Identifying Exchanges Affected by Stolen Upbit ETH
By: Donovan Tan, Cybersecurity Researcher
On 27 November 2019, 342,000 ETH (worth roughly US$52 million) was moved from Upbit’s hot wallet (0x5e032243d507c743b061ef021e2ec7fcc6d3ab89) to an unidentified and suspicious wallet (0xa09871aeadf4994ca12f5c0b6056bbd1d343c029). Upbit has acknowledged the transaction as abnormal and unauthorized, thereby classifying it as theft.
Since the theft, our Uppsala Security team has investigated and identified exchange-owned wallets that received funds from the perpetrator. Upon successful and swift identification, the affected exchanges could then be informed, allowing for timely intervention to freeze and regain control of the stolen funds.
Initially, the identification process was a straightforward one because the hacker did not make many transactions. The hacker sent small amounts of stolen ETH to exchanges such as Binance and Huobi shortly after the hack — possibly experimenting with ways to cash out. However, that changed over the next few days. The stolen funds were then spread across many more wallets in what seemed like an attempt by the hacker to throw the investigators off.
Thankfully, with the help of our Crypto Analysis Transaction Visualisation (CATV), we were able to obtain visibility into the complex transaction flows of the stolen funds, enabling us to carry out our investigation swiftly. Despite a large number of wallets involved in the transaction flows, we were able to narrow down our investigation using color-coded nodes based on extensive threat intelligence stored in the Threat Reputation Database (TRDB). For example, exchange wallets annotated in the TRDB were color-coded as pink nodes. Blacklisted wallets, on the other hand, including those that have been involved in previous scams, were color-coded as red.
In the following screenshots, we show how we used CATV in our investigation to uncover some of the affected exchange-owned wallets.
Investigation 1: Russian Exchange 60cek, Huobi, and Binance Wallets
With the help of CATV, we discovered that the hacker was using 60cek, a Russian exchange. As seen in the screenshot above, Upbit Hacker 8.3 (0xAD00F), who received funds from Upbit Hacker 7.3 (0xe5fe63), transferred funds to 5 different addresses (circled in peach). In turn, these addresses sent the funds to 60cek’s wallet (0x69ffe5). These funds were subsequently sent to two Binance user wallets (0xd8ce1 and 0xaf486). Besides those two Binance user wallets that received the stolen funds through 60cek, a third one (0x742e92) also received funds from Upbit Hacker 8.3 through 2 unidentified wallets. The funds from these 3 Binance user wallets were subsequently transferred to the Binance hot wallet (0x3f5ce5).
Besides 60cek and Binance, funds from Upbit Hacker 8.3 also ended up at a Huobi user wallet (0xad5177) after passing through 2 unidentified wallets.
Key Wallets involved in Investigation 1
Upbit Hacker 7.3: 0xe5fe638a211cfb45c2067f353e471f44de9571c0
Upbit Hacker 8.3: 0xad00f59e4105b5cb3b849c286bc0399eeabf183a
60cek: 0x69ffe5736e8c4053a48f03cbb58e9dd304db5945
Binance Hot wallet: 0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be
Binance User wallets:
- 0xd8ce1addb79b03389504b4ffd7d521c5f494681b
- 0xaf486c8af85df8e38b48f8ae0b43550c70a018bc
- 0x742e92d356ae3fec4b602eebc5a78bc3fec88e4e
Huobi Hot wallet: 0x5401dbf7da53e1c9dbf484e3d69505815f2f5e6e
Huobi User wallet: 0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08
Investigation 2: More funds sent to 7 Binance User Wallets
As seen from the CATV graph above, the verified hacker’s wallet 0x82F4d (annotated as Upbit Hacker 7.5 on Etherscan) sent funds to 7 addresses, which have since been identified as user wallets of Binance. These 7 user wallets then proceeded to transfer the deposited ETH to Binance’s hot wallet (0x3f5CE). These transactions were worth 20 ETH each.
Key Wallets involved in Investigation 2
Upbit Hacker 7.5: 0x82F4d449973001c3a3a2C5Cc432ee31407A4e862
Binance Hot Wallet: 0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE
7 Binance user wallets:
- 0x2B9a95C4f3924465FdBcDeD0A79Cbd879830a04F
- 0x2ecb7cf6a9a05773ed759d42e603dcb9aafffe6f
- 0x2Bc3678d93E7C82Bc37Cc951B608cA5adE962e2B
- 0x20e3a9cf9f2d4773de24fb50b1eff25fed70acc3
- 0x2ec40a6A3cCA5E67C650051A41a4B51F590063CC
- 0x2ec6BDeCCbdec4657127b76B9FF74143CFe021D5
- 0x2bc812c70dcd634a07ce4fb9cd9ba4319fd9898d
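Both investigations above follow the same procedure: start from a wallet already flagged as the hacker's, walk outgoing transfers hop by hop, and stop to report whenever the walk lands on a wallet the reputation database annotates as exchange-owned. The script below is an added example of that procedure and is not Uppsala Security's CATV code. It uses the wallet addresses listed in this article, but the transfer log it walks is constructed: the 20 ETH deposits of Investigation 2 are as described, while every other amount, the `placeholder()` relay addresses standing in for the unidentified wallets, and the final "customer withdrawal" out of the Binance hot wallet are invented for the demonstration. Two practical details are built in: addresses are lowercased before lookup, because the same wallet appears in checksum case in one list and lowercase in another, and the walk does not continue past a custodial hot wallet, since transfers leaving it belong to the exchange's other customers rather than to the thief's trail.

```python
# Added example, not CATV code. TRANSFERS approximates Investigations 1 and 2;
# all amounts except the 20 ETH deposits, and all placeholder() relays, are invented.
import re
from collections import defaultdict, deque

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def norm(addr):
    """Validate an Ethereum address and lowercase it, so checksum-cased and
    lowercase spellings of the same wallet (as in the article's lists) match."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"malformed address: {addr!r}")
    return addr.lower()


def placeholder(i):
    """Constructed stand-in for an unidentified relay wallet (not a real one)."""
    return "0x" + "00" * 19 + f"{i:02x}"


# Addresses named in the article (case as printed there).
H73 = "0xe5fe638a211cfb45c2067f353e471f44de9571c0"   # Upbit Hacker 7.3
H83 = "0xad00f59e4105b5cb3b849c286bc0399eeabf183a"   # Upbit Hacker 8.3
H75 = "0x82F4d449973001c3a3a2C5Cc432ee31407A4e862"   # Upbit Hacker 7.5
CEK = "0x69ffe5736e8c4053a48f03cbb58e9dd304db5945"   # 60cek
BIN_HOT = "0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE"
HUO_HOT = "0x5401dbf7da53e1c9dbf484e3d69505815f2f5e6e"
HUO_USER = "0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08"
BIN_USERS_1 = ["0xd8ce1addb79b03389504b4ffd7d521c5f494681b",
               "0xaf486c8af85df8e38b48f8ae0b43550c70a018bc",
               "0x742E92d356Ae3FEC4B602eebC5A78bc3fEc88e4e"]
BIN_USERS_2 = ["0x2B9a95C4f3924465FdBcDeD0A79Cbd879830a04F",
               "0x2ecb7cf6a9a05773ed759d42e603dcb9aafffe6f",
               "0x2Bc3678d93E7C82Bc37Cc951B608cA5adE962e2B",
               "0x20e3a9cf9f2d4773de24fb50b1eff25fed70acc3",
               "0x2ec40a6A3cCA5E67C650051A41a4B51F590063CC",
               "0x2ec6BDeCCbdec4657127b76B9FF74143CFe021D5",
               "0x2bc812c70dcd634a07ce4fb9cd9ba4319fd9898d"]

# Reputation database: address -> (label, kind, exchange). Kinds mirror the
# CATV colouring: exchange* = pink, blacklist = red, absent = unknown.
REPUTATION = {
    norm(H73): ("Upbit Hacker 7.3", "blacklist", None),
    norm(H83): ("Upbit Hacker 8.3", "blacklist", None),
    norm(H75): ("Upbit Hacker 7.5", "blacklist", None),
    norm(CEK): ("60cek", "exchange", "60cek"),
    norm(BIN_HOT): ("Binance Hot Wallet", "exchange_hot", "Binance"),
    norm(HUO_HOT): ("Huobi Hot Wallet", "exchange_hot", "Huobi"),
    norm(HUO_USER): ("Huobi User Wallet", "exchange_deposit", "Huobi"),
}
for u in BIN_USERS_1 + BIN_USERS_2:
    REPUTATION[norm(u)] = ("Binance User Wallet", "exchange_deposit", "Binance")

# Constructed transfer log: (from, to, ETH).
TRANSFERS = [(H73, H83, 1000.0)]
for i in range(1, 6):                               # 5 relays into 60cek
    TRANSFERS += [(H83, placeholder(i), 100.0), (placeholder(i), CEK, 100.0)]
TRANSFERS += [(CEK, BIN_USERS_1[0], 250.0), (CEK, BIN_USERS_1[1], 250.0)]
TRANSFERS += [(H83, placeholder(6), 50.0), (placeholder(6), placeholder(7), 50.0),
              (placeholder(7), BIN_USERS_1[2], 50.0)]   # 2 relays to 3rd Binance user
TRANSFERS += [(H83, placeholder(8), 30.0), (placeholder(8), placeholder(9), 30.0),
              (placeholder(9), HUO_USER, 30.0), (HUO_USER, HUO_HOT, 30.0)]
TRANSFERS += [(u, BIN_HOT, a) for u, a in zip(BIN_USERS_1, (250.0, 250.0, 50.0))]
for u in BIN_USERS_2:                               # Investigation 2: 20 ETH each
    TRANSFERS += [(H75, u, 20.0), (u, BIN_HOT, 20.0)]
TRANSFERS.append((BIN_HOT, placeholder(99), 500.0))   # unrelated customer withdrawal


def trace(transfers, reputation, seeds, max_hops=6, stop_kinds=("exchange_hot",)):
    """Breadth-first walk over outgoing transfers from the seed wallets.
    Returns (reached, paths, inflow): exchange -> sorted addresses hit;
    address -> shortest hop path from a seed; address -> ETH arriving along
    traced edges (an upper bound, since relays may mix in unrelated funds)."""
    out_edges = defaultdict(list)
    for src, dst, amount in transfers:
        out_edges[norm(src)].append((norm(dst), float(amount)))
    reached, paths, inflow = defaultdict(set), {}, defaultdict(float)
    queue = deque((norm(s), [norm(s)]) for s in seeds)
    seen = set()
    while queue:
        addr, path = queue.popleft()
        if addr in seen:
            continue
        seen.add(addr)
        _label, kind, exchange = reputation.get(addr, ("unknown", "unknown", None))
        if kind.startswith("exchange"):
            reached[exchange].add(addr)
            paths[addr] = path
        # A custodial hot wallet commingles every customer's deposits, so what
        # leaves it is not the thief's trail: stop and notify the exchange instead.
        if kind in stop_kinds or len(path) - 1 >= max_hops:
            continue
        for dst, amount in out_edges[addr]:
            inflow[dst] += amount
            queue.append((dst, path + [dst]))
    return {ex: sorted(a) for ex, a in reached.items()}, paths, dict(inflow)


if __name__ == "__main__":
    reached, paths, inflow = trace(TRANSFERS, REPUTATION, [H73, H75])
    for exchange, addrs in sorted(reached.items()):
        print(f"{exchange}: {len(addrs)} wallet(s) received traced ETH")
        for a in addrs:
            print(f"  {a}  {inflow.get(a, 0):7.1f} ETH  via {len(paths[a]) - 1} hop(s)")
```

Run as-is, the walk reports 60cek's wallet, all eleven Binance wallets (ten deposit wallets plus the hot wallet) and both Huobi wallets, while the placeholder wallet that received the constructed 500 ETH withdrawal from the Binance hot wallet never appears, because the walk stops at `exchange_hot` nodes. Whether to stop at a given exchange is an investigation choice: here 60cek is tagged plain `exchange` so the walk continues through it, matching how Investigation 1 followed the funds onward to Binance.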
As of the time of publishing this article, the full list of affected exchange-owned wallets we have uncovered is as follows:
Binance
- 0x31932e7fd5e7265180bb085ccf9867fddc106be3
- 0xd8ce1addb79b03389504b4ffd7d521c5f494681b
- 0x742E92d356Ae3FEC4B602eebC5A78bc3fEc88e4e
- 0x2B9a95C4f3924465FdBcDeD0A79Cbd879830a04F
- 0x2ecb7cf6a9a05773ed759d42e603dcb9aafffe6f
- 0x2Bc3678d93E7C82Bc37Cc951B608cA5adE962e2B
- 0x20e3a9cf9f2d4773de24fb50b1eff25fed70acc3
- 0x2ec40a6A3cCA5E67C650051A41a4B51F590063CC
- 0x2ec6BDeCCbdec4657127b76B9FF74143CFe021D5
- 0x2bc812c70dcd634a07ce4fb9cd9ba4319fd9898d
- 0xaf486c8af85df8e38b48f8ae0b43550c70a018bc
- 0x3468Ea24CaCB1173a858eaC4aB3be60eCbba8a34
Huobi
- 0xb28Bc69199A7ABF00B9Cb200356104cE1bDc4868
- 0x54c892fe1b7adaa4c1d35af029db4abfeaf97e0c
- 0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08
Switchain
- 0xA96b536eEf496e21F5432FD258b6F78CF3673F74
60cek
- 0x69FfE5736e8C4053A48F03CBb58E9dD304db5945
LATOKEN
- 0x199f6a3f4748023819649580f171a823b26af792
- 0x11c94a7a8fd1079cecedfd83943291134b7a2c82
- 0x622ac3f3e0e57c6ac06b3fc67c845dd309084861
- 0x0A2D85e7Ae482F782c9f76cAc83BDe60F035eFdA
- 0xCAD6050be46f2d83a38843A209eFE2Ed9aF75825
- 0x6945977bd770C2eC1E7F4786b075b6129Db3e493
- 0xa65989400e04050882d6456919d723266fe2a3a9
- 0xec91d81c4410cb27a8b39256cb974bca30c8b515
We created a new dashboard (www.upbit-incident.uppsalasecurity.com) to track the latest Upbit incident. To get the latest updates on our investigation, head over to the dashboard or follow us on Twitter @UPPSentinel.
Have any thoughts to share or got questions for us? Feel free to visit the Uppsala Security Forum — https://forum.sentinelprotocol.io/t/upbit-incident-50m-usd-worth-of-eth-stolen/634.
Want to test out the CATV tool? You can do so here: https://portal.sentinelprotocol.io/transaction-tracking.