Identifying Exchanges Affected by Stolen Upbit ETH
By: Donovan Tan, Cybersecurity Researcher
On 27 November 2019, 342,000 ETH (worth roughly US$52 million at the time) was moved from Upbit’s hot wallet (0x5e032243d507c743b061ef021e2ec7fcc6d3ab89) to an unidentified and suspicious wallet (0xa09871aeadf4994ca12f5c0b6056bbd1d343c029). Upbit has acknowledged the transaction as abnormal and unauthorized, i.e. as theft.
Since the theft, our Uppsala Security team has been investigating and identifying exchange-owned wallets that received funds from the perpetrator. The sooner such a wallet is identified, the sooner the affected exchange can be informed, and the better its chance of freezing the deposit before it is withdrawn and regaining control of the stolen funds.
Initially, identification was straightforward because the hacker made few transactions: shortly after the hack, small amounts of stolen ETH were sent to exchanges such as Binance and Huobi, possibly to test ways of cashing out. That changed over the following days, when the stolen funds were spread across many more wallets in what appeared to be an attempt to throw investigators off the trail.
Thankfully, with the help of our Crypto Analysis Transaction Visualisation (CATV) tool, we were able to obtain visibility into the complex transaction flows of the stolen funds and carry out the investigation swiftly. Despite the large number of wallets involved, we could narrow the investigation down using nodes color-coded from the threat intelligence stored in our Threat Reputation Database (TRDB): exchange wallets annotated in the TRDB are drawn as pink nodes, while blacklisted wallets, including those involved in previous scams, are drawn in red.
In the following screenshots, we show how we used the CATV in our investigation to uncover some of the affected exchange-owned wallets.
Investigation 1: Russian Exchange 60cek, Huobi, and Binance Wallets
With the help of CATV, we discovered that the hacker was using 60cek, a Russian exchange. As seen from the screenshot above, Upbit Hacker 8.3 (0xAD00F), which received funds from Upbit Hacker 7.3 (0xe5fe63), sent ETH to five different addresses (circled in peach). These in turn forwarded the funds to 60cek’s wallet (0x69ffe5), from which ETH was subsequently sent to two Binance user wallets (0xd8ce1 and 0xaf486). Besides those two Binance user wallets that received the stolen funds through 60cek, a third one (0x742e92) received funds from Upbit Hacker 8.3 through two unidentified intermediary wallets. All three Binance user wallets then forwarded the funds to the Binance hot wallet (0x3f5ce5).
Besides 60cek and Binance, funds from Upbit Hacker 8.3 also ended up at a Huobi user wallet (0xad5177) after passing through two unidentified wallets.
Key Wallets involved in Investigation 1
Upbit Hacker 7.3: 0xe5fe638a211cfb45c2067f353e471f44de9571c0
Upbit Hacker 8.3: 0xad00f59e4105b5cb3b849c286bc0399eeabf183a
Binance Hot wallet: 0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be
Binance User wallets:
Huobi Hot wallet: 0x5401dbf7da53e1c9dbf484e3d69505815f2f5e6e
Huobi User wallet: 0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08
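The multi-hop trace and the color coding described in Investigation 1, as an added worked example that is not part of Uppsala Security's CATV or of this write-up: a small Python script over a constructed ledger (hypothetical labels such as hacker_8_3, peach_1 and 60cek stand in for the real addresses, and the TRDB dictionary is a stand-in for the real reputation database) that walks outward from a hacker wallet, colors nodes from the reputation table, and reports the shortest path to every exchange-annotated wallet it reaches.

```python
from collections import defaultdict, deque

# Constructed sample ledger, NOT real chain data: (sender, receiver, amount in ETH).
# Node names are hypothetical labels mirroring the roles in Investigation 1,
# not the real on-chain addresses.
TXS = [
    ("hacker_7_3", "hacker_8_3", 1000.0),
    # five "peach" intermediaries, each paying in to 60cek
    ("hacker_8_3", "peach_1", 50.0), ("peach_1", "60cek", 50.0),
    ("hacker_8_3", "peach_2", 50.0), ("peach_2", "60cek", 50.0),
    ("hacker_8_3", "peach_3", 50.0), ("peach_3", "60cek", 50.0),
    ("hacker_8_3", "peach_4", 50.0), ("peach_4", "60cek", 50.0),
    ("hacker_8_3", "peach_5", 50.0), ("peach_5", "60cek", 50.0),
    # 60cek pays out to two Binance deposit addresses
    ("60cek", "bin_user_1", 120.0), ("60cek", "bin_user_2", 120.0),
    # a third Binance deposit address reached through two unidentified hops
    ("hacker_8_3", "unk_a", 60.0), ("unk_a", "unk_b", 60.0), ("unk_b", "bin_user_3", 60.0),
    # all three deposit addresses are swept to the Binance hot wallet
    ("bin_user_1", "binance_hot", 120.0), ("bin_user_2", "binance_hot", 120.0),
    ("bin_user_3", "binance_hot", 60.0),
    # a Huobi deposit address reached through two unidentified hops
    ("hacker_8_3", "unk_c", 40.0), ("unk_c", "unk_d", 40.0),
    ("unk_d", "huobi_user", 40.0), ("huobi_user", "huobi_hot", 40.0),
]

# Stand-in for the Threat Reputation Database: address -> (category, label).
# Only annotated addresses appear here; everything else is treated as unknown.
TRDB = {
    "hacker_7_3": ("blacklist", "Upbit Hacker 7.3"),
    "hacker_8_3": ("blacklist", "Upbit Hacker 8.3"),
    "60cek": ("exchange", "60cek"),
    "binance_hot": ("exchange", "Binance hot wallet"),
    "huobi_hot": ("exchange", "Huobi hot wallet"),
}

# The colour scheme the article describes: exchanges pink, blacklisted wallets red.
COLOURS = {"exchange": "pink", "blacklist": "red"}


def color_of(addr, trdb=TRDB):
    """Colour for one node; unannotated addresses are grey."""
    category = trdb.get(addr, ("unknown", addr))[0]
    return COLOURS.get(category, "grey")


def build_graph(txs):
    """Adjacency list keyed by sender: sender -> [(receiver, amount), ...]."""
    graph = defaultdict(list)
    for src, dst, amt in txs:
        graph[src].append((dst, amt))
    return graph


def path_to(node, parent):
    """Rebuild the BFS path from the origin to `node` from the parent map."""
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def trace(txs, trdb, origin, max_hops=6):
    """Breadth-first walk outward from `origin`, at most `max_hops` transfers deep.
    Returns {exchange_address: (label, hops, path)} for every exchange-annotated
    address reached, with the shortest path found. The walk deliberately continues
    through exchange nodes, because in Investigation 1 the funds went through
    60cek and on to Binance."""
    graph = build_graph(txs)
    parent = {origin: None}
    queue = deque([(origin, 0)])
    hits = {}
    while queue:
        node, depth = queue.popleft()
        category, label = trdb.get(node, ("unknown", node))
        if category == "exchange" and node not in hits:
            hits[node] = (label, depth, path_to(node, parent))
        if depth >= max_hops:
            continue
        for nxt, _amt in graph[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append((nxt, depth + 1))
    return hits


def render_path(path, trdb=TRDB):
    """One-line rendering such as 'hacker_8_3[red] -> peach_1[grey] -> 60cek[pink]'."""
    return " -> ".join(f"{a}[{color_of(a, trdb)}]" for a in path)


if __name__ == "__main__":
    for addr, (label, hops, path) in trace(TXS, TRDB, "hacker_8_3").items():
        print(f"{label}: {hops} hops: {render_path(path)}")
```

Two caveats when running this against real data: the hop limit matters (starting from Upbit Hacker 7.3 with a limit of two hops never reaches 60cek in the sample ledger), and once funds enter an exchange wallet they are commingled with other customers' funds, so continuing the trace past 60cek to the Binance side, as the investigation did, ultimately relies on the exchange's own records rather than on the on-chain graph alone.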
Investigation 2: More funds sent to 7 Binance User Wallets
As seen from the CATV graph above, the verified hacker wallet 0x82F4d (annotated as Upbit Hacker 7.5 on Etherscan) sent funds to seven addresses, which have since been identified as Binance user wallets. These seven user wallets then forwarded the deposited ETH to Binance’s hot wallet (0x3f5CE). Each of these transactions was for 20 ETH.
Key Wallets involved in Investigation 2
Upbit Hacker 7.5: 0x82F4d449973001c3a3a2C5Cc432ee31407A4e862
Binance Hot Wallet: 0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE
7 Binance user wallets:
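Investigation 2 rests on two observations: an address that receives from the hacker and promptly forwards the whole amount to a known hot wallet is an exchange deposit (user) wallet, and seven equal 20 ETH transfers from one source are a structuring pattern worth flagging. The following is an added example, not Uppsala Security's code, of both heuristics in Python over a constructed ledger with timestamps; the labels hacker_7_5, dep_1 … dep_10 and binance_hot are hypothetical stand-ins, and the 24-hour window and 98% forwarding ratio are assumed tuning values.

```python
from collections import defaultdict

# Constructed sample ledger, NOT real chain data: (unix_time, sender, receiver, amount in ETH).
# Labels are hypothetical stand-ins for the roles in Investigation 2.
TXS = [(1_000, "hacker_7_5", f"dep_{i}", 20.0) for i in range(1, 8)]               # 7 x 20 ETH out
TXS += [(1_000 + 300 * i, f"dep_{i}", "binance_hot", 20.0) for i in range(1, 8)]   # each swept to the hot wallet
TXS += [
    (1_000, "hacker_7_5", "dep_8", 20.0), (1_200, "dep_8", "unknown_z", 20.0),       # forwarded, but not to a known hot wallet
    (1_000, "hacker_7_5", "dep_9", 20.0), (400_000, "dep_9", "binance_hot", 20.0),   # swept, but days later
    (2_000, "hacker_7_5", "dep_10", 3.5), (2_100, "dep_10", "binance_hot", 3.5),     # a lone, odd-sized deposit
]

# Stand-in for the exchange hot wallets annotated in the TRDB: address -> exchange.
HOT_WALLETS = {"binance_hot": "Binance"}


def infer_deposit_wallets(txs, hot_wallets, tainted, window=86_400, min_ratio=0.98):
    """Label an address as an exchange deposit (user) wallet when it received ETH
    from a tainted address and forwarded at least min_ratio of that amount to a
    known hot wallet within `window` seconds. min_ratio < 1 tolerates gas paid
    from the deposit address during the sweep. Returns {address: exchange}."""
    inflows = defaultdict(list)   # address -> [(time, amount)] received from tainted senders
    outflows = defaultdict(list)  # address -> [(time, hot wallet, amount)] sent to hot wallets
    for ts, src, dst, amt in txs:
        if src in tainted:
            inflows[dst].append((ts, amt))
        if dst in hot_wallets:
            outflows[src].append((ts, dst, amt))
    found = {}
    for addr, ins in inflows.items():
        for t_in, a_in in ins:
            for t_out, hot, a_out in outflows.get(addr, []):
                if 0 <= t_out - t_in <= window and a_out >= min_ratio * a_in:
                    found[addr] = hot_wallets[hot]
    return found


def find_equal_splits(txs, source, min_count=5, window=86_400):
    """Group the outflows of `source` by amount and report each amount that went to
    at least min_count distinct addresses within `window` seconds (the 7 x 20 ETH
    pattern). Returns {amount: sorted list of receiving addresses}."""
    by_amount = defaultdict(list)
    for ts, src, dst, amt in txs:
        if src == source:
            by_amount[amt].append((ts, dst))
    splits = {}
    for amt, items in by_amount.items():
        times = [t for t, _ in items]
        dsts = sorted({d for _, d in items})
        if len(dsts) >= min_count and max(times) - min(times) <= window:
            splits[amt] = dsts
    return splits


def report(txs, hot_wallets, tainted):
    """Combine both heuristics: which exchange each inferred deposit wallet belongs
    to, and which equal-amount splits each tainted source made."""
    deposits = infer_deposit_wallets(txs, hot_wallets, tainted)
    by_exchange = defaultdict(list)
    for addr, exch in deposits.items():
        by_exchange[exch].append(addr)
    splits = {src: find_equal_splits(txs, src) for src in tainted}
    return {"deposit_wallets": {e: sorted(a) for e, a in by_exchange.items()}, "splits": splits}


if __name__ == "__main__":
    import json
    print(json.dumps(report(TXS, HOT_WALLETS, {"hacker_7_5"}), indent=2))
```

In the sample ledger dep_1 through dep_7 and dep_10 are labelled as Binance deposit wallets, dep_8 is not (it forwarded to an unknown address), and dep_9 is not (it was swept outside the window), while the split check flags the 20 ETH amount. The thresholds are tuning knobs: an exchange that pre-funds gas or batches its sweeps needs a different ratio and window, and a deposit address only shows that the funds entered the exchange; the identity of the account holder is known only to the exchange, which is why prompt notification matters.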
As of the time of publishing this article, the full list of affected exchange-owned wallets we have uncovered is as follows:
We created a new dashboard (www.upbit-incident.uppsalasecurity.com) to track the latest Upbit incident. To get the latest updates on our investigation, head over to the dashboard or follow us on Twitter @UPPSentinel.
Have any thoughts to share or got questions for us? Feel free to visit the Uppsala Security Forum — https://forum.sentinelprotocol.io/t/upbit-incident-50m-usd-worth-of-eth-stolen/634.
Want to test out the CATV tool? You can do so here: https://portal.sentinelprotocol.io/transaction-tracking.