Identifying Exchanges Affected by Stolen Upbit ETH

Sentinel Protocol Team
Sentinel Protocol
Published in
4 min readDec 6, 2019

By: Donovan Tan, Cybersecurity Researcher

On 27 November 2019, 342,000 ETH (worth ~$52mil USD) was moved from Upbit’s hot wallet (0x5e032243d507c743b061ef021e2ec7fcc6d3ab89) to an unidentified and suspicious wallet (0xa09871aeadf4994ca12f5c0b6056bbd1d343c029). Upbit has acknowledged the transaction to be an abnormal and unauthorized one, thereby classifying it as theft.

Since the theft, our Uppsala Security team has investigated and identified exchange-owned wallets that received funds from the perpetrator. Upon successful and swift identification, the affected exchanges could then be informed, allowing for timely intervention to freeze and regain control of the stolen funds.

Initially, the identification process was a straightforward one because the hacker did not make many transactions. The hacker sent small amounts of stolen ETH to exchanges such as Binance and Huobi shortly after the hack — possibly experimenting with ways to cash out. However, that changed over the next few days. The stolen funds were then spread across many more wallets in what seemed like an attempt by the hacker to throw the investigators off.

Transaction flows generated by the CATV (10 hops from Upbit hacker’s first wallet 0xa09871) above give a glimpse into the complexity of the cryptocurrency movement related to the hacking incident.

Thankfully, with the help of our Crypto Analysis Transaction Visualisation (CATV), we were able to obtain visibility into the complex transaction flows of the stolen funds, enabling us to carry out our investigation swiftly. Despite a large number of wallets involved in the transaction flows, we were able to narrow down our investigation using color-coded nodes based on extensive threat intelligence stored in the Threat Reputation Database (TRDB). For example, exchange wallets annotated in the TRDB were color-coded as pink nodes. Blacklisted wallets, on the other hand, including those that have been involved in previous scams, were color-coded as red.

In the following screenshot, we share how we used the CATV in our investigation to uncover some of the affected exchange-owned wallets.

Investigation 1: Russian Exchange 60cek, Huobi, and Binance Wallets

With the help of CATV, we discovered that the hacker was using 60cek, a Russian exchange. As seen from the screenshot above, Upbit Hacker 8.3 (0xAD00F), who received funds from Upbit Hacker 7.3 (0xe5fe63), transferred to 5 different addresses (circled in peach). In turn, these addresses sent the funds to 60cek’s wallet (0x69ffe5). These funds were subsequently sent to two Binance user wallets (0xd8ce1 and 0xaf486). Besides those two Binance user wallets that received the stolen funds through 60cek, a third one (0x742e92) also received funds from Upbit Hacker 8.3 through 2 unidentified wallets. The funds from these 3 Binance user wallets were subsequently transferred to Binance Hot Wallet (0x3f5ce5).

Besides 60cek and Binance, funds from Upbit Hacker 8.3 also ended up at a Huobi user wallet (0xad5177) after passing through 2 unidentified wallets.

Key Wallets involved in Investigation 1

Upbit Hacker 7.3: 0xe5fe638a211cfb45c2067f353e471f44de9571c0

Upbit Hacker 8.3: 0xad00f59e4105b5cb3b849c286bc0399eeabf183a

60cek: 0x69ffe5736e8c4053a48f03cbb58e9dd304db5945

Binance Hot wallet: 0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be

Binance User wallets:

  1. 0xd8ce1addb79b03389504b4ffd7d521c5f494681b
  2. 0xaf486c8af85df8e38b48f8ae0b43550c70a018bc
  3. 0x742e92d356ae3fec4b602eebc5a78bc3fec88e4e

Huobi Hot wallet: 0x5401dbf7da53e1c9dbf484e3d69505815f2f5e6e

Huobi User wallet: 0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08

Investigation 2: More funds sent to 7 Binance User Wallets

As seen from the CATV graph above, the verified hacker’s wallet 0x82F4d (annotated as Upbit Hacker 7.5 on Etherscan) sent funds to 7 addresses, which have since been identified as user wallets of Binance. These 7 user wallets then proceeded to transfer the deposited ETH to Binance’s hot wallet (0x3f5CE). These transactions were worth 20 ETH each.

Key Wallets involved in Investigation 2

Upbit Hacker 7.5: 0x82F4d449973001c3a3a2C5Cc432ee31407A4e862

Binance Hot Wallet: 0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE

7 Binance user wallets:

  1. 0x2B9a95C4f3924465FdBcDeD0A79Cbd879830a04F
  2. 0x2ecb7cf6a9a05773ed759d42e603dcb9aafffe6f
  3. 0x2Bc3678d93E7C82Bc37Cc951B608cA5adE962e2B
  4. 0x20e3a9cf9f2d4773de24fb50b1eff25fed70acc3
  5. 0x2ec40a6A3cCA5E67C650051A41a4B51F590063CC
  6. 0x2ec6BDeCCbdec4657127b76B9FF74143CFe021D5
  7. 0x2bc812c70dcd634a07ce4fb9cd9ba4319fd9898d

As of time of publishing the article, the full list of affected exchange-owned wallets we uncovered are as follows:

Binance

0x31932e7fd5e7265180bb085ccf9867fddc106be3

0xd8ce1addb79b03389504b4ffd7d521c5f494681b

0x742E92d356Ae3FEC4B602eebC5A78bc3fEc88e4e

0x2B9a95C4f3924465FdBcDeD0A79Cbd879830a04F

0x2ecb7cf6a9a05773ed759d42e603dcb9aafffe6f

0x2Bc3678d93E7C82Bc37Cc951B608cA5adE962e2B

0x20e3a9cf9f2d4773de24fb50b1eff25fed70acc3

0x2ec40a6A3cCA5E67C650051A41a4B51F590063CC

0x2ec6BDeCCbdec4657127b76B9FF74143CFe021D5

0x2bc812c70dcd634a07ce4fb9cd9ba4319fd9898d

0xaf486c8af85df8e38b48f8ae0b43550c70a018bc

0x3468Ea24CaCB1173a858eaC4aB3be60eCbba8a34

Huobi

0xb28Bc69199A7ABF00B9Cb200356104cE1bDc4868

0x54c892fe1b7adaa4c1d35af029db4abfeaf97e0c

0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08

Switchain

0xA96b536eEf496e21F5432FD258b6F78CF3673F74

60cek

0x69FfE5736e8C4053A48F03CBb58E9dD304db5945

LATOKEN

0x199f6a3f4748023819649580f171a823b26af792

0x11c94a7a8fd1079cecedfd83943291134b7a2c82

0x622ac3f3e0e57c6ac06b3fc67c845dd309084861

0x0A2D85e7Ae482F782c9f76cAc83BDe60F035eFdA

0xCAD6050be46f2d83a38843A209eFE2Ed9aF75825

0x6945977bd770C2eC1E7F4786b075b6129Db3e493

0xa65989400e04050882d6456919d723266fe2a3a9

0xec91d81c4410cb27a8b39256cb974bca30c8b515

We created a new dashboard (www.upbit-incident.uppsalasecurity.com) to track the latest Upbit incident. To get the latest updates on our investigation, head over to the dashboard or follow us on Twitter @UPPSentinel.

Have any thoughts to share or got questions for us? Feel free to visit the Uppsala Security Forum — https://forum.sentinelprotocol.io/t/upbit-incident-50m-usd-worth-of-eth-stolen/634.

Want to test out the CATV tool? You can do so here: https://portal.sentinelprotocol.io/transaction-tracking.

--

--

Sentinel Protocol Team
Sentinel Protocol

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud