Sentinel Protocol
Published in

Sentinel Protocol

Part II — Tracing TFL/LFG’s flow of funds: Debunking the LUNAtic conspiracy

Part 1? 👉 https://bit.ly/3OcD1ym

Since the Terra-Luna implosion, we witnessed many affected by the event and the wider community coming together to better understand what has happened. Our customers sought more information, and as a member of the community, we took our part to provide more insights based on on-chain data.

Again, we believe in on-chain data rather than conspiracy theories. The goal of this report is to provide evidence and leads to uncover more information and help the community find answers. To get to the actual truth, we need further cooperation from the exchanges and the community; and we invite everyone to join us in sharing and uncovering more information for all of those affected by the incident.

Part II: Tracing TFL/LFG’s Flow of Funds from UST to MIM to USDT

In this report, we will address the following notable wallets of interest:

  1. “Interchange Wallet A”: 0xa046a8660e66d178ee07ec97c585eeb6aa18c26c
    : Wallet where over 3 billion UST was converted into MIM and subsequently into USDT
  2. “Distribution Wallet A”: terra1zz2nf34fjkjygkg0kplkrr29ycxarmct6kafvj
    : Wallet that transferred approximately 2.36 billion UST to Interchange Wallet A
  3. “Exchange Wallet A”: 0x21ec2dbb3bfd2210a84bbc924466a70becddd572
    : Binance Ethereum deposit wallet that received over 1 billion USDT from Interchange Wallet A
  4. Binance user account Memo: 100055002 (terra1ncjg4a59x2pgvqy9qjyqprlj8lrwshm0wleht5)
    : Binance Terra deposit wallet that receives funds from the same wallets that are linked to Interchange Wallet A

Through this investigation, we examined the flow of funds and interactions between TFL/LFG-controlled accounts and the abovementioned accounts using on-chain data, and observed billions of funds being converted from UST to MIM to USDT, which ultimately ended up in various exchange accounts.

For what purpose were such large sums of USDT created, and what ultimately happened to this USDT deposited into these exchange accounts? Unfortunately, this is not something we can answer, as all we can provide are facts based on on-chain data. The wider community and investigating authorities will require further assistance from the exchanges to unveil more facts and relevant information about the ultimate use of funds, and we hope to foster more dialogue with the data gathered in this report.

Overview of TFL/LFG’s Flow of Funds from UST to MIM to USDT

Interchange Wallet A, and Distribution Wallet A

Taking a top-down approach, one of the areas we first looked into were the list of wallets where the highest volumes of Wrapped UST fund flows had occurred within the Ethereum mainnet, from 2020–12–01 to 2022–05–07 (the day when the de-pegging of UST began). We noticed that while the majority of the most active addresses were smart contract addresses associated with protocols such as Curve and Abracadabra, there was one (and only, among top receivers) private wallet: “0xa046a8” that had transacted a total of 3,572,269,662 Wrapped UST (see Figure 1 & Table 1). We are going to call this wallet “Interchange Wallet A,” and deep dive further into what it has done with these funds.

Figure 1: Top 9 wallets of Wrapped UST transfers volumes from 2020–12–01 to 2022–05–07

Source: Bitquery

Table 1: Top 9 wallets of Wrapped UST transfers from 2020–12–01 to 2022–05–07

First, we traced the source of funds into Interchange Wallet A within Ethereum mainnet, and identified 9 unique addresses as depositors of Wrapped UST into Interchange Wallet A (see Table 2). Following are the key observations:

  • The largest amount Interchange Wallet A received was 3,015,839,070 Wrapped UST, received via the Wormhole.
  • There is a transaction history of 30,000 Wrapped UST being deposited from Bithumb’s (a Korean exchange’s) User Wallet: “0x39dcc2” into Interchange Wallet A (see Figures 2 & 3). While the quantum of the deposit is not big relative to other depositors, what is unique about this transaction is that:
    a) The Wrapped UST deposit was made from an exchange user deposit wallet directly, which rarely occurs. (Normally, token withdrawals from an exchange would occur from a dedicated withdrawal wallet, not from a user deposit wallet directly.)
    b) Wrapped UST (or UST) was not a listed token in Bithumb.

Table 2: 9 unique depositors of UST into Interchange Wallet A on Ethereum mainnet

Figure 2: Bithumb User Wallet: “0x39dcc2” associated with Bithumb’s hot wallets

Figure 3: Transaction from Bithumb User Wallet: “0x39dcc2” to Interchange Wallet A

Source :https://etherscan.io/tx/0xcabe955dc05d120b96de18fa822a0ce950f87bd9ff359eb7c9de5aacbab893d4

Second, further tracing the source of funds into Interchange Wallet A on the Terra mainnet side, we observed that a total amount of 2,992,331,371 UST was deposited via Wormhole from 8 unique addresses (see Table 3). Following are the key observations:

  • “terra1zz” was the biggest depositor into Interchange Wallet A, having deposited 2,362,184,592 UST. We will call this wallet: “Distribution Wallet A.”

Table 3: 8 unique depositors of UST into Interchange Wallet A on Terra mainnet

  • “terra188”, dubbed by the community as one of the “Peg Defenders” was the second biggest depositor into Interchange Wallet A, having deposited 174,226,081 UST.

Figure 4: “terra188” dubbed as one of the “Peg Defenders” by the community

Source: https://twitter.com/resonancethis/status/1523609290938130433

Next, we examined further into where these funds deposited into Interchange Wallet A have moved to. Below are the key observations:

  • The total deposits and withdrawals of Interchange Wallet A showed that UST, MIM, and USDT were the most transacted tokens (see Figure 5).

Figure 5: Total in/outflow of Interchange Wallet A

  • We observed that a total amount of 3,015,839,069 UST had been deposited into Interchange Wallet A from null address “0x0000” since 2020–12–21 (see Figure 6).
  • We observed that some of early USTs were minted directly to Interchange Wallet A, implying a connection to TFL (see Figures 7).
  • We observed that the majority of the UST transfers via the Terra-Ethereum Wormhole were received post 2021–11–17 (see Figure 8).

Figure 6: Interchange Wallet A receiving large amounts of UST via Terra-Ethereum Wormhole

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool

Figure 7: Interchange Wallet A receiving minted UST from Null Address “0x0000”

Source: https://etherscan.io/tx/0x502719a2023109a5e3581f7ba6f20504a1f69134aca38e9101682dee4a1e847f

Figure 8: UST inflow from Terra to Ethereum via Wormhole since 2021–11–17

Source: Uppsala Security Crypto Incident Response Center (CIRC)
  • We also observed that a total amount of 192,683,116 UST had been deposited into Interchange Wallet A from “Wormhole: Deployment 4” since 2020–12–24 (see Figure 9).

Figure 9: UST transfer from “Wormhole: Deployment 4”

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool

Majority of the UST transfers via the “Wormhole: Deployment 4” were received post 2021–11–17 as well (see Figure 10).

Figure 10: UST inflow from Terra to Ethereum via Wormhole: Deployment 4 since 2020–12–21

Source: Uppsala Security Crypto Incident Response Center (CIRC)

It appears that “Degenbox strategy” (announced by Abracadabra on 2021–11–03) may have contributed to the increase in UST-MIM liquidity in Curve pools (see Figures 11 & 12), and we observed that Interchange Wallet A leveraged the abundant UST-MIM liquidity to swap UST->MIM->USDT since 2021–11–17 (see Figures 13, 14, 15 & 16):

Figure 11: UST Inflow to UST-MIM Pool

Source: Uppsala Security Crypto Incident Response Center (CIRC)

Figure 12: MIM Inflow to UST-MIM Pool

Source: Uppsala Security Crypto Incident Response Center (CIRC)
  • First, Interchange Wallet A had swapped a total amount of 3,266,132,160 UST into MIM via Curve Smart Contract: “0x55a8a3” since 2021–11–17 (see Figure 13).

Figure 13: Interchange Wallet A swapping UST to MIM via Curve Smart Contract: “0x55a8a3”

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool
  • Second, Interchange Wallet A had received a total amount of 3,275,058,076 MIM from Curve Smart Contract: “0x55a8a3” since 2021–11–18 (see Figure 14).

Figure 14: Interchange Wallet A receiving MIM via Curve Smart Contract: “0x55a8a3”

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool
  • Third, Interchange Wallet A had swapped a total amount of 3,030,100,998 MIM to USDT via Curve Smart Contract: “0x5a6a4d” since 2021–11–18 (see Figure 15).

Figure 15: Interchange Wallet A swapping MIM to USDT via Curve Smart Contract: “0x5a6a4d”

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool
  • Fourth, Interchange Wallet A had received a total amount of 2,874,480,610 USDT from Curve Smart Contract: “0x5a6a4d” since 2021–11–18 (see Figure 16).

Figure 16: Interchange Wallet A receiving USDT via Curve Smart Contract: “0x5a6a4d”

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool

USDT swapped from Interchange Wallet A were distributed to various exchanges including Binance, KuCoin, Huobi and OKX, as well as crypto trading firms (see Figure 17).

Figure 17: USDT being distributed from Interchange Wallet A to various exchanges and crypto trading firms

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool

Exchange Wallet A

Among the various exchanges that Interchange Wallet A had distributed USDT into, we zoomed into where the biggest amount of USDT funds were sent to and identified Binance Deposit Wallet: “0x21ec2d” (“Exchange Wallet A’’), which had received a total amount of 1,089,393,518 USDT from Interchange Wallet A (see Figure 18).

Figure 18: USDT distribution highlights of Interchange Wallet A

Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool

Looking into Exchange Wallet A, we observed its association with LFG Reserve Wallet and other wallets with potential ties to TFL/LFG-related entities as below, which raises a possibility that Exchange Wallet A may be directly or indirectly owned by TFL/LFG or their related parties:

a) On 2022–01–28, Exchange Wallet A had received 60,000,000 USDT from “Luna Foundation Guard Reserve Wallet” (see Figure 19)

Figure 19: 60,000,000 USDT transaction from LFG Reserve Wallet to Exchange Wallet A

Source: https://etherscan.io/tx/0x10f2661f83c58593e7d7f88fc8e5eea70ab57fa2e47c9349f37286ca7fcc9a54

b) On 2022–05–08, one day after when the de-pegging of UST began, Exchange Wallet A had received 20,000 ETH from “0x6b671b,” an Ethereum wallet tied to Terra wallet: “terra188,” which was dubbed as one of the “Peg Defenders” by the community (see Figures 4, 20 & 21).

Figure 20: “terra188’s” (aka “Peg Defender’s”) link to “0x6b671b” on Wormhole smart contract

Figure 21: 20k ETH transfer from “Peg Defender”-linked address to the Exchange Wallet A

c) On 2018–10–15, Exchange Wallet A had received 117,705 BNB from “0x52032989864bb4cb17c7f9fad4c25b19d36ba7de” (see Figure 22), which is known in the community as Terra’s ICO wallet (source: https://coinpan.com/free/139851653)

Figure 22: BNB transfer from Terra’s ICO wallet “0x520329” to Exchange Wallet A

Our continued investigations into Exchange Wallet A also revealed the following:

  • On 2022–05–06, 1 day prior to the de-pegging of UST, a total amount of 300,000,000 USDT was deposited into Exchange Wallet A (see Figure 23).

Figure 23: 300m USDT deposit into Exchange Wallet A on 2022–05–06

The total funds transferred into and out of Exchange Wallet A (see Figure 24) show that Exchange Wallet A had received even larger amounts of USDT and other tokens than what Interchange Wallet A had sent. Then one might ask, what did the owner of Exchange Wallet A do with these funds?

Again, we do not know the final use of Exchange Wallet A’s USDT funds, as only the relevant exchange would be able to provide more information based on their internal records.

There have been questions raised in the community whether such USDT generated were linked to the price of LUNA, and while we are unable to provide any definitive answers, we collated charts that compare the amount of USDT inflow into Exchange Wallet A vs LUNA price moves (see Figure 25), as well as BTC price vs LUNA price moves from 2020–04–01 to 2022–05–07 (see Figure 26) below.

Figure 24: Total in/outflow of Exchange Wallet A

Source: Bitquery

Figure 25: USDT inflow to Exchange Wallet A vs LUNA price chart

Figure 26: BTC and LUNA price chart from 2020–04–01 to 2022–05–07

Binance user account Memo: 100055002

We reintroduce Binance user account Memo: “100055002”, which was uncovered in Part I of this report as an account with links to various wallets that are TFL/LFG-owned or appear to be directly or indirectly linked to TFL/LFG.

We observed Distribution Wallet A and other depositors into Interchange Wallet A also transacting with Memo: “100055002” — in fact, there are 5 exact-match addresses that have deposited UST into Interchange Wallet A also depositing significant amounts of UST into Memo: “100055002” (see Table 4), further connecting the ties between the clusters of TFL/LFG-linked wallets from Part I with these newly introduced wallets in Part II.

Table 4: Overlapping UST depositor addresses between Interchange Wallet A and Binance Memo: “100055002”

Conclusion

We addressed the following:

  1. Interchange Wallet A (“0xa046a8”):
    a) was the only private wallet among the top 9 wallets that have transacted Wrapped UST in Ethereum mainnet (rest were smart contracts).
    b) had received a total amount of 3bn+ UST, vast majority of which were received post 2021-11-17 via the Terra-Ethereum Wormhole. Majority of this UST was then swapped into MIM and subsequently into USDT.
    c) distributed USDT created in such a way to various exchanges including Binance, KuCoin, Huobi and OKX, as well as crypto trading firms.
    d) received Wrapped UST from Bithumb’s user deposit wallet directly; an unusual behavior for an exchange deposit wallet (also as Bithumb did not have Wrapped UST or UST listed).
  2. Distribution Wallet A (“terra1zz”):
    a) was the biggest depositor into Interchange Wallet A, having deposited 2,362,184,592 UST.
    b) was a notable depositor into Binance Memo: “100055002”, having deposited 201,440,296 UST.
  3. Exchange Wallet A (“0x21ec2d”):
    a) was the biggest recipient of USDT from Interchange Wallet A, having received a total amount of 1,089,393,518 USDT
    b) had also received significant amounts of USDT from LFG Reserve Wallet, ETH from an address dubbed by the community as one of the “Peg Defenders”, and BNB from what is known as Terra ICO wallet, demonstrating a notable link to TFL/LFG or related parties.
    c) received 300,000,000 USDT on 2022-05-06, 1 day prior to the de-pegging of UST.
  4. Binance user account Memo: “100055002”:
    a) had 5 overlapping UST depositors with Interchange Wallet A, one of which include Distribution Wallet A; further establishing the possibility that some or all of these accounts covered in Part I & II may be directly or indirectly controlled by the same or related entities, such as TFL or LFG.

Combining these findings with our observations from Part I, we summarize the connection and relationships between all the mentioned accounts and TFL/LFG-linked wallets as below:

Through this two-part series report, our aim was to provide evidence and leads for further investigation. We may not have all the answers or the ability to undo what has happened. However, through our on-chain analysis, we hope to foster continued dialogue and collaboration among the community members, so we can make better sense of what has happened and prevent/avoid similar incidents in the future. We ask for the help and cooperation from the exchanges and the wider community, and welcome all to join us to share their expertise in uncovering more relevant information about the incident.

About Uppsala Security

Uppsala Security built Sentinel Protocol, the first crowdsourced Threat Intelligence Platform powered by artificial intelligence, blockchain technology, and machine learning. Supporting the framework is a team of experienced cyber security professionals who have developed an award-winning suite of advanced tools and services for Crypto AML/CFT, Transaction Risk Management (KYC/KYT), Transaction Tracking, Regulatory Compliance, and Cybersecurity enabling organizations of every type and size to protect their crypto assets from malicious attacks and scams while meeting stringent regulatory compliance standards. Today Uppsala Security has over two thousand (2K+) users including government agencies, financial institutions and leading enterprises providing crypto exchanges, payment services, wallets, custodial services, gaming, and fintech solutions.

Uppsala Security is headquartered in Singapore, and has branch offices in Seoul, South Korea and Tokyo, Japan. You can follow Uppsala Security on Telegram,LinkedIn, Twitter, Facebook and Medium.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sentinel Protocol Team

Sentinel Protocol Team

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud