On August 19, 2021, more than 90 million U.S. dollars worth of crypto assets were stolen from the hot wallet of the Japanese exchange Liquid. According to PeckShield's statistics, the haul comprises approximately 4.8 million U.S. dollars in BTC (107.43 BTC), 32.5 million U.S. dollars in ETH, 44.9 million U.S. dollars in ERC-20 tokens (nearly a hundred tokens, including AAVE, UNI, LINK, SNX and USDC), 1.83 million U.S. dollars on TRON (including USDT-TRON and 2,393,334.86 TRX), and 12.9 million U.S. dollars in XRP (11,467,479 XRP).
According to CoinHolmes, PeckShield's anti-money-laundering situational awareness system, the ETH has so far not moved and remains locked in the attacker's address.
Once the attack succeeded, the attacker quickly transferred the ERC-20 tokens to Uniswap, SushiSwap, 1inch and other DEXs (decentralized exchanges), swapped nearly a hundred tokens through those DEXs into ETH, or converted them into BTC through the Ren cross-chain bridge and then redeemed them back onto Ethereum through the bridge, and finally moved the funds out through the coin mixer Tornado.cash. The whole on-chain process was carried out with evident skill, which is already apparent from the way the attacker disposed of the ERC-20 tokens in the very first step.
Because some of the stolen ERC-20 tokens have poor liquidity and could easily be blocked by an issuer freeze, a transaction rollback or a hard fork, the attacker first transferred these tokens, one after another, to DEXs that require no KYC, registration or login and can be used immediately, then converted most of them into the mainstream token ETH, pooled the ETH at a new address, and finally moved it out through the privacy protocol Tornado.cash.
Etherscan shows that from 4:19 on August 19 the attacker began a "value-first" sweep: the stablecoins USDT, USDC, DAI and others were emptied first, and the remaining tokens were then rushed to DEXs before they could be frozen.
This is so far the second security incident in which a centralized institution was robbed and the proceeds were laundered through decentralized services. According to PeckShield's statistics, only a handful of thefts from centralized institutions have been followed by laundering through decentralized services, but the same laundering methods have been used after attacks on, and exit scams by, DeFi protocols (decentralized protocols), and they show a growing trend.
Emerging Money Laundering Trilogy
Once the attack succeeded, the attacker's laundering process can be roughly divided into three steps:
1. Batch transfer: move the stolen ERC-20 assets to DEXs to avoid freezes and rollbacks, and at the same time consolidate the stolen assets in preparation for the next cleaning step;
2. Batch exchange: swap the ERC-20 tokens into ETH or BTC through DEXs or a cross-chain bridge, and place the crypto assets through the cross-chain bridge in preparation for batch transfer into the privacy protocol;
3. Concealment: transfer the placed ETH or BTC into Tornado Cash, Typhoon, Wasabi Wallet and other coin-mixing tools to obscure the source of the assets and the ultimate beneficiary, erasing the traces of the illicit assets so as to evade tracking.
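As an added illustration that is not part of the original article, the following constructed Python example flags the three-stage pattern described above over a small hand-made transfer log. The router and mixer addresses and the log entries are hypothetical labels, not real contract addresses or real transactions.

```python
from collections import defaultdict

# Hypothetical labelled addresses (constructed; not real contract addresses).
DEX_ROUTERS = {"0xDEX_A", "0xDEX_B"}
MIXERS = {"0xMIXER"}

# Constructed transfer log: (timestamp, sender, receiver, token, amount).
TRANSFERS = [
    (0, "0xATTACKER", "0xDEX_A", "USDT", 1_000_000),  # stablecoins swept first
    (1, "0xATTACKER", "0xDEX_B", "USDC", 800_000),
    (2, "0xATTACKER", "0xDEX_A", "AAVE", 3_000),      # then illiquid tokens
    (3, "0xATTACKER", "0xDEX_B", "LINK", 50_000),
    (4, "0xDEX_A", "0xATTACKER", "ETH", 900),         # swaps return ETH
    (5, "0xDEX_B", "0xATTACKER", "ETH", 700),
    (6, "0xATTACKER", "0xPOOL", "ETH", 1_600),        # pooled at a fresh address
    (7, "0xPOOL", "0xMIXER", "ETH", 1_600),           # sent on to the mixer
    (8, "0xALICE", "0xDEX_A", "UNI", 10),             # benign single swap
    (9, "0xDEX_A", "0xALICE", "ETH", 1),
]

def laundering_stages(transfers, min_tokens=3):
    """Return {address: stages} for addresses that start the pattern:
    batch_transfer (>= min_tokens tokens sent to DEXs), batch_exchange (ETH
    received back from a DEX), concealment (it or an ETH recipient hits a mixer)."""
    tokens_to_dex = defaultdict(set)   # sender -> tokens sent to DEX routers
    eth_from_dex = set()               # addresses that received ETH from a DEX
    eth_forwarded = defaultdict(set)   # sender -> non-DEX addresses given ETH
    mixer_senders = set()
    for _ts, src, dst, token, _amt in transfers:
        if dst in DEX_ROUTERS and token != "ETH":
            tokens_to_dex[src].add(token)
        elif src in DEX_ROUTERS and token == "ETH":
            eth_from_dex.add(dst)
        elif token == "ETH" and dst not in DEX_ROUTERS:
            eth_forwarded[src].add(dst)
        if dst in MIXERS:
            mixer_senders.add(src)
    found = {}
    for addr, tokens in tokens_to_dex.items():
        if len(tokens) < min_tokens:
            continue  # a single swap is not a batch transfer
        stages = ["batch_transfer"]
        if addr in eth_from_dex:
            stages.append("batch_exchange")
            # one hop of ETH forwarding covers the "pool at a new address" step
            if addr in mixer_senders or eth_forwarded[addr] & mixer_senders:
                stages.append("concealment")
        found[addr] = stages
    return found
```

In a real monitoring setup the labelled sets would be fed from a curated list of router and mixer contracts and the log from an on-chain indexer; the single-hop forwarding check is a simplification of the address clustering such systems perform.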
Tornado Cash is a private-transaction middleware on Ethereum built on zero-knowledge proofs. It uses zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) to send ETH and ERC-20 tokens (currently DAI, cDAI, USDC, USDT and WBTC) to any address in an untraceable manner.
In practice, when a user deposits cryptocurrency into the privacy pool, they obtain a deposit note. The user can later withdraw the previously deposited cryptocurrency to any address using that note. Because the data submitted when the note is generated and when it is used does not include the note itself, the two transfers, deposit and withdrawal, are guaranteed to be completely independent. In addition, thanks to the relayer service, the Ethereum address used for withdrawal does not even need to hold ETH to pay the transaction fee, so a withdrawal can be made to a completely fresh address.
In fact, Tornado Cash is not an unbreakable privacy protocol. The StableMagnet Finance exit-scam case, cracked by British police some time ago, shows that when security companies, exchanges, the community and the police work together, the attacker's assets can be tracked continuously through the CoinHolmes anti-money-laundering situational awareness system; with clues continuously collected from the community and active cooperation with the police, the police were able to identify the members involved by analysing and tracking those clues and, with the help of physical evidence, compel them to return the ETH stored in Tornado Cash.
According to CoinHolmes tracking, the attacker transferred more than 10 million XRP to his address in four transactions and then transferred them in three batches to Binance, Huobi, Poloniex and other exchanges.
After tracking this through the anti-money-laundering situational awareness system, Liquid urgently contacted these centralized institutions to blacklist the attacker's addresses in an effort to freeze the stolen XRP.
But before that, the attacker had already converted part of the XRP into BTC through the exchanges. According to the CoinHolmes system, these XRP had been converted into 192 BTC and moved out through the decentralized coin mixer Wasabi Wallet.
Wasabi Wallet uses the CoinJoin technique to aggregate the transactions of multiple users into one large transaction with many inputs and outputs; the more users participate, the stronger the privacy and the harder the linkage. In addition, Wasabi Wallet uses block filters, downloading entire blocks of data rather than querying individual addresses, to further obscure transaction information and enhance privacy and censorship resistance, which makes it harder for law enforcement agencies to trace such funds.
With regulators strictly supervising money laundering at centralized institutions, those institutions keep raising their KYC requirements, which has dealt a heavy blow to centralized laundering channels, and decentralized tools are increasingly favored by criminals: illicit funds have begun to turn to decentralized channels for laundering. PeckShield recommends that the relevant law enforcement agencies introduce new regulatory tools and technologies to curb money laundering with virtual currencies more effectively.
As of September 6, CoinHolmes has observed movement at the attacker's BTC address, with a total of 90 BTC transferred out. CoinHolmes will continue to monitor the movement of the stolen crypto assets.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/attackers-work-hard-to-quickly-explain-the-decentralized-tool-whitewashing-liquid-stolen-more-than-90-million-us-dollars/