Sentinel Protocol

Identifying Exchanges Affected by Stolen Upbit ETH

By: Donovan Tan, Cybersecurity Researcher

On 27 November 2019, 342,000 ETH (worth ~$52mil USD) was moved from Upbit’s hot wallet (0x5e032243d507c743b061ef021e2ec7fcc6d3ab89) to an unidentified and suspicious wallet (0xa09871aeadf4994ca12f5c0b6056bbd1d343c029). Upbit has acknowledged the transaction to be an abnormal and unauthorized one, thereby classifying it as theft.

Since the theft, our Uppsala Security team has investigated and identified exchange-owned wallets that received funds from the perpetrator. Upon successful and swift identification, the affected exchanges could then be informed, allowing for timely intervention to freeze and regain control of the stolen funds.

Initially, the identification process was a straightforward one because the hacker did not make many transactions. The hacker sent small amounts of stolen ETH to exchanges such as Binance and Huobi shortly after the hack — possibly experimenting with ways to cash out. However, that changed over the next few days. The stolen funds were then spread across many more wallets in what seemed like an attempt by the hacker to throw the investigators off.

Transaction flows generated by the CATV (10 hops from Upbit hacker’s first wallet 0xa09871) above give a glimpse into the complexity of the cryptocurrency movement related to the hacking incident.

Thankfully, with the help of our Crypto Analysis Transaction Visualisation (CATV), we were able to obtain visibility into the complex transaction flows of the stolen funds, enabling us to carry out our investigation swiftly. Despite the large number of wallets involved in the transaction flows, we were able to narrow down our investigation using colour-coded nodes based on the extensive threat intelligence stored in the Threat Reputation Database (TRDB). For example, exchange wallets annotated in the TRDB were colour-coded as pink nodes. Blacklisted wallets, on the other hand, including those that had been involved in previous scams, were colour-coded as red.

In the following screenshots, we show how we used the CATV in our investigation to uncover some of the affected exchange-owned wallets.

Investigation 1: Russian Exchange 60cek, Huobi, and Binance Wallets

With the help of CATV, we discovered that the hacker was using 60cek, a Russian exchange. As seen from the screenshot above, Upbit Hacker 8.3 (0xAD00F), who received funds from Upbit Hacker 7.3 (0xe5fe63), transferred to 5 different addresses (circled in peach). In turn, these addresses sent the funds to 60cek’s wallet (0x69ffe5). These funds were subsequently sent to two Binance user wallets (0xd8ce1 and 0xaf486). Besides those two Binance user wallets that received the stolen funds through 60cek, a third one (0x742e92) also received funds from Upbit Hacker 8.3 through 2 unidentified wallets. The funds from these 3 Binance user wallets were subsequently transferred to Binance Hot Wallet (0x3f5ce5).

Besides 60cek and Binance, funds from Upbit Hacker 8.3 also ended up at a Huobi user wallet (0xad5177) after passing through 2 unidentified wallets.

Key Wallets involved in Investigation 1

Upbit Hacker 7.3: 0xe5fe638a211cfb45c2067f353e471f44de9571c0

Upbit Hacker 8.3: 0xad00f59e4105b5cb3b849c286bc0399eeabf183a

60cek: 0x69ffe5736e8c4053a48f03cbb58e9dd304db5945

Binance Hot wallet: 0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be

Binance User wallets:

  1. 0xd8ce1addb79b03389504b4ffd7d521c5f494681b
  2. 0xaf486c8af85df8e38b48f8ae0b43550c70a018bc
  3. 0x742e92d356ae3fec4b602eebc5a78bc3fec88e4e

Huobi Hot wallet: 0x5401dbf7da53e1c9dbf484e3d69505815f2f5e6e

Huobi User wallet: 0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08
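As an added example (not Uppsala Security's CATV code), the following Python models the Investigation 1 flow above as a transfer graph and walks it hop by hop from Upbit Hacker 7.3, flagging every wallet that a TRDB-style annotation table marks as exchange-owned or blacklisted, the way CATV's pink and red nodes do. The intermediate wallet names ("peachN", "unkN") and the annotation table are constructed assumptions; the exchange and hacker addresses are the ones listed above.

```python
from collections import deque

# Addresses from the article (Investigation 1); wallets the article leaves
# unidentified are constructed placeholders ("peachN", "unkN").
HACKER_73 = "0xe5fe638a211cfb45c2067f353e471f44de9571c0"
HACKER_83 = "0xad00f59e4105b5cb3b849c286bc0399eeabf183a"
EX_60CEK = "0x69ffe5736e8c4053a48f03cbb58e9dd304db5945"
BINANCE_HOT = "0x3f5ce5fbfe3e9af3971dd833d26ba9b5c936f0be"
HUOBI_USER = "0xad517717012aaf8bbbbdc4c11cf9c55c03e51d08"
BINANCE_USER = ["0xd8ce1addb79b03389504b4ffd7d521c5f494681b",
                "0xaf486c8af85df8e38b48f8ae0b43550c70a018bc",
                "0x742e92d356ae3fec4b602eebc5a78bc3fec88e4e"]

# Constructed (sender, receiver) edges modelling the flows the article describes.
TRANSFERS = [(HACKER_73, HACKER_83)]
TRANSFERS += [(HACKER_83, f"peach{i}") for i in range(5)]
TRANSFERS += [(f"peach{i}", EX_60CEK) for i in range(5)]
TRANSFERS += [(EX_60CEK, BINANCE_USER[0]), (EX_60CEK, BINANCE_USER[1])]
TRANSFERS += [(HACKER_83, "unk1"), ("unk1", "unk2"), ("unk2", BINANCE_USER[2])]
TRANSFERS += [(HACKER_83, "unk3"), ("unk3", "unk4"), ("unk4", HUOBI_USER)]
TRANSFERS += [(u, BINANCE_HOT) for u in BINANCE_USER]
# Constructed stand-in for TRDB annotations: "exchange" (pink) or "blacklist" (red).
TRDB = {EX_60CEK: ("exchange", "60cek"),
        BINANCE_HOT: ("exchange", "Binance hot wallet"),
        HUOBI_USER: ("exchange", "Huobi user wallet"),
        HACKER_73: ("blacklist", "Upbit Hacker 7.3"),
        HACKER_83: ("blacklist", "Upbit Hacker 8.3")}
for i, a in enumerate(BINANCE_USER, 1):
    TRDB[a] = ("exchange", f"Binance user wallet {i}")

def trace(source, transfers, trdb, max_hops=10):
    """BFS outward from source up to max_hops transfers; returns
    {address: (hops, kind, label, path)} for each annotated wallet reached."""
    out = {}
    for s, r in transfers:
        out.setdefault(s, []).append(r)
    hits, seen, queue = {}, {source}, deque([(source, [source])])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:   # stay within the hop budget
            continue
        for nxt in out.get(node, []):
            if nxt in seen:             # first BFS visit is the shortest path
                continue
            seen.add(nxt)
            kind, label = trdb.get(nxt, ("unknown", None))
            if kind != "unknown":       # would be a coloured node in CATV
                hits[nxt] = (len(path), kind, label, path + [nxt])
            queue.append((nxt, path + [nxt]))
    return hits
```

Running `trace(HACKER_73, TRANSFERS, TRDB)` reports 60cek at 3 hops, the Binance and Huobi user wallets at 4 and the Binance hot wallet at 5, with the path that reaches each; lowering `max_hops` reproduces the narrowing CATV offers when the graph gets too dense.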

Investigation 2: More funds sent to 7 Binance User Wallets

As seen from the CATV graph above, the verified hacker’s wallet 0x82F4d (annotated as Upbit Hacker 7.5 on Etherscan) sent funds to 7 addresses, which have since been identified as user wallets of Binance. These 7 user wallets then proceeded to transfer the deposited ETH to Binance’s hot wallet (0x3f5CE). These transactions were worth 20 ETH each.

Key Wallets involved in Investigation 2

Upbit Hacker 7.5: 0x82F4d449973001c3a3a2C5Cc432ee31407A4e862

Binance Hot Wallet: 0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE

7 Binance user wallets:

  1. 0x2B9a95C4f3924465FdBcDeD0A79Cbd879830a04F
  2. 0x2ecb7cf6a9a05773ed759d42e603dcb9aafffe6f
  3. 0x2Bc3678d93E7C82Bc37Cc951B608cA5adE962e2B
  4. 0x20e3a9cf9f2d4773de24fb50b1eff25fed70acc3
  5. 0x2ec40a6A3cCA5E67C650051A41a4B51F590063CC
  6. 0x2ec6BDeCCbdec4657127b76B9FF74143CFe021D5
  7. 0x2bc812c70dcd634a07ce4fb9cd9ba4319fd9898d

As of the time of publishing this article, the full list of affected exchange-owned wallets we uncovered is as follows:

We created a new dashboard ( to track the latest Upbit incident. To get the latest updates on our investigation, head over to the dashboard or follow us on Twitter @UPPSentinel.

Have any thoughts to share or got questions for us? Feel free to visit the Uppsala Security Forum —

Want to test out the CATV tool? You can do so here:

Sentinel Protocol Team

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud