from “coinjoin.” Thank you to those who provided feedback.


ErgoBTC

I enjoy problem solving and Bitcoin. PGP:0x03725426399F158E +floralfrog718