This time the topic is the mixer Tornado.Cash.
Tornado.Cash has become more and more “famous” as thefts by hackers have intensified: after cashing out, most hackers send their “dirty coins” straight to Tornado.Cash. We have discussed Tornado.Cash’s anonymity in SlowMist AML: “Uncovering” Tornado.Cash’s Anonymity. Today, let’s take a real case and see how a hacker laundered money through Tornado.Cash.
Tornado.Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between source and destination addresses. It uses smart contracts, one pool per fixed denomination (for example 10 ETH or 100 ETH), that accept deposits of ETH or other tokens from one address and allow withdrawal to a different address. Each pool mixes all deposited assets. When you deposit, a private note (a random secret and nullifier) is generated locally, and only its hash, the commitment, is recorded on chain, proving that a deposit was made. To withdraw, you present a zero-knowledge proof that you know a note matching one of the pool’s commitments, without revealing which one; the contract pays the fixed denomination to whatever recipient address you specify and records the note’s nullifier hash so the same note cannot be withdrawn twice. The same user can withdraw to as many different addresses as they made deposits. Because the chain itself carries no link between a deposit and a withdrawal, tracing has to rely on what the cryptography does not hide: the fixed denominations, timing, and the behavior of the addresses before and after the pool.
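To make the mechanism above concrete, here is a simplified model of a fixed-denomination pool. It is an added example, not the Tornado.Cash contract or circuit, and it makes two labelled simplifications: SHA-256 stands in for the Pedersen hash the real pool uses, and the pool recomputes the commitment from the note where the real contract verifies a zero-knowledge proof and never sees the note. The `Pool` class, `on_chain_link` helper and the 0xHACKER/0xFRESH addresses are all constructed for illustration. What it shows is the public data flow: a deposit publishes only a commitment, a withdrawal publishes only a nullifier hash and a recipient, and nothing recorded on chain ties the two together.

```python
"""Simplified model of a Tornado.Cash-style fixed-denomination pool (added example)."""
import hashlib
import secrets

DENOMINATION = 100  # one pool per fixed amount, e.g. "Tornado.Cash: 100 ETH"


def h(*parts: bytes) -> str:
    """Stand-in for the Pedersen hash used by the real pool (assumption)."""
    return hashlib.sha256(b"".join(parts)).hexdigest()


def make_note() -> dict:
    """The private credential: generated locally by the depositor, never sent on chain."""
    return {"nullifier": secrets.token_bytes(31), "secret": secrets.token_bytes(31)}


def commitment(note: dict) -> str:
    """The only thing a deposit publishes."""
    return h(note["nullifier"], note["secret"])


def nullifier_hash(note: dict) -> str:
    """The only note-derived value a withdrawal publishes."""
    return h(note["nullifier"])


class Pool:
    """What the chain records: commitments from deposits, nullifier hashes from withdrawals."""

    def __init__(self):
        self.commitments = []   # (depositor, commitment); a Merkle tree in the real contract
        self.spent = set()      # nullifier hashes already used
        self.withdrawals = []   # (nullifier_hash, recipient)

    def deposit(self, sender: str, commit: str) -> None:
        self.commitments.append((sender, commit))

    def withdraw(self, note: dict, recipient: str) -> int:
        # Real contract: verify a zk-SNARK over (merkle root, nullifier_hash, recipient).
        # Here the note itself is checked (assumption); the real chain never learns it.
        if commitment(note) not in {c for _, c in self.commitments}:
            raise ValueError("no matching deposit")
        nh = nullifier_hash(note)
        if nh in self.spent:
            raise ValueError("note already spent")
        self.spent.add(nh)
        self.withdrawals.append((nh, recipient))
        return DENOMINATION


def on_chain_link(pool: Pool, recipient: str) -> list:
    """Search the public record for a depositor tied to `recipient`.
    The nullifier hash is a hash of different data than the commitment, so the
    only join an analyst could attempt on chain data returns nothing."""
    nhs = {nh for nh, r in pool.withdrawals if r == recipient}
    return [sender for sender, c in pool.commitments if c in nhs]


if __name__ == "__main__":
    pool = Pool()
    note = make_note()
    pool.deposit("0xHACKER", commitment(note))   # constructed addresses
    print(pool.withdraw(note, "0xFRESH"))
    print(on_chain_link(pool, "0xFRESH"))
```

The point for the rest of this article: the pool's own records give an analyst nothing to join on, which is why the tracing below works from denomination, timing and what the withdrawal addresses do next rather than from the contract state.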
What I want to analyze today is a real case. When the victim platform contacted us (the details cannot be disclosed), the stolen funds on all three chains, Ethereum, BSC and Polygon, had already been moved to Tornado.Cash by the hackers, so we mainly analyze the Tornado.Cash part.
(To protect the victim platform, the addresses in this article have been partially redacted.)
With the help of the SlowMist MistTrack anti-money-laundering tracking system, we first perform a general feature analysis of the addresses.
From the results we can see that the counterparties the hackers use most are bridges and mixers, which is very important for building a profile of the hacker.
Next, we analyze the funds and behavior on Ethereum in depth. According to MistTrack, the hackers transferred 2450 ETH to Tornado.Cash in batches, as 5×10 ETH + 24×100 ETH, and sent a further 198 ETH to FixedFloat. Here we keep our attention on the Tornado.Cash part.
Since we want to trace the addresses the hacker withdrew to from Tornado.Cash, we have to start from the time the first funds on Ethereum were deposited. We found that the time span between the first 10 ETH deposit and the second is large, so we start instead with the 100 ETH deposits, whose time span is small.
We locate the transactions of the Tornado.Cash: 100 ETH contract and find many addresses receiving withdrawals from it. Using MistTrack we filter for the addresses that match the timeline and transaction characteristics. Many addresses remain and require further analysis, but the first address that looked suspicious to us, (0x40F…952), soon appeared.
According to MistTrack, the address (0x40F…952) forwarded the ETH it received from Tornado.Cash to the address (0x8a1…Ca7), which then split the ETH into three transfers to FixedFloat.
Of course, this may be a coincidence, so we need to keep verifying.
Continuing the analysis, we find that three addresses share the same characteristics:
A → B → (multiple transfers) FixedFloat
A → (multiple transfers) FixedFloat
With this pattern as evidence, we screened the addresses that match it and found exactly 24, matching the 24 deposits of 100 ETH and in line with our assumption.
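The two filters applied above, the timeline filter on the pool's withdrawals and the A → B → service / A → service forwarding pattern, can be written down as a small tracing script. The following is an added example, not MistTrack or SlowMist code, and it generalises the pattern to any labelled service rather than FixedFloat only, which is also how the Polygon and BSC sections below differ from the Ethereum one. Every address, label, timestamp and transaction in it is constructed sample data; the redacted addresses in the article are not used. `LABELS` plays the role of MistTrack's address tags, `timeline_candidates` and `forwarding_pattern` are the two filters, and `trace` combines them.

```python
"""Heuristic tracing of withdrawals from a Tornado.Cash pool (added example)."""
from collections import defaultdict

# Service labels, in the role MistTrack's address tags play (constructed).
LABELS = {"0xFF01": "FixedFloat", "0xFF02": "FixedFloat", "0xSS01": "SimpleSwap"}

# Hacker deposits into the pool as (timestamp, amount). Constructed.
DEPOSITS = [(1000, 100.0), (1100, 100.0), (1200, 100.0)]

# All withdrawals from the pool as (timestamp, recipient), other users included. Constructed.
WITHDRAWALS = [
    (900, "0xW0"),    # before the first deposit: cannot be the hacker's
    (1300, "0xW1"),
    (1400, "0xW2"),
    (1500, "0xW3"),
    (1600, "0xW4"),
    (9000, "0xW5"),   # long after the deposits
]

# Follow-on transfers as (timestamp, from, to, amount). Constructed.
TRANSFERS = [
    (1310, "0xW1", "0xFF01", 33.3), (1311, "0xW1", "0xFF01", 33.3), (1312, "0xW1", "0xFF02", 33.3),
    (1410, "0xW2", "0xB2", 99.9),
    (1420, "0xB2", "0xFF01", 50.0), (1421, "0xB2", "0xFF01", 49.8),
    (1510, "0xW3", "0xB3", 99.9),   # ends at an unlabelled address: no pattern
    (1610, "0xW4", "0xSS01", 99.9),
]


def timeline_candidates(withdrawals, deposits, window):
    """Recipients of withdrawals made after the first deposit and no later than
    `window` seconds after the last one."""
    first = min(ts for ts, _ in deposits)
    last = max(ts for ts, _ in deposits)
    return [to for ts, to in withdrawals if first <= ts <= last + window]


def forwarding_pattern(addr, transfers, labels, max_hops=2):
    """Breadth-first walk of at most `max_hops` outgoing hops from `addr`.
    Returns {'hops', 'service', 'transfers'} for the first labelled service reached
    (hops=1 is A → service, hops=2 is A → B → service), or None if none is reached."""
    out = defaultdict(list)
    for _, src, dst, _ in transfers:
        out[src].append(dst)
    frontier, seen = [(addr, 0)], {addr}
    while frontier:
        node, hops = frontier.pop(0)
        if hops >= max_hops:
            continue
        services = [labels[d] for d in out[node] if d in labels]
        if services:
            svc = services[0]
            return {"hops": hops + 1, "service": svc, "transfers": services.count(svc)}
        for d in out[node]:
            if d not in seen:
                seen.add(d)
                frontier.append((d, hops + 1))
    return None


def trace(withdrawals, deposits, transfers, labels, window):
    """Withdrawal recipients that pass both filters, keyed by address."""
    matches = {}
    for addr in timeline_candidates(withdrawals, deposits, window):
        pattern = forwarding_pattern(addr, transfers, labels)
        if pattern:
            matches[addr] = pattern
    return matches


def describe(addr, pattern):
    """Render a match in the article's A → B → (n transfers) Service notation."""
    hop = "B → " if pattern["hops"] == 2 else ""
    return f"{addr} → {hop}({pattern['transfers']} transfers) {pattern['service']}"


if __name__ == "__main__":
    found = trace(WITHDRAWALS, DEPOSITS, TRANSFERS, LABELS, window=600)
    for a, p in found.items():
        print(describe(a, p))
    # The consistency check the article relies on: match count against deposit count.
    print(f"{len(found)} matches for {len(DEPOSITS)} deposits")
```

Two caveats a practitioner should keep in mind. The filters are heuristics: an unrelated user who withdrew in the same window and also cashed out through the same swap service would pass both, so the count check (24 matches for 24 deposits in the case above, 3 for 3 in the sample data) is a consistency test, not proof, and the window and hop limit are analyst choices that trade false positives against misses. Also, the withdrawal amount is slightly below the denomination because of the relayer fee, which is why the sample transfers forward 99.9 rather than 100.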
Now the Polygon part. As shown in the figure below, the hacker transferred part of the 365,247 MATIC of profit to Tornado.Cash in 7 transactions.
The remaining 25,246.722 MATIC was transferred to the address (0x75a…5c1). Tracing that part of the funds, we found the hacker sent 25,246.721 MATIC on to FixedFloat, which made us wonder whether the hacker would launder in the same way on Polygon.
We first locate the Tornado: 100,000 MATIC contract and the withdrawals corresponding to the last three deposits in the figure above. This time there are not many addresses receiving from the Tornado.Cash contract, so we can analyze them one by one.
Very quickly we found the first address we considered suspicious, (0x12e…69e), and saw the familiar FixedFloat address again. Not only had FixedFloat sent MATIC to (0x12e…69e), but the addresses that received funds from (0x12e…69e) also sent MATIC on to FixedFloat.
Analysis of the other addresses found the same laundering method, so we won’t repeat it here. From the analysis so far, the hacker seems to have a special preference for FixedFloat, and that preference has become a handle by which to catch him.
Now let’s analyze the BSC part. There are two hacker addresses on BSC; first, the address (0x489…1F4):
This hacker address transferred 1700 ETH to Tornado.Cash in 17 transactions within a fairly consistent time range. Just when we thought the hacker would repeat the trick, it turned out otherwise. As before, after MistTrack’s screening for addresses matching the timeline and transaction characteristics, we worked through them one by one.
During the analysis, the address (0x152…fB2) caught our attention. As shown in the figure, according to MistTrack, it forwarded the ETH it received from Tornado.Cash to SimpleSwap.
Continuing the analysis, we found that although the hacker had changed platform, the characteristics of the method were still similar to those seen on Ethereum.
The other hacker address (0x24f…bB1) sent funds to Tornado.Cash in units of 10 BNB.
For this address the hacker chose yet another platform, but the method is still similar, so we do not analyze it further here.
This article started from a real case and analyzed how the hacker tried to use Tornado.Cash to wash stolen funds on different chains. The laundering method was very similar on each chain, and its main feature is that after funds are withdrawn from Tornado.Cash they are sent, either directly or through one layer of intermediate addresses, to commonly used instant-swap platforms (FixedFloat/SimpleSwap/Sideshift.ai). Of course, this is only one of the ways to launder money through Tornado.Cash, and more methods are still waiting to be discovered.
If you want to analyze more efficiently and accurately, you need tools. With over 200 million wallet address labels, the SlowMist MistTrack anti-money-laundering tracking system can identify the various wallet addresses of mainstream trading platforms around the world, such as user deposit addresses and warm, hot and cold wallet addresses. MistTrack can perform feature analysis and behavioral profiling of any wallet address, which provides strong technical support for anti-money-laundering analysis and assessment.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/on-chain-tracking-tornado-cash-of-popular-science-of-money-laundering/