Tracking the Stolen Assets from the Liquid Exchange Hacking: Laundering Process, Exchanges Involved, Post Tornado Cash?

Sentinel Protocol Team, published in Sentinel Protocol. 8 min read, Aug 30, 2021

Written by: Donovan, Team Manager (Threat Intelligence Operations)

Singapore, August 31st 2021 — On August 19th, Liquid Exchange unfortunately fell victim to a hack estimated to be worth around US$90M in stolen assets. The Japanese cryptocurrency exchange first announced the incident through Twitter, stating that their warm wallets had been compromised. A list of the hacker’s cryptocurrency addresses to which the stolen assets were transferred was also shared.

Announcement on Twitter
Initial list of Hacker’s Crypto Addresses

The stolen assets spanned several blockchains, including Bitcoin, Ethereum, TRON and XRP. Our team has been investigating the money flow with a focus on the Ethereum chain and, with the help of our tracking tools, has made various findings.

Through our investigations, we have found the modus operandi of the hacker to be relatively clear — either 1) swap the various stolen tokens for Ether and thereafter pass it through Tornado Cash, a transaction-privacy service that works like a mixer, in a bid to launder the stolen assets, or 2) transfer the stolen assets to Centralized Exchanges (CEX), presumably to cash them out. The hacker appears to be focusing on option 1, with only a minimal amount of the stolen assets on the Ethereum chain seen reaching known CEXs.

A total of 25 wallets were involved in this process on the Ethereum Chain, and our team has segregated them into 5 main categories for easier understanding — Initial, Swapping, Storage, To Exchange and Laundering Wallets.

1: Hacker’s Initial Wallets

Hacker 1: 0x5578840AAe68682a9779623Fa9e8714802B59946 (Liquid Exchange Hacker 1 on Etherscan)

Hacker 2: 0xEFB33ccafC98d5fDB27A6F5Ff17350CA76BF3b53 (Liquid Exchange Hacker 2 on Etherscan)

These Initial Wallets were the first wallets identified by Liquid Exchange. Most of the stolen assets, including all 69 different ERC-20 tokens, were transferred to 0x5578 (Hacker 1) over multiple transactions. The swapping and laundering process was also facilitated through this main wallet.

Unlike Hacker 1, Hacker 2 received a total of about 538.274 Ether over a single transaction, with the funds still sitting in the wallet without further movement.

2: Swapping Wallets

Hacker 3: 0xFF0f573bdf4c23E41EA3ECD82efa66828706B711

Hacker 4: 0xEC06A00Df7fe291c9F872449385BD593E38d8133

Hacker 5: 0x262feb0550F3b6927ee5CBaa2fcfF77c1D270dbe

Hacker 6: 0xD66D9EC7f0D89E0E6698953a7f44158552fbaf8f

Hacker 7: 0xaf9bdc92c920415CBCB8572a2dCb8aaDE778312b

Hacker 8: 0xC4Af9d67850eD5523b876B2276656170689162cE

Hacker 9: 0x11cf04ee89C9EF56D9EF6126e914286770B8571f

Swapping Wallets are the wallets used by the hacker to swap stolen tokens for Ether. Stolen tokens from Hacker 1 were split across these seven (7) different wallets. Via these wallets, the hacker made use of various Decentralized Exchanges (DEX) or related services like 1inch, Uniswap and SushiSwap to execute the swaps. The resulting Ether was either sent back to Hacker 1 after the swap or left sitting in the swapping wallets.

An excerpt of these swaps is seen below in a screenshot taken from the Swap Table on our Crypto Asset Monitor Service (CAMS). CAMS is our latest Crypto Asset monitoring tool which allows users to track digital assets in close to real time and monitor the results via an informative dashboard. It is currently commercially unreleased, but it is in the final stages of development and was used to aid in this investigation.

Swap Table taken from CAMS

3: Storage Wallets

Hacker 10: 0x5D3eED25350E5737c9377d5B4b9AF69ca0d3444C (SAND)

Hacker 11: 0x5D8eCEF85058b33Cc7130b975Cfe07B548feE50A (SAND, IDRT, UNI, ENJ, RSR, DENT)

Hacker 12: 0x5D2C9f717Da427a9c8Cc20c44EA57BA61d5bc457 (SNX)

Hacker 13: 0xE327405403D735BF88cD12543181B441e629b978 (WaBi)

Hacker 14: 0x1d5693804559484Ec5DDf2E9B5277F7434B0aD12 (WaBi)

Hacker 15: 0xCC6fAdeD04355924121E1666c22c6e323DE319d3 (WaBi)

Hacker 16: 0xc7e167Cf39737f4580F4427126Fe0BA72339222f (WaBi)

Storage Wallets refer to the wallets where the hacker is consolidating stolen tokens with no further movement, together with the intermediary wallets the tokens passed through to reach them. 7 such wallets have been identified.

Various stolen assets originating from Hacker 1 flowed through Hacker 3 (0xFF0f5) to reach Hackers 10 (0x5D3e) and 11 (0x5D8e), and through Hacker 5 (0x262fe) to reach Hacker 12 (0x5D2C). Stolen WaBi tokens flowed from Hacker 1 through Hackers 9, 13, 14 and 15 before ending up at Hacker 16 (0xc7e16).

4: To Exchange Wallets

Hacker 17: 0x23b4f411AC7D45be5380741bb10957cE11b0E483

Hacker 18: 0x583905662f2736bA8e867603B286E1345e201A7b

Hacker 19: 0xCcBb13AE65a39624cdCd2C96C973ae0370540e47

Hacker 20: 0x4811788fc28FdCf97099B07E71aef8Fdf899c679 (Huobi User Wallet)

Hacker 21: 0xF03D4a4529a47791B30156d3d381E19dd1A0C9fE

Hacker 22: 0xb514cC2b57b6A9a88e4DBf033a3A8d71c6b340eE (Bilaxy User Wallet)

We have also detected stolen assets on the Ethereum chain reaching 2 CEXs — Huobi and Bilaxy Exchange. As seen in the screenshots taken from CAMS (Crypto Asset Monitor Service), 25,496,397.9 VIDY and 90,579.4 FSN were detected reaching Hacker 20 (Huobi User Wallet), while 3,216,461.3 LND ended up at Hacker 22 (Bilaxy User Wallet).

Flagged Huobi User Wallet (Hacker 20: 0x48117) and related stolen assets deposited (CAMS)
Flagged Bilaxy User Wallet (Hacker 22: 0xb514cc) and related stolen assets deposited (CAMS)

The money flow from Hacker 1 to the 2 CEXs can be clearly seen below in the visualization from CATV (Crypto Analysis Transaction Visualization), our transaction visualization tool.

Money flow of stolen assets from Hacker 1 to Huobi (CATV)
Money flow of stolen assets from Liquid to Bilaxy (CATV)

5: Laundering Wallets

Hacker 23: 0x37A0D873E8B29fB5303E00e9300Ccb2EeB5A2786

Hacker 24: 0xb551160E088709076bB1c25A33028c040e790f61

After swapping the stolen tokens for Ether via the Swapping wallets and subsequently returning them to Hacker 1, the hacker started transferring Ether from Hacker 1 to the 2 Laundering Wallets.

These Laundering Wallets were used by the hacker to send Ether to Tornado Cash, a privacy service which effectively acts as a mixer. This was done presumably to launder the stolen assets and cover the hacker’s tracks. As of the time of writing, approximately 9,000 Ether from the Liquid hacker has been passed through Tornado Cash.
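The five wallet categories above are behavioural: a wallet's role follows from what it does with the funds it receives. The following script is an added example (not code from Uppsala Security or Sentinel Protocol, and not how CAMS works internally) that tags wallets in a small, constructed transfer graph with those roles. The addresses, the entity labels (DEX routers, mixer pool, exchange deposit address) and the transfers are all made up for the demonstration; only the role names follow the write-up, plus "Intermediary" for pass-through hops such as the WaBi chain.

```python
"""Heuristic role tagging for wallets in a token-transfer graph.

Added example, not code from Uppsala Security or Sentinel Protocol.  The
addresses, entity labels and transfers below are constructed for the demo;
only the five role names follow the write-up (Initial, Swapping, Storage,
To Exchange, Laundering), plus "Intermediary" for pass-through wallets.
"""
from collections import defaultdict

# Constructed entity attribution (a real tracer would load these from an
# address-labelling database): DEX routers, mixer pools, exchange deposits.
DEX_ROUTERS = {"dex_router_a", "dex_router_b"}
MIXERS = {"mixer_pool"}
CEX_DEPOSITS = {"cex_deposit_x"}

# Constructed transfers: (sender, receiver, asset, amount)
TRANSFERS = [
    ("victim_hot", "h1", "TOKEN_A", 1000.0),
    ("victim_hot", "h1", "TOKEN_B", 500.0),
    ("victim_hot", "h1", "TOKEN_C", 20.0),
    ("h1", "h3", "TOKEN_A", 600.0),           # split out for swapping
    ("h3", "dex_router_a", "TOKEN_A", 600.0),
    ("dex_router_a", "h3", "ETH", 12.0),      # swap proceeds come back
    ("h3", "h1", "ETH", 12.0),                # ... and return to the main wallet
    ("h1", "h9", "TOKEN_B", 500.0),           # pass-through hop
    ("h9", "h10", "TOKEN_B", 500.0),          # parked here, never moves again
    ("h1", "h17", "TOKEN_C", 20.0),
    ("h17", "cex_deposit_x", "TOKEN_C", 20.0),
    ("h1", "h23", "ETH", 10.0),
    ("h23", "mixer_pool", "ETH", 10.0),
]


def classify(transfers, initial, dex_routers, mixers, cex_deposits):
    """Tag each wallet by what it does with what it receives."""
    out_edges = defaultdict(set)
    in_edges = defaultdict(set)
    for sender, receiver, _asset, _amount in transfers:
        out_edges[sender].add(receiver)
        in_edges[receiver].add(sender)
    known_entities = dex_routers | mixers | cex_deposits
    roles = {}
    for addr in set(out_edges) | set(in_edges):
        if addr in known_entities:
            continue                  # labelled infrastructure, not a hacker wallet
        if addr in initial:
            roles[addr] = "Initial"
            continue
        if not in_edges[addr]:
            continue                  # pure source (the victim), outside the cluster
        outs = out_edges[addr]
        if outs & mixers:
            roles[addr] = "Laundering"
        elif outs & cex_deposits:
            roles[addr] = "To Exchange"
        elif outs & dex_routers:
            roles[addr] = "Swapping"
        elif not outs:
            roles[addr] = "Storage"
        else:
            roles[addr] = "Intermediary"
    return roles


def parked_balances(transfers, roles):
    """Per-asset amount sitting in each Storage wallet (they never send)."""
    balances = defaultdict(lambda: defaultdict(float))
    for _sender, receiver, asset, amount in transfers:
        if roles.get(receiver) == "Storage":
            balances[receiver][asset] += amount
    return {wallet: dict(assets) for wallet, assets in balances.items()}


if __name__ == "__main__":
    roles = classify(TRANSFERS, {"h1"}, DEX_ROUTERS, MIXERS, CEX_DEPOSITS)
    for wallet, role in sorted(roles.items()):
        print(f"{wallet:<5} {role}")
    print(parked_balances(TRANSFERS, roles))
```

The order of the checks matters: a wallet that both swaps and later deposits to an exchange is tagged by its most consequential action (mixer before exchange before DEX), which is the question an investigator reaching out to an exchange actually needs answered first. Labels for routers, mixer pools and exchange deposit addresses have to come from a curated attribution source; the heuristic is only as good as that list.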

Post Tornado Cash?

Hacker 25: 0xC4C6E460D0F659e99802208813A2Cc80a0F8B7Fe

Interestingly, we have detected Hacker 24 (Laundering Wallet) to have sent 6.7604 Ether to an address 0xC4C6E460D0F659e99802208813A2Cc80a0F8B7Fe (Hacker 25).

On analysing this address through CATV, we obtain the following.

Money flow of Ether from Tornado Cash and Hacker 9 ending up in Hacker 25 (CATV)

As seen above, besides the 6.7604 Ether sent by Hacker 24 which originated from Hacker 9, 0xC4C6E had also received Ether from 3 different wallets, all of which originated from Tornado Cash over 2 hops.

Based on the above observation, there could be various possible scenarios.

Scenario 1: 0xC4C6E owned by hacker, potential mistake made.

Firstly, 0xC4C6E could be owned by the hacker, who sent the 6.7604 Ether and used the wallet to consolidate some of the funds laundered through Tornado Cash. This transfer of Ether might be a mistake on the hacker’s end, as it would essentially link part of the funds laundered through Tornado Cash back to the hacker.

The Ether in this wallet was subsequently swapped for renBTC through 1inch and Uniswap, and then burnt through the Ren: BTC Gateway contract (0xe4b679400F0f267212D5D812B95f58C83243EE71). This operation in essence signals a cross-chain transfer of assets from Ethereum to the Bitcoin chain.

Through analysis of these cross-chain transactions, we have uncovered the following 3 BTC addresses that received these assets amounting to a total of 99.22 BTC.

  1. 16EjYD8gUJLAUvgzRhU9uwFh9zq1efLpzm
  2. 15vp5bKz2HEyXozaj1Qj5bvErGmEHDJRnj
  3. 15hGxz64gCPfUiLKbH7CTgGbk7wNKQw89G

The BTC has not been transferred out of these wallets as of the time of writing.

Scenario 2: 0xC4C6E NOT owned by hacker, hacker trying to mislead.

That said, considering how meticulous and careful the hacker has been, we should not discount the possibility that the hacker was trying to throw investigators down the wrong path. The transfer of 6.7604 Ether happened after the funds from Tornado Cash were sent into 0xC4C6E. Therefore, it might be plausible that this wallet does not belong to the hacker but instead to another user of Tornado Cash — the 6.7604 Ether transfer could have simply been a decoy.

Other possible hacker wallets?

Through analyzing wallets that received Ether from Tornado Cash during the period after the hacker laundered money through the service (20th to 23rd August), we identified 2 unique wallets that have received large amounts of Ether.

  1. 0x24D97E138AFb957eD2D752b93e48A6E00b4a6723
  2. 0xAb24a1990B94A4A01314f774bC55c747e6167805

Each of these accounts received 3,000 Ether originating from Tornado Cash. On tracking the money flow from these accounts, we found that assets have ended up at 3 Binance user wallets, each of which received 1,500 Ether.

Binance User Wallets

  1. 0x849d33d0Ae0E7DA506788b1e340BF08C395c88dB
  2. 0x8646366D3ecCa3bC77dD20e8D581F3133374A084
  3. 0x86Ba42e98eA77B55B80408d81aBf7eF86499806E

Even though we are unable to confirm that these wallets belong to the hacker due to the nature of Tornado Cash, we believe it is still worth looking into due to various factors. Based on profiling, we observe the following:

  1. The hacker’s activity on TRON and XRP shows a preference for segregating funds in equal amounts into new wallets.
  2. Inflows into the identified wallets were large (6,000 Ether) and could be part of the ~9,000 Ether sent by the hacker into Tornado Cash.
  3. The hacker was previously seen sending stolen assets on TRON and XRP to Binance too.

This is not concrete evidence linking these wallets to the hacker, but it could be an indication of a possible connection.
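The two observations that drive this section are graph questions: which inflows to a wallet trace back to the mixer within a bounded number of hops (the three inflows to 0xC4C6E over 2 hops), and which mixer recipients fan their balance out in equal parts (3,000 Ether split into 2 x 1,500). The script below is an added example (not Uppsala Security or Sentinel Protocol code, and not how CATV works) that answers both over a constructed transfer list. Every address, amount and the `mixer_pool` label are invented for the demonstration.

```python
"""Tracing Ether that leaves a mixer and spotting equal-split fan-outs.

Added example, not code from Uppsala Security or Sentinel Protocol.  All
addresses, amounts and the mixer label are constructed.  Two heuristics from
the write-up are implemented: (1) which direct inflows to a wallet originate
at the mixer within N hops, and (2) which wallets forward an inflow as equal
parts to several receivers.
"""
from collections import defaultdict, deque

MIXER = "mixer_pool"

# Constructed transfers: (sender, receiver, amount_eth)
TRANSFERS = [
    ("mixer_pool", "relay_a", 100.0),
    ("mixer_pool", "relay_b", 100.0),
    ("mixer_pool", "relay_c", 100.0),
    ("relay_a", "target", 99.5),       # three inflows reaching target 2 hops
    ("relay_b", "target", 99.5),       # after the mixer withdrawal
    ("relay_c", "target", 99.5),
    ("launder_w", "target", 6.76),     # the one inflow NOT from the mixer
    ("mixer_pool", "out_1", 3000.0),
    ("out_1", "cex_u1", 1500.0),       # equal split of the whole balance
    ("out_1", "cex_u2", 1500.0),
    ("mixer_pool", "unrelated", 1.0),
    ("unrelated", "shop", 0.4),
]


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, amount), ...]."""
    graph = defaultdict(list)
    for sender, receiver, amount in transfers:
        graph[sender].append((receiver, amount))
    return graph


def mixer_origin_paths(transfers, target, mixer, max_hops):
    """All simple paths mixer -> ... -> target using at most max_hops edges."""
    graph = build_graph(transfers)
    paths = []
    queue = deque([(mixer, [mixer])])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 > max_hops:
            continue
        if node == target and len(path) > 1:
            paths.append(path)
            continue
        for nxt, _amount in graph[node]:
            if nxt not in path:            # skip cycles
                queue.append((nxt, path + [nxt]))
    return paths


def inflow_origins(transfers, target, mixer, max_hops):
    """Label each direct sender to target as 'mixer' (reachable from the
    mixer in max_hops-1 hops, so the inflow is max_hops from it) or 'other'."""
    origins = {}
    for sender, receiver, _amount in transfers:
        if receiver != target or sender in origins:
            continue
        reachable = sender == mixer or mixer_origin_paths(
            transfers, sender, mixer, max_hops - 1)
        origins[sender] = "mixer" if reachable else "other"
    return origins


def equal_split_fanouts(transfers, min_parts=2, tolerance=1e-9):
    """Senders that forward their entire inflow as >= min_parts equal outflows."""
    graph = build_graph(transfers)
    inflow = defaultdict(float)
    for _sender, receiver, amount in transfers:
        inflow[receiver] += amount
    hits = {}
    for sender, outs in graph.items():
        amounts = [amount for _receiver, amount in outs]
        if len(amounts) < min_parts:
            continue
        if max(amounts) - min(amounts) > tolerance:
            continue                                   # not equal parts
        if abs(sum(amounts) - inflow[sender]) > tolerance:
            continue                                   # kept some back
        hits[sender] = ([receiver for receiver, _ in outs], amounts[0])
    return hits


if __name__ == "__main__":
    print(inflow_origins(TRANSFERS, "target", MIXER, max_hops=2))
    print(equal_split_fanouts(TRANSFERS))
```

The hop bound is the important knob: with a large enough `max_hops` almost any active address can be "connected" to a busy mixer, so a finding like "3 inflows over 2 hops, 1 inflow from elsewhere" only carries weight when the bound is small and the non-mixer inflow has an independent link to the case, as the 6.7604 Ether from Hacker 24 does here.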

Continued Efforts

As of the time of writing, many of the stolen tokens are still sitting in the hacker’s main wallet (Hacker 1), and the hacker is still in the process of swapping and laundering these tokens. Our team will continue to monitor the transaction flow of the stolen assets with the help of our tools and continue reaching out to the identified exchanges.

Here at Uppsala Security, we offer a comprehensive suite of tools that help you or your organization stay compliant in the Crypto space and keep your Crypto assets safe. We also provide Digital Asset Tracking Services to both individuals and companies who require help tracking down their assets.

You can find out more about CATV, our Transaction Visualization tool which was used in this investigation here.

If you require Digital Asset Tracking services, please visit our website at: https://uppsalasecurity.com/trackingsvc/.

About Uppsala Security Pte. Ltd.
Uppsala Security, is headquartered in Singapore and has branch offices in Seoul, South Korea and Tokyo, Japan. Uppsala Security built and operates the world’s first crowdsourced Threat Intelligence Platform known as the Sentinel Protocol, powered by blockchain technologies and A.I. Supporting the framework is a team of experienced security analysts and researchers committed to helping organizations realize safely interconnected experiences by deploying a suite of advanced Risk Management Solutions satisfying the crypto security needs of organizations and industry compliance standards worldwide.

To receive updates on our future product releases like CAMS, please subscribe to our social media channels on Telegram, LinkedIn, Twitter, Facebook and Medium.
