MistTrack AML, the Swiss army knife of Anti-Money Laundering tools

SlowMist
7 min read · Feb 11, 2022

With the rise in popularity of crypto projects, incidents in crypto have risen as well. DeFi protocols, cross-chain bridges, NFT projects and exchanges have all seen their fair share of losses. In this article, we will go over how some of these hacks occurred and how to track down the stolen funds. Due to the nature of crypto, it is often associated with money laundering. With new regulations, recent improvements in AML (anti-money laundering) software and the transparent nature of the blockchain, it has become easier to track and identify these transactions.

Using our MistTrack AML system, we will review two incidents from last year to understand how the attackers attempted to launder the stolen funds and where the funds ended up.

XSURGE Incident

At 3:13 AM on August 17, 2021, XSURGE released a statement regarding a vulnerability discovered in the SurgeBNB token. It stated that since the SurgeBNB contract is immutable and ownership had been renounced, there was no way to patch the token. Users were strongly advised to migrate out of SurgeBNB as soon as possible, as the exploit could be triggered at any time.

Unfortunately, by 3:59 AM the XSURGE team had confirmed an attack. These were the related addresses:

Additional addresses involved in the incident:

Fund Flow Analysis

The incident was caused by a reentrancy vulnerability in the sell function of the contract. This allowed the hacker to obtain additional SURGE tokens for arbitrage. Let's look at how they got away with the funds and where those funds are now.

Take the contract created by attacker 1 as an example:

Attacker 1 first created a contract at 19:39:29 (UTC) on August 16th on BSC (Binance Smart Chain). They borrowed 10,000 BNB via a flash loan and used arbitrage to obtain 12,161 BNB. Next, they repeated the same process with five other contracts, making 13,112 BNB.

The attacker immediately proceeded to transfer the funds to separate wallets before finally depositing them into an exchange. Let's see how they accomplished this.

First, they split over 13,000 BNB and hundreds of ETH across the 30 different addresses listed in Table 1.

Table 1

Using blockchain analysis, we were able to see what each individual address did:

1. Some exchanged BNB for ETH and transferred it to Binance, either directly or in batches.

2. Others moved the funds through various new addresses before exchanging them for ETH and transferring it to Binance.

3. If an address already held ETH, it was transferred directly to Binance.

After reviewing all the transactions from the 30 addresses, over 13,112 BNB worth of funds had been transferred to Binance.

Some food for thought: it is not difficult to see how the hacker tried to launder these funds. They first transferred them to multiple wallets, created layers of transactions, exchanged them for other assets, and finally deposited them into exchanges. Even though the funds now sit in a centralized exchange, Binance on its own has no clue they were stolen. That is why exchanges (decentralized and centralized) must work together to share information. That is the only way to recover stolen funds.
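The split, swap and deposit pattern described above, traced from the attacker's address with a small fund-flow script. This is an added example written for this article, not MistTrack code or anything from the original post; the ledger, wallet names and label table are constructed, and the same breadth-first trace applies to the bridged flows in the StableMagnet case below.

```python
from collections import defaultdict, deque

# Constructed sample ledger, not real XSURGE transactions: (sender, receiver, asset,
# amount). A hop whose asset differs from the previous hop stands for a DEX swap.
LEDGER = [
    ("attacker", "w1", "BNB", 5000),
    ("attacker", "w2", "BNB", 4000),
    ("attacker", "w3", "BNB", 4112),
    ("w1", "cex_dep_1", "BNB", 5000),       # straight to the exchange
    ("w2", "w2b", "BNB", 4000),             # one extra layer first
    ("w2b", "cex_dep_2", "ETH", 15),        # swapped to ETH, then deposited
    ("w3", "w3b", "BNB", 2000),
    ("w3", "w3c", "BNB", 2112),
    ("w3b", "cex_dep_1", "ETH", 7),         # swapped, then deposited
    ("w3c", "dex_router", "BNB", 2112),     # trail ends at an unlabelled address
    ("innocent", "cex_dep_1", "BNB", 100),  # unrelated deposit to the same address
]
LABELS = {"cex_dep_1": "Binance", "cex_dep_2": "Binance"}  # constructed label table


def trace(origin, ledger, labels):
    """BFS over outgoing transfers from origin. Returns (tainted, sinks): every
    address the funds touched, and per sink its shortest path, hop assets, label."""
    out = defaultdict(list)
    for sender, receiver, asset, _ in ledger:
        out[sender].append((receiver, asset))
    sinks, tainted = {}, {origin}
    queue = deque([(origin, [origin], ())])
    while queue:
        addr, path, assets = queue.popleft()
        if addr != origin and not out[addr]:        # no onward transfers: a sink
            sinks[addr] = {"hops": len(path) - 1, "path": path, "assets": assets,
                           "label": labels.get(addr, "unlabelled")}
            continue
        for nxt, asset in out[addr]:
            if nxt not in tainted:                  # first visit = shortest path
                tainted.add(nxt)
                queue.append((nxt, path + [nxt], assets + (asset,)))
    return tainted, sinks


def deposits_at(label, ledger, tainted, labels):
    """Per-asset totals that tainted addresses sent to label's deposit addresses,
    ignoring unrelated senders that happen to share those addresses."""
    totals = defaultdict(float)
    for sender, receiver, asset, amount in ledger:
        if sender in tainted and labels.get(receiver) == label:
            totals[asset] += amount
    return dict(totals)
```

Unlabelled sinks such as `dex_router` are where a tracker's label database, or cooperation with the receiving platform, has to take over.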

Let’s look at another incident:

StableMagnet Rugpull

In the early morning of June 23rd, 2021, an AMM (automated market maker) project named StableMagnet rug-pulled over $24 million from its users. Before the incident, some users had even received warnings from anonymous groups suggesting this would happen; however, no action was taken. Along with the rug pull, the team shut down all of its websites and social media accounts. Afterward, users launched an investigation with the help of blockchain security experts and the Binance exchange.

The address in question: 0x8bea99d414c9c50beb456c3c971e8936b151cb39.

Rugpull Fund Flow Analysis

After a quick analysis, it was discovered that this project had been created for a rug pull from the start. The contract had a backdoor in a function of the SwapUtils library that allowed the team to take funds directly from the pool. Let's look at how it started.

Based on the above transaction, the project stole over $8 million in BSC-USD pairs, over $7.2 million in USDC, and $7 million in BUSD. Once they had access to these funds, they immediately began transferring them.

Let’s see how they tried to hide the funds:

We can see that they exchanged $1,137,821 of BUSD for $1,137,477 worth of BSC-USDC, and $781,878 of BUSD for $781,457 worth of BSC-USDC.

The funds were then distributed as BUSD, USDC, and BSC-USD in equal amounts to the following addresses in Table 2:

Table 2

Once these funds were separated, some were exchanged, some were moved to other blockchains and some were sent directly to Binance. Let’s look at what they did with each asset.

BUSD

According to blockchain analysis, some of the BUSD in Table 2 was exchanged for 91 anyBTC and bridged to address A (bc1…gp0).

Some was exchanged for 60 anyBTC and bridged to address B (bc1…kfu).

USDC

Some of the USDC in Table 2 was exchanged for anyETH and then bridged to these five addresses.

Another portion of the USDC in Table 2 was exchanged for anyETH and then bridged to these five addresses.

Next, the ETH was transferred to address C (0xfa9…d7b) and address D (0x456…b9f).

From these two addresses, a small amount was transferred to the addresses in Table 1, and most of it was transferred to Tornado.Cash.

USDT was exchanged for DAI; part of it was transferred to new addresses, and part of it was transferred to the mixing platform Tornado.Cash.

BSC-USD

The BSC-USD listed in Table 2 was transferred directly to Binance in batches.

The Recovery

A few days after the incident, Binance and the investigating team provided evidence that the suspect in question might be hiding in Hong Kong. Even though the suspect was given a chance to cooperate, they refused. The victims then turned the evidence over to the Hong Kong and United Kingdom authorities. The British police took immediate action and proceeded with the case. The suspect was apprehended through all parties working together, and 90% of the funds were recovered. This was the first case in which victims of a DeFi attack had their funds returned with the help of the authorities.

Afterthoughts: it is easy to see a pattern for laundering crypto — services like Tornado.Cash, DeFi platforms, and some no-KYC exchanges are favorite places to launder crypto. With the help of the British authorities, most of the funds were recovered in this incident. As the crypto space grows, we must continue to regulate and provide support to law enforcement agencies so that funds can be recovered from attacks like this in the future.

Summary

Based on the incidents above, it seems that Binance is the favored exchange among hackers. As the world's leading crypto exchange, Binance has received criticism from countries around the world. That is why, on August 6, 2021, Binance CEO Changpeng Zhao tweeted that the exchange would shift to a more active approach to compliance and regulation. It also launched a series of security policies to support this move.

As an industry-leading security company, we pay close attention to every incident. All addresses related to an incident are collected and stored in our private database, which keeps the information in our AML system up to date. At present, our malicious address library contains hundreds of thousands of addresses and millions of tags for those addresses. This ensures that the most comprehensive AML system is available to help our clients.

Our MistTrack AML system monitors on-chain activity and reports it in real time. If you wish to learn more about this product, please feel free to reach out to our team for a free demonstration.

SlowMist

SlowMist is a blockchain security firm established in 2018, providing services such as security audits, security consulting, red teaming, and more.