Analyzing Tornado Cash Transactions
We recently published On-chain Tracking: Peel Chain, a series on detecting crypto laundering techniques. Due to overwhelming demand, we are following up with an article on how to identify stolen funds that pass through Tornado.Cash.
What is Tornado Cash
Tornado.Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between the sender's and the recipient's addresses. It does this with smart contracts that accept ETH (and other tokens) from one address and allow the funds to be withdrawn to a different address. Each contract is a fixed-denomination pool (for example 0.1, 1, 10 and 100 ETH on Ethereum), which is why deposits and withdrawals always appear as round amounts, and every deposit into a pool looks the same on-chain. At deposit time the depositor generates a secret note and the contract records only a commitment (a hash) of it. To withdraw, the note holder submits a zero-knowledge proof that they know a note matching one of the recorded commitments, without revealing which one, along with a nullifier hash that prevents the same note from being withdrawn twice. The withdrawal can go to any address at a time of the depositor's choosing, so amount, timing and subsequent behaviour, not any on-chain field, are the handles an investigator has to work with.
Tornado.Cash has gained popularity with the rise in crypto incidents and is often the go-to place for hackers to park their stolen funds. In our previous articles, we discussed how we identified stolen funds based on transaction behavior. Today we will look at another incident and show how we identified stolen funds from transaction behavior.
Let's start by analyzing a previous incident; due to client confidentiality, we cannot disclose which project it was. The hacker extracted funds from the Ethereum, Binance Smart Chain, and Polygon networks before finally depositing them into Tornado.Cash.
Hacker's address: (abbreviated here to protect the victim's identity)
Using the SlowMist AML system, MistTrack, we created a general outline of where the stolen funds went.
From the chart above, we can see that most of the funds were bridged or deposited into mixers. This is a key clue for identifying the hacker's pattern.
Following that, we conducted an in-depth analysis of the funds and transaction behaviors. According to MistTrack, around 2,450 ETH was first deposited into Tornado.Cash in 5 separate transactions of 10 ETH and 24 separate transactions of 100 ETH (the 10 ETH and 100 ETH pools). Another 198 ETH was sent directly to FixedFloat to be swapped into other cryptocurrencies.
We began by looking at the withdrawals that occurred right after the deposits, concentrating on all 100 ETH withdrawals. Since there were still a large number of them, we narrowed the search further to a specific time frame.
We decided to focus on the first ten 100 ETH withdrawals after the deposits and the transactions that followed them. With the help of MistTrack, it wasn't long until we found a withdrawal with some red flags.
According to MistTrack, the funds withdrawn from Tornado.Cash were split into three separate transactions and transferred to FixedFloat.
With only one sample, we couldn't verify that this behavior belonged to the hacker, so we searched for other withdrawals within the same time frame. We quickly discovered three other withdrawal addresses that followed the same pattern: each received a 100 ETH withdrawal from Tornado.Cash, and the funds were eventually all transferred to FixedFloat.
It wasn't long until we discovered the remaining withdrawal addresses the hacker used.
The same hacker also stole over 365,247 MATIC and deposited it into Tornado.Cash in 7 separate transactions: two deposits of 10,000 MATIC and five deposits of 100,000 MATIC.
The remaining 25,246 MATIC was transferred to this address (0x75a…5c1). When we tracked this address, its funds were also deposited into FixedFloat. Now that we know this is the hacker's preferred method, we can look for the same pattern among withdrawals from Tornado.Cash.
We started by tracking the first 100,000 MATIC withdrawals following the transfers into Tornado.Cash. Since there weren't many withdrawals that met the requirements, they were relatively easy to track with MistTrack. We soon discovered one address that not only deposited funds into FixedFloat but also received funds from it.
It was only a matter of time before we found the rest of the funds. Exactly 24 addresses followed the same pattern within the time frame.
From the analysis so far, the hacker clearly has a strong preference for FixedFloat, and that preference is also the handle by which they can be identified.
Binance Smart Chain
Using what we learned above, we applied the same approach to the Binance Smart Chain. There are two addresses involved; let's look at the first one (0x489..1F4).
The hacker transferred 1,700 BNB to Tornado.Cash in 17 separate transactions of 100 BNB.
We initially searched for transfers into FixedFloat, but quickly realized that the hacker was no longer using that platform. We restarted the search using the same approach as before, without fixing the destination service in advance.
During the investigation, address (0x152..fB2) caught our attention because all of the funds it received were sent on to SimpleSwap. It wasn't long until we discovered the remaining funds.
Although the hacker changed platforms, the pattern stayed the same: all funds were sent to SimpleSwap, either directly or split across multiple transactions.
Another hacker address (0x24f…bB1) sent 50 BNB to Tornado.Cash in five separate transactions of 10 BNB.
Although this address used yet another platform, the method was similar to the ones described above.
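The procedure applied in each of the ETH, MATIC and BNB cases above is the same: take the suspect's deposits into a fixed-denomination pool, enumerate withdrawals of that denomination in a time window after them, and follow each withdrawal recipient's outgoing transfers to see whether they end at a known instant exchange service, possibly split across several transactions. The Python below is an added example of that heuristic; it is not MistTrack's or SlowMist's code. The transfer records are constructed, and the pool and service addresses (`pool_100eth`, `fixedfloat_hot`, `simpleswap_hot`), the hacker label and the window size are hypothetical placeholders. On real data the transfers would come from a node or indexer and the service labels from an attribution database.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical pool contract addresses mapped to their denomination.
# Real Tornado.Cash pools are one contract per fixed amount.
TORNADO_POOLS = {"pool_100eth": 100.0, "pool_10eth": 10.0}

# Hypothetical hot-wallet addresses of instant exchange services
# (labels an attribution database would normally supply).
SWAP_SERVICES = {"fixedfloat_hot": "FixedFloat", "simpleswap_hot": "SimpleSwap"}


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix timestamp of the transfer
    src: str       # sending address
    dst: str       # receiving address
    amount: float  # amount in the chain's native unit


def deposit_window(transfers, depositor, pool, horizon):
    """Window to search for withdrawals: from the suspect's first deposit
    into `pool` until `horizon` seconds after their last one."""
    ts = [t.ts for t in transfers if t.src == depositor and t.dst == pool]
    return min(ts), max(ts) + horizon


def pool_withdrawals(transfers, pool, start_ts, end_ts, fee_tolerance=0.05):
    """Transfers out of `pool` of roughly its denomination inside the window.
    Withdrawals made through a relayer arrive as denomination minus the relayer
    fee, hence the tolerance; the fee itself is a small separate transfer to the
    relayer, which the filter ignores."""
    denom = TORNADO_POOLS[pool]
    return [t for t in transfers
            if t.src == pool and start_ts <= t.ts <= end_ts
            and abs(t.amount - denom) <= denom * fee_tolerance]


def follow_funds(transfers, start, services, max_hops=3):
    """Breadth-first walk of outgoing transfers from `start`.

    Returns (service_label, hops, n_transfers) for the first known service
    reached within `max_hops`, or None. `n_transfers` is how many separate
    transfers the final hop into the service used, i.e. the "split into
    several transactions" behaviour described in the case."""
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[t.src].append(t)
    frontier, seen = [(start, 0)], {start}
    while frontier:
        next_frontier = []
        for addr, hops in frontier:
            into_service = defaultdict(int)
            for t in outgoing[addr]:
                if t.dst in services:
                    into_service[t.dst] += 1
                elif t.dst not in seen and hops + 1 < max_hops:
                    seen.add(t.dst)
                    next_frontier.append((t.dst, hops + 1))
            if into_service:
                dst, n = max(into_service.items(), key=lambda kv: kv[1])
                return services[dst], hops + 1, n
        frontier = next_frontier
    return None


def received_from(transfers, addr, services):
    """Services that sent funds *to* `addr`; an address that both pays into
    and receives from the same service is a stronger signal."""
    return {services[t.src] for t in transfers
            if t.dst == addr and t.src in services}


def flag_withdrawals(transfers, pool, window, services, max_hops=3):
    """Map each suspicious withdrawal recipient to (service, hops, n_transfers)."""
    start_ts, end_ts = window
    hits = {}
    for w in pool_withdrawals(transfers, pool, start_ts, end_ts):
        path = follow_funds(transfers, w.dst, services, max_hops)
        if path is not None:
            hits[w.dst] = path
    return hits


# Constructed sample ledger (not real chain data); "hacker" is the suspect.
SAMPLE = [
    Transfer(1000, "hacker", "pool_100eth", 100.0),
    Transfer(1100, "hacker", "pool_100eth", 100.0),
    # withdrawal A: recipient splits the funds into three transfers to FixedFloat
    Transfer(5000, "pool_100eth", "wA", 99.9),       # relayer fee deducted
    Transfer(5000, "pool_100eth", "relayer", 0.1),   # the fee itself
    Transfer(5100, "wA", "fixedfloat_hot", 40.0),
    Transfer(5110, "wA", "fixedfloat_hot", 30.0),
    Transfer(5120, "wA", "fixedfloat_hot", 29.8),
    Transfer(5500, "fixedfloat_hot", "wA", 0.5),     # and receives from it too
    # withdrawal B: one intermediate hop, then FixedFloat
    Transfer(5200, "pool_100eth", "wB", 100.0),
    Transfer(5300, "wB", "wB2", 99.9),
    Transfer(5400, "wB2", "fixedfloat_hot", 99.8),
    # withdrawal C: an unrelated user cashing out to an exchange deposit address
    Transfer(5250, "pool_100eth", "wC", 100.0),
    Transfer(5350, "wC", "cex_deposit", 99.9),
    # withdrawal D: same pattern as A but long after the window
    Transfer(900000, "pool_100eth", "wD", 100.0),
    Transfer(900100, "wD", "fixedfloat_hot", 99.9),
]


if __name__ == "__main__":
    window = deposit_window(SAMPLE, "hacker", "pool_100eth", horizon=100_000)
    hits = flag_withdrawals(SAMPLE, "pool_100eth", window, SWAP_SERVICES)
    for recipient, (service, hops, n) in hits.items():
        back = received_from(SAMPLE, recipient, SWAP_SERVICES)
        print(f"{recipient}: -> {service} in {hops} hop(s) via {n} transfer(s); "
              f"received from: {sorted(back) or 'none'}")
```

On the sample, wA and wB are flagged (wA in one hop split over three transfers, wB through an intermediate address), wC is not because its funds end at an unlabeled address, and wD is excluded by the time window. Against a real chain, the pool's `Deposit` and `Withdrawal` events give the deposit timestamps and the withdrawal recipients directly, and the service set should be the whole attribution database rather than two hard-coded addresses, since the BSC case shows the hacker switching services.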
We examined a real case and explained how hackers used Tornado.Cash to hide stolen funds across several blockchains. They first deposit the funds into Tornado.Cash, then move the withdrawals, directly or through intermediate addresses, to an instant exchange service such as FixedFloat, SimpleSwap, or Sideshift.ai. Obviously, this isn't the only way Tornado.Cash is used to hide stolen funds. Follow us to learn to recognize other behaviors in the future.
Although it's not impossible to do this on your own, it's much easier with the right tools. That is why we created MistTrack: it contains over 200 million addresses associated with exchanges around the world and can identify exchange addresses, hot wallets, and cold wallets. The MistTrack anti-money-laundering system can also analyze the behavioral patterns of any wallet, which is crucial for establishing a pattern that connects to other, as yet unidentified, wallets.