Cryptopia Hack Analysis
By Keith Dallara on ALTCOIN MAGAZINE
January 15th, 2019 saw the announcement of another hack of a crypto exchange, New Zealand’s Cryptopia. Information is scarce about the nature and magnitude of the hack, but reports cited here and here indicate that it involved a significant amount of funds.
At ChainRadar.io, we have built a suite of tools that provide data and analytics on public blockchains. We use these tools to prevent hacks like this through proactive monitoring of exchange wallets. In this case, we decided to do some forensic investigation of the recent activity at Cryptopia. Since our current set of tools is built around Ethereum, we will look at the movement of Ethereum out of Cryptopia.
First, let’s look at withdrawals of Ethereum from the main Cryptopia wallet (address 0x5baeac0a0417a05733884852aa068b706967e790).
Right away we can see that there was unusual withdrawal activity on Jan 13, which saw withdrawals of 19,574 ETH. All other days in January averaged 615 ETH withdrawn, so this is roughly a 32X increase.
NOTE on dates: for our analysis we’re using days starting at UTC midnight. Since Cryptopia is at UTC +13, our active day of Jan 13 aligns with their report of suspicious activity on Jan 14.
Perhaps this was an industry-wide trend (like the “Proof of Keys” movement scheduled for January 3rd). We decided to run a similar analysis of withdrawals on some other exchanges to see if they showed large movements on Jan 13.
From these charts we can see that both Binance and Poloniex had relatively steady withdrawal volumes during this time. Poloniex’s withdrawals show somewhat more variance, but nothing like a 32X increase: they averaged about 13,000 ETH withdrawn per day, with the maximum day only 2.7X the average day.
We then looked closer at the destination of all withdrawals during this period from Cryptopia. The following pie chart shows the distribution of withdrawals during this period:
This looks pretty conclusive: 75% of the funds withdrawn over the period were sent to one address, 0xc8b759860149542a98a3eb57c14aadf59d6d89b9. As we will show a little later, a total of 20,753 ETH was moved to that single address. It’s possible that this is an address chosen by the Cryptopia team to secure their funds, but let’s look more closely at the activity at this address to determine that.
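The two checks used above, a per-day outflow spike against the wallet's own baseline and the concentration of a spike day's outflow into a single destination, as an added example in Python; this is not ChainRadar's tooling, and the transfers, timestamps and placeholder addresses are constructed sample data, not real chain data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample transfers (not real chain data): (unix_ts, from, to, eth).
# Addresses are hypothetical placeholders, not the ones discussed in the article.
HOT = "0xhotwallet_placeholder"
DEST = "0xdestination_placeholder"
TXS = [
    (1546387200, HOT, "0xuser1", 300.0),   # 2019-01-02 00:00 UTC
    (1546473600, HOT, "0xuser2", 700.0),   # 2019-01-03
    (1546560000, HOT, "0xuser3", 550.0),   # 2019-01-04
    (1547337600, HOT, DEST, 9500.0),       # 2019-01-13 00:00 UTC
    (1547380800, HOT, DEST, 9000.0),       # 2019-01-13 12:00 UTC
    (1547400000, HOT, "0xuser4", 1074.0),  # 2019-01-13 17:20 UTC
    (1547424000, HOT, "0xuser5", 600.0),   # 2019-01-14
]

def utc_day(ts):
    """Bucket by UTC calendar day, as the article does (not exchange-local time)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")

def daily_withdrawals(txs, wallet):
    """Total ETH leaving `wallet` per UTC day."""
    totals = defaultdict(float)
    for ts, src, _, eth in txs:
        if src.lower() == wallet.lower():
            totals[utc_day(ts)] += eth
    return dict(totals)

def anomalous_days(totals, factor=10.0):
    """Flag days whose outflow exceeds `factor` times the mean of all other days."""
    flagged = []
    for day, amt in totals.items():
        others = [v for d, v in totals.items() if d != day]
        if others and amt > factor * (sum(others) / len(others)):
            flagged.append(day)
    return sorted(flagged)

def destination_shares(txs, wallet, days):
    """Fraction of outflow on the given days that went to each destination."""
    out = defaultdict(float)
    for ts, src, dst, eth in txs:
        if src.lower() == wallet.lower() and utc_day(ts) in days:
            out[dst.lower()] += eth
    total = sum(out.values())
    return {addr: amt / total for addr, amt in out.items()}

if __name__ == "__main__":
    totals = daily_withdrawals(TXS, HOT)
    spike_days = anomalous_days(totals)
    print(spike_days, destination_shares(TXS, HOT, set(spike_days)))
```

The 10X factor is a starting point for an alert threshold; the article's 32X spike clears it comfortably while Poloniex's 2.7X variance would not.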
First we observe that all the outgoing transactions from 0xc8b759860149542a98a3eb57c14aadf59d6d89b9 go to a single address, 0xaA923Cd02364Bb8A4c3d6F894178d2e12231655C. Below is a table showing all the outgoing transactions (apologies for using screenshots here; we haven’t found a good way to embed the real data in Medium).
One thing to note here is that 28,774 ETH get sent to 0xaA923Cd02364Bb8A4c3d6F894178d2e12231655C, but we know that only 20,753 ETH were moved from the Cryptopia wallet to this address. Maybe if we can find the source of that other ~7,000 ETH we could learn something else about who did this.
Here is a portion of the incoming transactions to 0xc8b759860149542a98a3eb57c14aadf59d6d89b9 ordered by transfer amount.
We included only a portion of the incoming transactions here because 0xc8b759860149542a98a3eb57c14aadf59d6d89b9 has over 76,000 incoming transactions, all of which happened on Jan 13th or later. This long tail of incoming transactions certainly accounts for the additional 7,000 ETH. Most of the transactions are quite small (only about 50 are greater than 1 ETH).
Given this profile, we feel confident saying that 0xc8b759860149542a98a3eb57c14aadf59d6d89b9 is not a safe haven or cold storage address used by the Cryptopia team. It would be very unusual for an exchange to make many frequent small transfers to cold storage, especially if it were quickly trying to secure funds from a hacker.
We have spent some time reviewing this large number of small transfers. What we have found is that many of them are transfers from other exchanges (Binance, Bitfinex, Kraken, and Bittrex wallets all appear).
We also see a large number of transactions like this one, 0x5080664fa772d4daa3b2683ef969a27147bf2a03d319a510f4fb892a259a63f4. The input to this transaction, 0x7EcA7592632FE36977C82c964c0F6131CB652524, is an address that receives a large number of deposits from Ethermine. There are also many cases where the input is a single-use address that gets all its inputs from a mining pool; in this transaction, 0x77c646be8d2bfe7d44c93b7e5a173575a701555fb8032bd861a4f618261358df, it is again Ethermine.
Here are a few of the many transactions that lead back to Ethermine.
To summarize our findings, the majority of funds from the Cryptopia wallet were moved first to 0xc8b759860149542a98a3eb57c14aadf59d6d89b9 and then to 0xaA923Cd02364Bb8A4c3d6F894178d2e12231655C. 0xaA923Cd02364Bb8A4c3d6F894178d2e12231655C still holds 28,773 ETH as of this writing. The owner of 0xc8b759860149542a98a3eb57c14aadf59d6d89b9 seems highly likely to be a member of the Ethermine mining pool and likely had accounts at Bitfinex, Binance, Kraken, and Bittrex. Hopefully law enforcement can track down more information on the hackers from those entities.
Keith Dallara is the Founder of ChainRadar.io. ChainRadar has built proprietary tools to analyze public blockchains. We have the ability to proactively monitor the Ethereum blockchain for malicious actors. We can examine and report on transactions involving tokens, token transfers, DEXs, dApps and other specialized smart contracts. See our website for some examples of sample data we provide.