Crypto Compliance Series: How funds are laundered without mixing platforms

There are different mixing platforms for different networks, such as Wasabi for Bitcoin and Tornadocash for Ethereum. These platforms are used by money launders to hide their funds from the public. However, not every network has these platforms. Today we will investigate how funds are laundered on the Tron network using a previous incident.

About TRON

TRON is a blockchain-based decentralized digital platform with its own cryptocurrency, called Tronix or TRX. TRON was founded in 2017 by a Singapore non-profit organization named the TRON Foundation, led by CEO Justin Sun. Their goal is to become a host for a global entertainment system that is cost-effective in sharing digital content. In 2019, USDT was introduced to the TRC-20 protocol on TRON, and TRC20-USDT was born.

Case Study

The unfortunate victim contacted us after realizing he imported his private key to a counterfeit wallet app and lost 5,326,747 in USDT or over $5.3 million.

Hackers Address:

TDs3USWcG5ua4jkGNMGgNZrXrPgw8UMMCt

We will begin this investigation by performing general analysis of the address using our anti-money laundering tracking tool, MistTrack.

https://misttrack.io/

Looking at the hackers’ accounts as a whole, we can see that they utilized them for both transfers and swaps. You’ll learn later that they even appear to have a strong preference for one particular exchange. At the same time, we can draw some judgments regarding their active time periods based on the transaction time frames.

Part I

Let’s look at some transactions. According to MistTrack, the hackers moved the stolen USDT to six different addresses and exchanged them using JustSwap (now renamed SunSwap).

They also used this address to directly exchange 73 USDT for 684.76 TRX.

There are six addresses that received funds from the hackers’ address, but we’ll focus on TGF…TA7 for now. After this address received 2,663,373.5 in USDT, it converted to TRX through JustSwap. It was then transferred to the address TUe…F7g in six separate transactions.

This process was repeated for the remaining five addresses that received funds from the hacker’s address.

Part II

Continuing our investigation, let’s focus on the address TAn…Fe7 for now. They transferred 75 TRX to TJa…5Zq and transferred 65.6 TRX from their to TQ8..Cv7.

The remaining 5,064,327.58 TRX was transferred to JustSwap and exchanged for 526,850.6 USDT before finally being transferred to the address TJa…5Zq.

Next, TJa…5Zq transfers USDT to the address TQ8…Cv 7 and it proceeds to transfer USDT to two new addresses.

After conducting a thorough investigation of the two new addresses, we discovered a whale wallet with a signification amount of funds as well as numerous transactions. Several transactions involved transfers to exchanges like Binance, Gateio, MEXC, ZB, Huobi, and OKX. We believe these addresses belong to professional money launderers based on our experience and the behaviors of these transactions.

Part III

After analyzing five addresses from Part I I , most of the funds was laundered the same way as above. However, the last address TUe…F7g was slightly different than before.

Instead of transferring to the same address after converting TRX back to USDT, they decided to break it up into six different addresses.

However, it wasn’t that much different than before. Take TRo…2EN from one of the receiving addresses as an example: This address converts USDT to TRX again, and transfers it to the address TXQ…oZm again. Sound familiar?

TXQ…oZm swaps TRX to USDT, transfers it to TEC…41q (yes, it was swapped again using JustSwap), and finally arrives as USDT to the whale address listed above. The same method was used for other addresses.

The hackers had continuously exchanged the stolen USDT back and forth with TRX to avoid tracking. Although they tried their best to hide their track, we can still trace the origin of the hacker’s account with the exchange address involved.

Summary

The purpose of this article is to expose techniques used by hackers to launder their illicit funds. During this incident, a hacker on the Tron network continuously swapped USDT and TRX back and forth to make it difficult to track. However, everything is recorded on the blockchain, all it took was some elbow grease.

It also helped that we were able to investigate this incident using MistTrack. MistTrack uses on-chain analytics to create transaction flow charts, making it easier to conduct investigations. It also contains a database of over 200 million addresses that’s been tagged. These tags included addresses belonging to top exchanges around the world, thousands of entity addresses, hundreds of thousands of threat intelligence data, and over 90 million addresses associated with malicious activity.

We decided to release MistTrack to the public recently, you can sign up at https://misttrack.io/ and use it for free.

--

--

--

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Difference between XSS and CSRF attacks

Bling airdrop

How to Protect your Website against Content Theft?

The #bounty program is running on #GameJetNetwork

Abusing ACL Permissions to Overwrite other User’s Uploaded Files/Videos on s3 Bucket

A look at Civil Society Organisations in Tanzania & Cyber Security. Part TWO.

Block all Ads with a Pi-Hole

{UPDATE} Цветоблоки Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SlowMist

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

More from Medium

Aave V3’s Price Oracle Manipulation Vulnerability

Optimism Smart Contract Breakdown

Tutorial 1. Part 3.

Diamonds Are a Proxy’s Best Friends