QuadrigaCX: Where did the money go? Part I
An investigation based on Money Flow Graph Analysis in Ethereum Blockchain utilizing Bloxy’s Coinpath® capabilities.
The article demonstrates the capabilities of graph analysis over the Ethereum blockchain. We tried to solve the problem of finding the end destinations of money from the set of addresses.
A particular interest was to find the destination of funds, sent from the address. Potentially we wanted to find so-called “cold wallets”, typically storing the amounts of money and randomly touched, like a treasury.
Wall Street Journal: “Bloxy also tracked Quadriga’s funds to Shapeshift.”
Pre-requisites
We used the source set of addresses from the following post from twitter: [1]. Probably it relates to the case investigation [2] of QuadrigaCX cryptocurrency exchange, claiming to lose keys from their cold wallets due to the death of their director.
A similar investigation was done on bitcoin blockchain [3], we decided to apply our existing technologies of Bloxy platform for Ethereum investigation of the same topic.
The list of addresses from the post [1] constituted from just 3 addresses:
- 0x027beefcbad782faf69fad12dee97ed894c68549
- 0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e
- 0xb6aac3b56ff818496b747ea57fcbe42a9aae6218
Source Address Statistics
The first 2 addresses were active from 2016 to the middle of 2017 and then became inactive.
The last address started activity at 06/2017 and active till now:
0x027beefcbad782faf69fad12dee97ed894c68549
0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e
0xb6aac3b56ff818496b747ea57fcbe42a9aae6218
Correlation with Other Addresses
We will try to investigate if the set of 3 addresses really covers all interested source addresses, or there are some other addresses in use?
The following table shows the number of addresses sending/receiving Ether to these addresses:
We took the list of users from these addresses and queried for other addresses they use. First, we are interested in other addresses, used by the same set of users most frequently.
Taking Senders users list for 0x027… and 0x0ee… (“inactive addresses”) as the base set, we get the following result:
This list shows the addresses, used by the same users as the original addresses. We see here the strongest correlation with the 0xb6… address, which is pretty natural ( as most users probably migrated to the new exchange address after upgrade in 2017).
A Proxy which is not Proxy
The second address in the list is related to Quadriga exchange and was used as a proxy for safe payments. Look at its statistics:
0x1e143b2588705dfea63a17f2032ca123df995ce0
The page immediately indicates that it is really somehow connected with Quadriga addresses:
Also notable is quite large balance on the smart contract:
The proxy should have zero balance, but this is definitely not zero, but 67K ETH. Let’s fetch transactions that left a balance on this address:
All these transaction senders seem like lost their funds. Example of the transaction is the following: https://bloxy.info/tx/0x93f851fe87b966afe56584b24e47f136d33d0f6a4ca6c261d66b424c96b098d2
Compare this with the regular proxy transaction, that should look like: https://bloxy.info/tx/0x2c49f6c3ddc93e0187d7e0333666c40630003a2720bc22efd87f0f932e195691
Look like address sends Ether to this contract and do not get it back: https://bloxy.info/txs/transfers_from/0x24bc2e8ab12f8082795ff6bea478245fc0532b29?currency_id=1
As the contract has no withdrawn function, there is no way to get it back in Ether. This address made similar transactions for high Ether amounts, and we do not have a good explanation for why it happened.
The result of this activity is 67K Ether balance on this smart contract, which, unfortunately, is not withdrawable now.
Money Flow Analysis
We found, that the 3 addresses that we took originally, do not have any “siblings”, that we may be interested in. Now is the time to answer the original question — where the money from these addresses actually gone?
Fortunately, at Bloxy.info we have a ready to use public API to perform such kind of analysis, named Money Flow API , namely its
/api/money_flow/distribution
/api/money_flow/distribution_transactions
Methods. The first one generates aggregated balances on the endpoint addresses, while the second generates the full list of transactions. For the analysis we used the parameter depth_limit=10, meaning we go by transactions up to the tenth level.
The results with annotations are presented below:
0x0ee4e2d09aec35bdf08083b649033ac0a41aa75e Distribution
0x027beefcbad782faf69fad12dee97ed894c68549 Distribution
0xb6aac3b56ff818496b747ea57fcbe42a9aae6218 Distribution
What does distribution mean?
It is not uncommon, that the money destination ends on exchanges. Especially taking into account that the original addresses are of exchange. So traders move funds between exchanges, and we see them here as destinations, as the trace lost there.
Among destination exchanges notable Kraken, Binance, Shapeshift, and of course, Quadriga itself.
Some addresses, that we failed to identify is marked with a question mark.
Where is the cold wallet?
The only address from the destinations, that can be considered as the cold wallet is:
0xd9518342a44e7dfdcd363f28f1ad19e568e2eb85
Statistics look like it gets transfers, but never spent them:
Current balance is 6.5K Ethers.
It is closely related to the Quadriga wallet, and the graph shows the flow of money between them:
Conclusion
We identified main destinations of the money using the standard publically available Bloxy.info Money flow API. Manual investigation of this problem and finding the destination wallet would take much manual work and time. In this example, it took approximately 1 minute for one address for API call.
References
[1] https://twitter.com/tayvano_/status/1092596193018834944
[2] https://www.coindesk.com/quadriga-creditor-protection-filing
[3] https://blog.zerononcense.com/2019/02/04/quadrigacx-chain-analysis-report-pt-1-bitcoin-wallets/
[4] Money Flow API https://bloxy.info/api_methods#money_flow
This article was composed of the data and by analytical tools from Bloxy.info analytical engine BLADE. Bloxy.info web site provides a set of tools for analytics, traders, companies and crypto enthusiasts.
The tools include BLADE, a set of APIs, coinpath®, dashboards, and search engine. All information is available on the Bloxy website, providing accurate data, indexed directly from the blockchain live node.
Bloxy’s mission is to make blockchain more transparent and accessible to people and businesses. Please, make a reference to the source of data when referencing this article.
