Malicious Crypto Transaction Report 3: Coinbene hacker’s money laundering flow analysis

Heejin Hwang
Published in SOOHO Blog
Dec 3, 2019

Hi, this is mara, a data analyst at SOOHO.

In March 19, there was a hacking incident at Coinbene, a Singapore cryptocurrency exchange, which led to the theft of large amounts of cryptocurrency. Most of the stolen cryptocurrencies were Ethereum-based ERC tokens, which were withdrawn shortly afterwards to Huobi and the decentralized exchange Etherdelta.

Since then, Ether has been sent from Etherdelta to accounts including the Coinbene hacker’s. More than 10,817 ETH has been withdrawn from Etherdelta in the form of Ether, and it is now flowing through a money laundering process into the Russian exchange Yobit. The most recent inflow into Yobit was on November 16, and about 3,000 ETH still remains.

The figure below summarizes and diagrams the flow of Coinbene hacker’s funds.

Figure 1. Fund flow diagram
  • Red line: token flow
  • Black line: ether flow

Key figures

  • Amount taken from Coinbene: 107 types of cryptocurrencies, KRW 5.8 billion
  • Ether sent from Etherdelta to wallet related to the Coinbene hacker: 10,817 ETH
  • Amount that flowed into Yobit: 8,740 ETH
  • Amount deposited in red wallet address: 3,030.5925156861 ETH

Flow of the cryptocurrencies

Below are the details of the movement of the cryptocurrencies.

  • The funds seized from Coinbene on March 25 were 107 types of cryptocurrencies, worth a total of KRW 5.8 billion.
  • Starting a day later, on March 26, the hacked funds were withdrawn from the hackers’ wallets to Huobi and Etherdelta wallets.
  • Among them, the Ether was withdrawn from the wallet where the tokens had been deposited with EtherDelta and gathered into 0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe. The total amount was 10,817 ETH.
  • The Ether sent to 0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe was then sent to 0x1cab134c69a361d880a33eb98237b5557ad4cd26 on September 20, and after that approximately 6,800 ETH flowed into Yobit over a total of 26 transactions. The remaining 4,000 ETH was sent back to the wallet 0x43b69c2927e53f8cccdcb2bbb73bf637215405c7.
  • Later, in November, the hacker transferred some of the laundered funds to Yobit, remitted the remaining funds to another account, and then slowly moved the funds into Yobit over several transfers.
  • Finally, the funds that have not yet flowed into the exchange amount to around 3,030 ETH, which was sent to the wallet 0x698a98afbca7423b413b5f0f7efabbb08a773767 on November 17th and is still kept there.
  • In addition, on November 16, about 55 ETH flowed from the hacker’s account to Binance. After 28 minutes, there was a record of a withdrawal of approximately 53 ETH from Binance’s wallet to one of the money laundering accounts, 0x8d419c8b98885a899844dc74f0213431a620be2c, possibly withdrawing the funds back.

Therefore, each exchange should take action as soon as possible, including registering the wallet addresses below on a blacklist.
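One way an exchange could apply such a blacklist to incoming deposits is sketched below as an added example; it is not SOOHO's code. It validates and lower-cases watchlist entries, then walks backward over funding transfers to find how many hops separate a depositor from a listed address. The two listed addresses come from this report; `HOP1`, `HOP2`, `CLEAN`, the function names and the transfer records are hypothetical, constructed inputs.

```python
import re
from collections import defaultdict, deque

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")  # 20-byte hex account address

def normalize(addr):
    """Lower-case an address; raise on malformed input such as a truncated copy."""
    addr = addr.strip()
    if not ADDR_RE.match(addr):
        raise ValueError(f"malformed address: {addr!r}")
    return addr.lower()

def load_watchlist(raw):
    """Return (valid set, rejected list) so bad entries are surfaced, not dropped."""
    good, bad = set(), []
    for entry in raw:
        try:
            good.add(normalize(entry))
        except ValueError:
            bad.append(entry)
    return good, bad

def hops_to_watchlist(sender, transfers, watchlist, max_hops=3):
    """Breadth-first walk backward over funding edges from `sender`.
    Returns hops to the nearest watchlisted address, or None within max_hops."""
    funded_by = defaultdict(set)
    for src, dst, _eth in transfers:
        funded_by[normalize(dst)].add(normalize(src))
    start = normalize(sender)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        if addr in watchlist:
            return depth
        if depth < max_hops:
            for src in funded_by[addr] - seen:
                seen.add(src)
                queue.append((src, depth + 1))
    return None

MONITORED = "0x698a98afbca7423b413b5f0f7efabbb08a773767"  # from the report
HACKER = "0xb3df999c5dc026dea265aeb02b8519844c9b6d5e"     # from the report
HOP1, HOP2, CLEAN = ("0x" + c * 40 for c in "abc")        # hypothetical addresses
# Constructed watchlist input: one upper-cased entry and one truncated entry.
RAW = [MONITORED, "0x" + HACKER[2:].upper(), MONITORED[:-1]]
# Constructed transfers (from, to, ETH); not real chain data.
TRANSFERS = [(MONITORED, HOP1, 100.0), (HOP1, HOP2, 99.9), (CLEAN, HOP2, 1.0)]

if __name__ == "__main__":
    watchlist, rejected = load_watchlist(RAW)
    print("rejected entries:", rejected)
    print("deposit from HOP2:", hops_to_watchlist(HOP2, TRANSFERS, watchlist))
```

A pure hop count is a coarse signal: in production the walk should stop at known exchange or service wallets, since tracing through a shared hot wallet would flag unrelated customers.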

Address list

1. Wallet address of Coinbene Hacker

  • 0xb3df999c5dc026dea265aeb02b8519844c9b6d5e

2. Wallet address related to Yobit


3. Wallet address related to Etherdelta


4. Wallet address related to Huobi

  • 0x712ae2390e296311d69fcd143a2ad2117a7ca997

5. Wallet address related to Binance

  • 0xd9ee699014aefd7084033255af0cab02367c5b70

6. Wallet address that needs constant monitoring

  • 0x698a98afbca7423b413b5f0f7efabbb08a773767

7. Wallet addresses that took part in this money laundering process


Thanks.

Please feel free to contact us if you need to analyze cryptocurrency transactions. (contact@sooho.io)
