Not too long ago, we published an article in regards to the Bitfinex incident. It mentioned how the stolen funds were laundered using a technique called peel chain. We received lots of questions about this method and how it works, so we decided to write an educational piece to inform our readers. In this article, we will go over what the peel chain method is and how it was used to launder stolen funds.
What is peel chain
Peel chains are a method of laundering large sums of cryptocurrency through a series of transactions. The stolen funds are often split into two separate addresses, peeling off a small amount each time they’re transferred. This process is repeated over and over until it reaches its final destination.
Peel Chain in action
We will be using our AML (Anti-Money Laundering) system MistTrack to analyze how the peel chain method was used to launder the stolen funds from the Bitfinex incident.
Some background info on the Biffinex incident: on August 3, 2016, Bitfinex suffered from an exchange hack, resulting in the loss of 119775 Bitcoins. At the time of the incident, it was only worth around $60 million, but it is worth over $4.5 billion today. The stolen funds were initially deposited into 2072 different addresses, which were marked with MistTrack as shown below:
The stolen funds remain untouched until January of 2017. It then started to slowly transfer out of these wallets using the peel chain method. We’ll start with one of these addresses and track the transfer of funds along the way.
Starting with this address 19Xs96FQJ5mMbb7Xf7NXMDeHbsHqY1HBDM:
According to MistTrack, almost 30 BTC were transferred from the exchange to this address. It was then sent through two other addresses before landing at a third (3CA… AcW) address to begin the peeling process.
Peeling process
Looking at the flowchart below, we can see that the address (3CA…AcW) started the peeling process by sending the funds into address 1 and 2.
Address 3CA…AcW -> 30.6675
Address 1 -> 2.27 btc
Address 3 -> 0.165 btc
Address 5 -> 0.0385 btc
Address 6 -> 0.1262 btc
Address 4 -> 2.1107 btc
Address 7 -> 0.3877 btc
Address 8 -> 1.7227 btc
Address 2 28.39 btc
Following that, each address branched off into two new addresses, repeating the peeling process until it reached the designated address.
Identifying Wallets
Zooming out, we can see the hacker was very malticulate in the peeling process. Most of these funds were transferred multiple times before arriving at the designated address.
Each wallet created two additional wallets that slowly shaved off a small portion with every transfer. The funds from address 1 eventually ended up in cold storages, Wasabi wallets( Bitcoin privacy wallet), or Hydra market( Russian darknet market).
Let’s look at how the peel chain is used for larger transactions. This time we will be following this address : 1BprR3VRh8AsJVXFR8uNzzZJnyMhF1gyQE
According to the Bitcoin explorer, over 271.22 BTC was transferred to this address from the incident. Let’s see what happened next, we’ll be following the larger branch of transfers in this example as well.
Each wallet branched off into two additional wallets, peeling off a small amount with every transfer. We had to omit some transactions since there was a large number of transfers.
This process continued until it was down to about 1 btc that was deposited into Hydra Market. As you can see how one address can branch into hundreds of transactions and wallets using this method.
In the end, the peel chain technique usually contains the following characteristics:
-Usually start with a single address with stolen funds
- Continuously gets split into two new addresses, one large, one small
- Final deposits are usually cold storage, exchanges, darknet markets, or privacy wallets
Summary
Hackers frequently use the peel chain method due to its complexity. When done right, the small amounts transferred into exchanges rarely raise any red flags. This also makes it extremely difficult to track down.
Most complex and lengthy Peel Chains techniques are facilitated with programs to automate the process. However, we can also use scripts and tracking tools for situations like this. That is why we created MistTrack, an anti-money laundering tracking system under the SlowMist AML umbrella. It also contains a database of over 100,000 malicious addresses across various blockchains as reference. These tools were developed to assist exchanges, individuals, and the blockchain community to track and monitor stolen funds in real time.
