Crystal Blockchain Analytics: Investigation of the Bithumb Exchange Hack
October 31, 2018
In this report, Bitfury shares analysis completed by its Crystal Blockchain Analytics engineering team on the movement of bitcoin from the Bithumb exchange after its hack in June 2018. The attack resulted in the loss of $31 million, with 2,016 BTC lost. The Crystal team analyzed data published by Bithumb with the goal of uncovering the bitcoin wallet address of the hacker and the real-world entities that received the funds. Below, our team tracks the movement of funds from June 15 to August 31, 2018 and provides conclusions based on this data.
- 38 related addresses were found that received 2002.5 BTC in total.
- 1973.5 BTC were later sent to the Yobit exchange.
- 29 BTC were sent to CoinGaming.io.
On Wednesday, June 20, Bithumb officials stated that about $31M was stolen by unknown hackers from the Korean crypto exchange Bithumb. Four days before the hack, the exchange announced that it was transferring all assets to a cold wallet for security reasons.
The withdrawal of funds by users was temporarily suspended starting June 15, 2018 at 6:20 PM UTC. We decided to trace the movement of funds in the period of the four days prior to the hack.
We started by examining the more than 1 million addresses that belong to Bithumb and compiled a list of all the addresses that received funds during those four days. Only transactions committed from June 15 to June 20 were reviewed.
Until June 19, the movement of funds had two main patterns:
1. Most of the moved funds were accumulated in this address: 1LhWMukxP6QGhW6TMEZRcqEUW2bFMA4Rwx (referred to hereafter as address “1LhW”).
2. From the 1LhW address, large-volume transactions were sent to the address 18x5Wo3FLQN4t1DLZgV2MoAMWXmCYL9b7M (referred to hereafter as address “18x5”).
The 18x5 address is the exchange’s cold wallet. This is evidenced by its transaction history (rare transactions of large volumes from/to the Bithumb exchange addresses).
The pattern of fund movement changed on June 19, 2018 at 03:07 PM UTC. At this time, two transactions were initiated from the Bithumb wallets to the addresses 34muFC1sWsvJ5dzWCotNH4rpKSNfkSCYvD and 3DjdVF83hhXKXV8nUFWCF5chrdSAkgE6Ny with abnormally high commissions of 0.1 BTC. After this moment, there was a period of half an hour in which about 1,050 BTC were withdrawn and deposited in addresses that had not previously appeared in the blockchain. The withdrawal of funds to these addresses (38 addresses) lasted more than a day.
After that, the exchange stopped using the buffer address 1LhW. Also, after June 19, 2018 at 05:01 PM UTC, the fee amounts for incoming transactions to the address 18x5 changed dramatically — first to 0.1 BTC, and then to 0.2 BTC.
Soon after this change, a message appeared on the exchange’s official Twitter account, warning users to avoid depositing funds.
High transaction fees for the withdrawal of funds from the exchange addresses continued the entire day, sometimes reaching as high as 2 BTC, higher than the output volume.
Such behavior provoked a global increase in transaction fees and bitcoin network congestion on June 19–20.
All the funds withdrawn from the Bithumb wallets in the period from June 16 to June 20 were received by 39 wallets (we excluded several dozen change addresses with small amounts from the calculation).
One of these 39 addresses is the cold wallet of the exchange (18x5), which received most of the funds. The remaining 38 addresses have unidentified owners. These addresses received 2002.52 BTC within the day on June 19–20 (with transaction fees totaling 48.126 BTC).
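The two signals the analysis above relies on, withdrawals paying an abnormally high fee and withdrawals to addresses that had never appeared before, can be monitored automatically by a custodian over its own address set. The following is an added example, not Crystal’s or Bithumb’s tooling; the hot-wallet labels, the sample transactions and the 0.1 BTC threshold are constructed for illustration.

```python
# Added example: flag exchange withdrawals that pay an abnormally high fee or
# go to never-before-seen, non-exchange addresses, and total the BTC sent to
# those new addresses (the quantity the report compares with Bithumb's loss).
from collections import defaultdict

# Addresses the exchange controls: the two named in the report plus constructed hot wallets.
EXCHANGE_ADDRS = {
    "1LhWMukxP6QGhW6TMEZRcqEUW2bFMA4Rwx",  # buffer address "1LhW"
    "18x5Wo3FLQN4t1DLZgV2MoAMWXmCYL9b7M",  # cold wallet "18x5"
    "hot-wallet-A", "hot-wallet-B",        # constructed labels
}
FEE_THRESHOLD_BTC = 0.1  # assumed threshold, taken from the fee level the report calls abnormal

# Constructed transactions: (txid, input addresses, [(output address, value_btc)], fee_btc)
SAMPLE_TXS = [
    ("tx1", ["hot-wallet-A"], [("1LhWMukxP6QGhW6TMEZRcqEUW2bFMA4Rwx", 50.0), ("hot-wallet-A", 0.4)], 0.0005),
    ("tx2", ["1LhWMukxP6QGhW6TMEZRcqEUW2bFMA4Rwx"], [("18x5Wo3FLQN4t1DLZgV2MoAMWXmCYL9b7M", 49.9)], 0.001),
    ("tx3", ["hot-wallet-B"], [("3NEW-addr-1", 30.0), ("hot-wallet-B", 0.2)], 0.1),  # high fee, new address
    ("tx4", ["hot-wallet-B"], [("3NEW-addr-2", 20.0)], 0.1),                         # high fee, new address
    ("tx5", ["hot-wallet-A"], [("1NEW-addr-3", 5.0)], 0.0005),                        # new address, normal fee
    ("tx6", ["outsider-addr"], [("hot-wallet-A", 3.0)], 0.0002),                      # deposit, not a withdrawal
]

def analyze(txs, exchange_addrs, fee_threshold):
    """Return (flagged, btc_to_new): flagged maps txid -> list of reasons;
    btc_to_new maps each address first seen in this window -> BTC it received."""
    seen = set(exchange_addrs)   # addresses already known from history
    new_addrs = set()            # destinations that first appeared in this window
    flagged = defaultdict(list)
    btc_to_new = defaultdict(float)
    for txid, inputs, outputs, fee in txs:
        if not any(a in exchange_addrs for a in inputs):
            continue  # deposits from outside are not withdrawals; ignore
        if fee >= fee_threshold:
            flagged[txid].append(f"high fee {fee} BTC")
        for addr, value in outputs:
            if addr in exchange_addrs:
                continue  # buffer -> cold wallet and change outputs are the normal pattern
            if addr not in seen:
                seen.add(addr)
                new_addrs.add(addr)
                flagged[txid].append(f"first-seen address {addr}")
            if addr in new_addrs:
                btc_to_new[addr] += value
    return dict(flagged), dict(btc_to_new)

def total_to_new_addresses(txs, exchange_addrs, fee_threshold):
    """Total BTC sent from the exchange to addresses first seen in the window."""
    _, btc_to_new = analyze(txs, exchange_addrs, fee_threshold)
    return sum(btc_to_new.values())
```

In a real deployment the known-address set would be the custodian’s full wallet database and `seen` would be seeded from the chain history, so the output is the list of transactions an operator should review and the running total at risk.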
Based on the information given above, it is our professional opinion that there are two possible options:
1) The set of 38 addresses to which funds were withdrawn belongs to the hackers.
Criminals, having access to the system or the database with private keys, began to make transfers to their own addresses starting on June 19, 2018 at 03:07 PM UTC. High fees (0.1 BTC) are logical in this case if the goal is to withdraw as much as possible as quickly as possible. After a while, the exchange noticed the theft and started raising the transaction fees on its transfers to the cold wallet (sometimes much higher than the fees the hackers’ transactions carried). By the end of the day on June 20, the exchange had managed to resolve the security problems.
The loss in bitcoins was, as stated by Bithumb, 2,016 BTC. This number is very close to the amount we calculated (obtained by a group of unknown addresses), 2,002.52 BTC, which also indicates that this option is likely.
2) All the addresses we considered belong to the exchange.
Another possible option is that the theft occurred from wallets that are not in our database. Given that Bithumb is cooperating with law enforcement agencies in the investigation of this case, as well as the fact that it recently passed a licensing procedure, the possibility that the exchange provided false information is unlikely.
Tracking the Funds
We continued to monitor these addresses, and the withdrawal of funds started on August 2. First, there was a large transaction of 1000 BTC. We traced this transaction and found that the money was sent to two addresses belonging to the Yobit exchange in transactions of approximately 30 BTC each. The visualization of the money flow can be seen in the figure below.
The address 1JwpFNKhBMHytJZtJCe7NhZ8CCZNs69NJ1 on top of the graph, which belongs to Yobit, received 603 BTC. Another Yobit address, 13jHABthiyHHtviHe9ZxjtK8KcEANzhjBT, received 396 BTC via the same chain of transactions.
The remaining funds were sent directly to Yobit addresses. Below is the list of these addresses and the amounts received:
- 1DBRZgDZYnmLWLUpLMgBo1P12v9TnCL8qr — 100 BTC
- 13rgFLyKYQduTwhJkkD83WDLVNMXs4fwPp — 100 BTC
- 1A6wuQGYPbEEb9cy76tdSQHmm5fi5wvzHK — 344 BTC
- 1JquU8Hp6nAhom5c3UDBa9QM5iv1W2Wf2b — 433 BTC
After the withdrawal to Yobit, 29 BTC were left in 3 addresses, possibly belonging to the hacker. They started moving on August 31. The funds were divided into parts of approximately two BTC each and sent to CoinGaming.io. The visualization of the money flow can be seen in the figure below:
As a result, CoinGaming.io received 29 BTC of the stolen funds. In the appendix, you can see the list of the hacker’s addresses that sent funds to CoinGaming.io and the list of addresses that sent funds to Yobit.
Considering the movement patterns of the funds, we assume that the 38 addresses we identified belong to the hacker. A majority of the stolen funds were sent to the Yobit exchange.