The latest storm in the Crypto Space: $150 Million USD KuCoin Hack

Sentinel Protocol Team
Published in Sentinel Protocol
Nov 8, 2020

2019 saw a record number of twelve crypto exchanges being hacked¹ and 2020 is no exception. On September 25th 2020, KuCoin, a Singapore-based digital assets exchange, experienced a security breach that resulted in the loss of more than $150mil USD worth of crypto assets, making this the 4th largest crypto exchange hack to date.

As a result of the attack, two Ethereum wallets belonging to KuCoin transferred more than 11,470 ETH to the hacker’s wallet. In addition, more than 150 different types of Ethereum-based tokens were drained to the hacker’s wallet.

KuCoin CEO Johnny Lyu hosted a livestream at 12.30pm (UTC+8) on 26th September 2020 in order to update the community about the incident, and has been open to communication ever since. Also, the exchange has been receiving support from a great number of ERC20 projects that have frozen, paused, or reversed their smart contracts after the hack².

KuCoin has also updated the suspicious addresses list as follows:

ETH: 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23

BTC: 1NRsEQRg5EjmJHbPUX7YADVPcPzCQBkyU7

LTC: LQtFoidy5TmLrPP77MZzgMRffqPsmRfMXE

XRP: r3mZvvHVLPtRWAujzBsAoXqH11jhwQZvzY

BSV: 15mC7zKbLyErSKzGRHpy6gyqS7GyRpWjEi

XLM: GBM3PJWNB5VKNOFXCDTTNXPMUNBMYTLAAPYDIIKLHUGMKX7ZGN2FNGFU

USDT: 1NRsEQRg5EjmJHbPUX7YADVPcPzCQBkyU7

TRX: TB3j1gUXaLXXq2bstiSMfjQ9R7Yh9DdDgK

At Uppsala Security, we proactively start investigations particularly when exchanges are the target of a hack, as they usually have a stronger impact on the wider decentralized community. An example of this is when we created a Live Monitoring Dashboard related to the Eterbase hack that took place in early September 2020. Solutions developed by our team at Uppsala Security, like the Live Monitoring Dashboard or the Crypto Analysis Transaction Visualization (CATV), are the backbone of our investigations.

The wallet involved in the KuCoin hack that we focus on in this article is 0xeB31973E0FeBF3e3D7058234a5eBbAe1aB4B8c23, where most of the funds went. It is important to mention that the funds were being exchanged on both decentralized (DEX) and centralized (CEX) exchanges. The virtual assets have reached various renowned exchanges such as Uniswap, Binance and OKEx, to name a few.

We have been monitoring and tracing the flow of funds related to the KuCoin hack over the past week and here’s part of our findings.

ETH End Wallets (Where the swapped ETH tokens ended up):

1. 0x00600423c03Ec4B46F9B8a28C66D42bdd1b19c36
2. 0xc48da0B07004C361081EEEA3903D049271C8c81a
3. 0x1A98fcebEBFEA4fFbd0d5Bf5e4650d71344F52Ab
4. 0x1d391A888D0a826E2E4c4Ecc81A8bb1366d685E2
5. 0x8F58C8bFf5131a9ef1B28DD6A6e52eAd1ebC3A07
6. 0x0A4e6BF0de33d41B0fb28eE7905A83Ea11CdBd90
7. 0xDB2f0602e55030E92a975d28D0b74C7D3a446370
8. 0xf1C290329fB02f2230Ea9e7De360f45764D01306 (May be used for mixing)
9. 0x66478B534Ee1e03DB621FbD86276880D39303b2B
10. 0x310d734d9aADf4AF0c296d19B739d52e6B9b6d6c
11. 0x86A09Bb7a6d7e89Ca860decEd9785a4A091c868e
12. 0x3bb5618adb8f561aE9BB398B487A9F6CD2De398B
13. 0xDbF373E267f0B9808eD764AEfeB053B22d1b5542
14. 0x712304d7e7F69C63742eCcE936B214B269982454
15. 0xE3248073Ca128B6E7F5C10b0532e56F64E74b787

As can be observed from the wallets listed above, the hacker distributed many different tokens through several wallets before exchanging the tokens for Ethereum (ETH).

At the start of the hack, the malicious actors leveraged Decentralized Exchanges to swap large amounts of tokens. Using the Uppsala Security Dashboard, we were able to identify the different exchanges used to swap different tokens, as indexed below.

Flow of funds of [SNX] token from the hacker wallet to Uniswap (annotated in purple)

By leveraging our Crypto Analysis Transaction Visualization Tool (CATV) we are able to generate a flow overview of the hacked funds within minutes.

The funds from the hacker wallet (0xeB31973E0FeBF3e3D7058234a5eBbAe1aB4B8c23) were sent to a proxy wallet (0x1c3f856719a91735ccb78506bd504b17907ac814), from which they were split into 3 separate wallets before the SNX tokens were swapped for ETH on Uniswap.

Flow of funds of [KNC] token from the hacker’s wallet to Tokenlon and Uniswap (annotated in purple)

In the above graph generated by our Crypto Analysis Transaction Visualization Tool (CATV), we are able to effectively tell how many tokens are being sent to the two exchanges.

486,328.6521 KNC being sent to Uniswap
540,390.45 KNC being sent to Tokenlon

We are also able to tell how much each individual exchange received from the hacker wallet.

The 2 pictures above state that 486,328.6521 KNC tokens are being sent to Uniswap while 540,390.45 KNC tokens are being sent to Tokenlon for swapping.

Flow of funds of [AGI] token from the hacker’s wallet to Uniswap, 1inch exchange and DEX.AG (annotated in purple)

The flow of funds for AGI is more complicated as the funds are being mixed through a set of wallets. However, CATV makes it easier to map out the flow of funds and be able to pinpoint the end wallets where the tokens are deposited.

With the help of our Crypto Analysis Transaction Visualization tool (CATV), which addresses both end users and businesses, we were able to identify the pattern the hacker used to transfer the funds and to narrow down the exchanges where the tokens ended up. In the above cases, CATV has made it much easier to look at the overview of the funds and to get a clearer image of the hacker’s logic. Plus, the tool also offers the possibility of downloading the transaction details list for further analysis.
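The tracing described for the SNX, KNC and AGI flows above (hacker wallet, proxy wallet, several intermediate wallets, then a swap on a DEX) boils down to walking a transfer log downstream from one origin and summing what arrives at labelled exchange addresses. The following is an added example, not CATV code or any Uppsala Security tool, that does exactly that over a constructed ERC-20 transfer log; it also checks an address against the suspicious list published by KuCoin. The hacker and proxy wallet addresses are the ones quoted in this article; the exchange addresses, the intermediate wallets and the per-hop amounts are constructed placeholders (the hop amounts are chosen so that the totals come out to the KNC figures quoted above).

```python
"""Minimal flow-of-funds tracer over ERC-20 transfers (added example)."""
from collections import defaultdict, deque
from decimal import Decimal

# Addresses quoted in the article. The ETH address appears there in both
# lowercase and EIP-55 checksummed form; both spellings denote one account,
# so comparisons must be case-insensitive.
HACKER_WALLET = "0xeB31973E0FeBF3e3D7058234a5eBbAe1aB4B8c23"
PROXY_WALLET = "0x1c3f856719a91735ccb78506bd504b17907ac814"
SUSPICIOUS_ADDRESSES = {
    "ETH": ["0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23"],
    "BTC": ["1NRsEQRg5EjmJHbPUX7YADVPcPzCQBkyU7"],
}

# Hypothetical exchange addresses (placeholders, NOT the real Uniswap or
# Tokenlon contracts) mapped to a human-readable label.
EX_UNISWAP = "0x" + "0" * 38 + "e1"
EX_TOKENLON = "0x" + "0" * 38 + "e2"
EXCHANGE_LABELS = {EX_UNISWAP: "Uniswap", EX_TOKENLON: "Tokenlon"}

# Constructed intermediate wallets (placeholders).
W1, W2, W3, UNRELATED = ("0x" + c * 40 for c in "abcd")

# Constructed transfer log: (token, sender, receiver, amount).
TRANSFERS = [
    ("KNC", HACKER_WALLET, PROXY_WALLET, "1026719.1021"),
    ("KNC", PROXY_WALLET, W1, "486328.6521"),
    ("KNC", PROXY_WALLET, W2, "300000"),
    ("KNC", PROXY_WALLET, W3, "240390.45"),
    ("KNC", W1, EX_UNISWAP, "486328.6521"),
    ("KNC", W2, EX_TOKENLON, "300000"),
    ("KNC", W3, EX_TOKENLON, "240390.45"),
    # Noise that must not be counted: an unrelated depositor and another token.
    ("KNC", UNRELATED, EX_UNISWAP, "99999"),
    ("SNX", HACKER_WALLET, EX_UNISWAP, "12345"),
]


def norm(addr: str) -> str:
    """Ethereum addresses are hex; EIP-55 checksumming only changes case."""
    return addr.strip().lower()


def is_flagged(chain: str, addr: str) -> bool:
    """Check an address against the published suspicious list for a chain."""
    entries = SUSPICIOUS_ADDRESSES.get(chain, [])
    if chain == "ETH":
        return norm(addr) in {norm(a) for a in entries}
    return addr.strip() in entries  # Base58 chains are case-sensitive


def trace(transfers, token, origin, labels, max_hops=8):
    """Breadth-first walk of `token` transfers downstream of `origin`.

    Returns (total per exchange label, list of traced edges). Each transfer is
    consumed at most once and the walk stops at labelled exchange addresses.
    This is plain reachability, not proportional taint: a downstream wallet's
    other inbound funds are not separated from the traced ones.
    """
    labels = {norm(a): name for a, name in labels.items()}
    outgoing = defaultdict(list)
    for t, src, dst, amt in transfers:
        if t == token:
            outgoing[norm(src)].append((norm(dst), Decimal(amt)))

    totals, edges = defaultdict(Decimal), []
    seen = {norm(origin)}
    queue = deque([(norm(origin), 0)])
    while queue:
        wallet, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for dst, amt in outgoing.pop(wallet, []):
            edges.append((wallet, dst, amt))
            if dst in labels:
                totals[labels[dst]] += amt
            elif dst not in seen:
                seen.add(dst)
                queue.append((dst, depth + 1))
    return dict(totals), edges


if __name__ == "__main__":
    totals, edges = trace(TRANSFERS, "KNC", HACKER_WALLET, EXCHANGE_LABELS)
    for name, amount in sorted(totals.items()):
        print(f"{amount:,} KNC reached {name}")
    print(f"{len(edges)} transfers in the traced subgraph")
    print("flagged:", is_flagged("ETH", HACKER_WALLET.upper()))
```

The `edges` list is the equivalent of the downloadable transaction details mentioned above: it is the exact subset of the log that the walk used, which is what an analyst hands to an exchange's compliance team when asking for a freeze.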

As of October 3rd 2020, KuCoin officials shared that they identified the suspects and that law enforcement agencies are involved in the investigation. At the current moment, the wallet where the hacker transferred the funds still holds over $90mil USD worth of cryptocurrencies.

Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea and Tokyo, Japan. Follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.
