“Malicious Actors Hiding in the Dark”: A Deeper Inspection of Malicious Actor Exchange User Wallets
By: Athul Harilal (Security Researcher), Koh Kai Xuan (Associate Security Analyst) and Nobel Tan (Head of Engineering & Product)
In our previous article¹, we investigated the techniques used by malicious actors to launder illicitly obtained funds from point of origin wallets to exchange user wallets or storage wallets, from analysis of 30000 malicious actor wallets belonging to more than 1500 incidents. Our investigation showed that malicious actors operate for durations of 6 months to encash illicit funds, by constantly relaying and mixing or tumbling of illicit funds over multiple wallets, to hide the link between point of origin wallets and exchange user wallets or storage wallets. This was also confirmed by our analysis that showed 61% of exchange user wallets to be unlinked.
After learning that 61% of exchange user wallets were hidden from their point of origin wallets, we sought to identify their association with known exchanges and uncover more details regarding their transactions. We also investigated the risk scores associated with these exchange user wallets using our machine learning based Crypto Analytics Risk Assessment (CARA) Tool², in order to understand if unlinking impacted their risk.
Overview of Our Findings
From our investigation, we narrowed down to 416 exchange user wallets that were highly suspicious because they continuously received funds from one or more malicious actor wallets or from tumblers and mixers. These wallets received 55338.52 ETH equivalent to 22.8 million USD as of writing the article. We associated 403 user wallets to 31 exchanges or similar services and 13 wallets could not be associated with any exchange, indicated as UNKNOWN. We have shared the full list of identified wallets for interested individuals, which can be found here.
Insights Deduced From Our Investigation
Figure 1 enlists the top 5 exchanges based on total Ethereum received from malicious actor wallets (Total ETH), number of exchange user wallets registered by malicious actors (Wallet Count), most recent transactions and average lifetime of the wallets in days (Lifetime).
We observe that Binance³ is the most popular exchange as it received 18.6% of the total ETH from 71 registered wallets and encountered frequent transactions as recent as writing of the article.
This is followed by Fiat Gateways⁴ that received 65% of the total ETH from 31 registered wallets operating more discreetly by transacting less frequently. A Fiat gateway⁵ is a decentralized infrastructure for converting cryptocurrency to fiat and vice versa, where fiat payments are processed using Paypal. This network looks to be lucrative to malicious actors as it provides them a quick avenue to obtain fiat. We also found 129 wallets associated with Cryptopia Exchange⁶, which was involved in a 16 million USD theft that led to its closure in May 2019⁷. We found malicious actor wallets that transacted 627.83 ETH.
We also observe exchanges or smart contracts such as Remitano, ReplaySafeSplit and BtcTurk receiving transactions as recent as August 2020. While the amount received is less compared to Fiat Gateway and Binance, they did receive significant amounts such as 801 ETH by Remitano. Similarly, we also observe long lived malicious actor wallets residing in exchanges such as BtcTurk (841 days), Poloniex (714 days) and Bibox(681 days).
Risk Score Distribution of Exchange User Wallets
Using our Crypto Analytics Risk Assessment (CARA) Tool that calculates the risk associated with a designated wallet based on machine learning, we computed the risk of 416 exchange user wallets in order to observe the impact of their risk scores due to unlinking of the wallet from initial malicious actor wallets used for laundering. From Table 1, we observe that 86.3% of the wallets were classified as either High Risk or Extreme High Risk wallets. While 12% of the wallets were seen to have Medium Risk and only 1.7% of the wallets had Low Risk. This shows that strong money laundering characteristics were observed in the majority of the wallets, irrespective of their unlinking from initial malicious actor wallets.
We identified 416 highly suspicious exchange user wallets of malicious actors belonging to 31 different exchanges that transacted a total of 55338.52 ETH. While Binance and Fiat Gateways were the most popular avenues for malicious actors, we also observed malicious actors engaging frequently in other exchanges or similar services such as Remitano, ReplaySafeSplit and reusing the same wallet for long durations such as 814 days observed in BtcTurk. Furthermore our machine learning based Crypto Analytics Risk Assessment tool identified strong money laundering characteristics in the majority of these wallets.
 ““Malicious Actors Hiding in the Dark”: An Overview of Money ….” 19 Feb. 2020, https://medium.com/sentinel-protocol/malicious-actors-hiding-in-the-dark-an-overview-of-money-laundering-techniques-employed-by-20129f02d194. Accessed 19 Aug. 2020.
 “CARA — Uppsala Security.” https://www.uppsalasecurity.com/cara. Accessed 19 Aug. 2020.
 “Binance.” https://www.binance.com/. Accessed 20 Aug. 2020.
 “Fiat Gateway — CoinList.” https://coinlist.co/build/chainlink/projects/6e5ee972-6e96-45d5-8156-e088ab965e11. Accessed 20 Aug. 2020.
 “chatch/fiat-gateway: Fiat gateway on Ethereum using … — GitHub.” 31 Oct. 2019, https://github.com/chatch/fiat-gateway. Accessed 1 Apr. 2020.
 “Cryptopia — Maintenance.” https://www.cryptopia.co.nz/. Accessed 1 Apr. 2020.
 “Cryptopia — Wikipedia.” https://en.wikipedia.org/wiki/Cryptopia. Accessed 1 Apr. 2020.