Tracing the WannaCry 2.0 Monero Transactions


Leaked slides belonging to Chainalysis recently surfaced. They include the claim that Monero transactions related to the WannaCry 2.0 ransomware were traced as the funds were converted back to the transparent BTC and BCH blockchains. Here, I demonstrate how the WannaCry 2.0 funds were traceable using publicly available information.

CoinDesk has reported more widely on the content of the slides and the new pieces of information contained therein. Here, I focus on one specific Monero-related claim. According to a translation of these slides that was posted on Twitter, Chainalysis is touting its ability to trace Monero transactions, citing the WannaCry 2.0 ransomware attack. The translation reads “Wannacry 2.0: funds tracked from BTC to XMR and back to BTC and BCH after 3 months.” Below, I show how the BTC to XMR to BCH transactions can be tracked using publicly available block explorers and an API.

Figure captions (the images themselves are not reproduced here):

Translated text from the leaked slides mentions tracing WannaCry 2.0 funds from BTC to XMR and back to Bitcoin Cash (BCH).

Screenshot of part of the wannashift.json file provided on GitHub, which shows the amount of XMR sent from ShapeShift as well as the outgoing transaction ID.

One of the transactions sent from ShapeShift to the Lazarus group after converting stolen BTC to XMR. At this point, we know that the XMR sent to the outputs in the magenta square is controlled by either ShapeShift (change TXOs) or Lazarus.

Outgoing XMR transactions from ShapeShift. At this point, we believe that at least 1 TXO from each transaction in the ‘Outputs’ column went to Lazarus and 1 TXO went to ShapeShift as a change TXO. In most cases, there is a 3rd TXO which could have gone to either Lazarus or ShapeShift (we later learn that it always went to Lazarus).

Screenshot of a transaction which is spending a total of 7 inputs. The first two inputs and their rings are shown. Each input has a separate “ring” consisting of 1 TXO being spent and 4 decoys. One of the ring members is necessarily the real TXO being spent. Ostensibly, each ring member has a similar probability of being the real TXO being used as an input.

Transactions in bold spent 2 or more TXOs flagged from the Lazarus BTC → ShapeShift → XMR transactions. The bolded TXID beginning with ‘9e0476’ is an example of a false positive (see endnotes).

3 transactions which spent multiple flagged outputs known to be associated with Lazarus’ ShapeShift transactions, as well as the outputs (TXOs) of these transactions.

Example of a ShapeShift API query for one of Lazarus’ XMR deposits, showing that 60 XMR was deposited and 8.5513396 BCH was withdrawn to 13tz3oD75Y4jcGds6rPJawnxHjXduTmpap. The ‘address’ field (yellow) is actually a payment ID and not the deposit address.

A transaction on the Monero blockchain in which Lazarus sent 60 XMR to ShapeShift in exchange for BCH. The real input (an output of one of the consolidation transactions) is highlighted in red. The payment ID is highlighted in yellow. Clicking the hash of a ring member takes the user to the transaction that created that TXO.

Table showing all of Lazarus’ XMR → ShapeShift → BCH transactions.

A transaction graph showing Lazarus’ Monero transactions. Large dots are transactions. Small dots represent the TXOs of the transactions they are connected to. TXOs are also connected to the transactions which spent them as inputs. [Top] Blue transactions show all of the XMR outputs received by Lazarus from ShapeShift. Most TXOs went to Lazarus, but each transaction had at least 1 TXO that is presumed to be a change TXO. The three consolidation transactions (pink) spent 14 TXOs known to come from ShapeShift and generated 20 TXOs. Many of those TXOs were spent by 3 peeling chains (purple, red, yellow) consisting of 2–4 transactions, all of which sent 60 XMR to ShapeShift in exchange for BCH, except for two which sent 58 XMR.
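The flagging procedure the captions describe, as an added illustration (example code written for this page, not the author's tooling): starting from XMR TXOs known to have been paid out by ShapeShift, find transactions whose input rings reference flagged TXOs in two or more rings, then treat those transactions' outputs as flagged and repeat to follow the consolidation and peeling-chain hops. All transaction and TXO identifiers are constructed; the two-ring threshold reduces but does not eliminate decoy-induced false positives, as the ‘9e0476’ case above shows.

```python
# Added example (not from the original article): the "poisoned output" heuristic
# used to follow the ShapeShift -> Lazarus XMR. All IDs below are constructed.
from typing import Dict, List, Set, Tuple

# A transaction is (input rings, created TXOs). Each ring spends exactly one of
# its members; the other members are decoys.
Tx = Tuple[List[List[str]], List[str]]

SAMPLE_TXS: Dict[str, Tx] = {
    # consolidation: two different rings each hold a flagged ShapeShift payout
    "cons1": ([["ss_out1", "d1", "d2", "d3", "d4"],
               ["d5", "ss_out2", "d6", "d7", "d8"]],
              ["c1_out1", "c1_out2"]),
    # decoy hit: a single ring that merely includes a flagged TXO as a decoy
    "fp9e04": ([["ss_out1", "d9", "d10", "d11", "d12"]], ["fp_out"]),
    # peeling-chain hop that spends two consolidation outputs
    "peel1": ([["c1_out1", "d13", "d14", "d15", "d16"],
               ["d17", "d18", "c1_out2", "d19", "d20"]], ["p1_out"]),
}


def flagged_ring_count(tx: Tx, flagged: Set[str]) -> int:
    """Number of input rings containing at least one flagged TXO.

    A ring spends only one TXO, so two flagged members inside the same ring
    still count once; several rings each holding a flagged member is the signal."""
    rings, _ = tx
    return sum(1 for ring in rings if flagged.intersection(ring))


def find_suspects(txs: Dict[str, Tx], flagged: Set[str],
                  min_rings: int = 2) -> Dict[str, int]:
    """Transactions whose rings hit the flagged set in at least `min_rings` rings."""
    counts = {txid: flagged_ring_count(tx, flagged) for txid, tx in txs.items()}
    return {txid: n for txid, n in counts.items() if n >= min_rings}


def trace(txs: Dict[str, Tx], seed: Set[str], min_rings: int = 2) -> List[str]:
    """Flag suspects, add their outputs to the flagged set, and iterate until
    no new transaction qualifies (consolidations first, then peeling chains)."""
    flagged, found = set(seed), []
    while True:
        new = [t for t in find_suspects(txs, flagged, min_rings) if t not in found]
        if not new:
            return found
        for txid in new:
            found.append(txid)
            flagged.update(txs[txid][1])
```

Lowering `min_rings` to 1 pulls in the single-ring decoy hit, which is why the author treated two or more flagged inputs as the threshold for bolding a transaction.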
  1. Möser, M., et al. An Empirical Analysis of Traceability in the Monero Blockchain. PoPETs. (2017). https://arxiv.org/pdf/1704.04299/
  2. Ehrenhofer, J. Response to “An Empirical Analysis of Traceability in the Monero Blockchain”, Version 2. Monero Research Lab. (2018). https://www.getmonero.org/2018/03/29/response-to-an-empirical-analysis-of-traceability.html
  3. Ehrenhofer, J., Noether, S. 09: Poisoned Outputs (EAE Attack). Breaking Monero. (2019). https://www.monerooutreach.org/breaking-monero/poisoned-outputs.html
  4. Berr, J. “WannaCry” ransomware attack losses could reach $4 billion. CBS MoneyWatch. (2017). https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/
  5. Greenberg, A. The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet. Wired. (2020). https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/
  6. Neutrino Research Team. WannaShift to Monero. (2017). https://www.neutrino.nu/Research_WannaShift_to_Monero.html
  7. Chainalysis. Advanced Obfuscation Techniques: Mixing, CoinJoins, Chain Hopping, and Privacy Coins. (2020). https://go.chainalysis.com/advanced-obfuscation-techniques-webinar-recording.html
  8. U.S. Department of Justice. Press-release attachment (PDF), page 114. https://www.justice.gov/opa/press-release/file/1092091/download
  9. Hinteregger, A., Haslhofer, B. An Empirical Analysis of Monero Cross-Chain Traceability. Financial Cryptography and Data Security. (2019). https://arxiv.org/pdf/1812.02808.pdf
  10. Krawiec-Thayer, M.P., et al. Fingerprinting a flood: forensic statistical analysis of the mid-2021 Monero transaction volume anomaly. Medium. (2021). https://mitchellpkt.medium.com/fingerprinting-a-flood-forensic-statistical-analysis-of-the-mid-2021-monero-transaction-volume-a19cbf41ce60
  11. U.S. Department of Justice. Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. (2021). https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and

Nick Bax

Princeton ’12 (Chemistry), Stanford ’21 (Structural Biology PhD), currently analyzing blockchains