MistTrack Analysis of the $90 Million Stolen from Liquid Exchange

On August 19, 2021, the Japanese crypto trading exchange Liquid reported being a victim of a cyberattack. Over $90 Million in cryptocurrencies were stolen from their hot wallet as a result of this incident. The hacker was able to withdraw over 70 different cryptocurrencies such as Btc, Eth. Trx, etc.

According to our MistTrack AML, Over $4.6 million were stolen in BTC, $32.16 million in ETC, 42.9 million in ERC-20 tokens, $230,000 in TRX, $1.6 million in TRC-20 tokens and over $10.9 million in XRP. These values were based on the day of the incident.

We will be tracking these incidents into the following blockchains, Bitcoin, Ethereum, Tron and XRP blockchain.

MistTrack Analysis of Bitcoin Funds

According to the MistTrack analysis, we notice that the hacker tried to use the peel chain method to hide the funds. It’s a technique used to launder a large amount of crypto through a series of small transactions until eventually, it’s transferred to an exchange or cold wallet.

Take the attacker address (1Fx…f7q) as an example

Over 107.5 BTC was transferred to this address (1Fx…f7q) from Liquid exchange. It was then transferred to 7 different addresses in the amounts listed below.

We created this flow chart to show how this peel chain method works. We started with the address (1Ja…rGs) and tracked down some addresses connected to it.

Following the red box above, we continued to track some of these transactions until it’s deposited into an exchange or no further transactions. Again these are some of the transaction, not all.

As you can see, using this method, the hacker left .0027 BTC in this address (1aB…yDD), while 0.0143 BTC was deposited into a Kraken exchange.

The hacker repeated this process with other BTC wallets he controls, never connecting it directly to the original wallets. MistTrack will continue to monitor, tag, and record all wallets associated with this incident.

MistTrack Analysis of Ethereum Funds

After an in-depth analysis of several addresses in the above figure, the SlowMist AML team summarized several ways that attackers deal with ETH/ERC20 tokens.

1.Some of the ERC-20 tokens from the various wallets were first sent to exchanges like Uniswap, Sushi, etc. It was then exchanged for ETH and finally deposited into the first address (0x5…946).

2.Some ERC-20 tokens were sent directly to trading platforms, while others were sent directly to the first address (0x5…946) and remind there.

3.The attacker then proceeded to send ETH from address1 (0x5…946) in various amounts to multiple addresses before finally depositing a total of 16,000 ETHs into Tornado.Cash.

Over 538.27 ETH remained in address2 (0xEFB…b53).

4.We tracked some of the deposit into Tornado.Cash and match them with large transactions that were withdrawal in the same time frame. We concluded that 5,600 ETH were transfer to six different ETH addresses.

Out of the 5,600 ETH, 5,430 ETH were deposited to these three accounts below:

Most of the funds from three address were exchanged for renBTC and the bridged to the Bitcoin network. Then using the peel chain method to not raise any red flags.

Transactions from one of the address (0xC4C…7Fe):

Using MistTrack analysis, we track down one of the address (14N…13H) on the Bitcoin blockchain after the bridge. This address started out with 87.7 BTC, but using the same pee chainl method, they were made smaller after a series of transactions and deposited into a wallet generated by Wasabi.

MistTrack Analysis of Tron Funds

Tron Address: TSpcue3bDfZNTP1CutrRrDxRPeEvWhuXbp

According to MistTrack, all of the TRC-20 funds were exchanged for TRX and then eventually sending all funds in a series of transaction to Huobi and Binance.

MistTrack Analysis of XRP Funds

XRP address: rfapBqj7rUkGju7oHTwBwhEyXgwkEM4yby

A total of 11,508,495 XRP were transferred to three addresses from this incident. Details below.

These funds were then transfer to Binance, Huobi and Poloniex exchange.

Summary

During this incident, the attacker stole over 70 different cryptocurrencies from Liquid exchange and applied various money laundering techniques to hide their trail. However, thank to our MistTrack AML system we were still able to track down these funds do exchanges or other crypto mixing platforms.

According to our MistTrack analysis, majority of the funds are still in the hands of the attacker. The following were transferred to centralized trading platforms.

TRX: 21,244,326.3

XRP: 11,508,516

ETH address1 (0x5…946) currently still has 8.9 ETH and a variety of ERC-20 tokens worth nearly $5.4 million. ETH address2 (0xe…b53) was untouched and still has 538.27 ETH. We will continue to monitor these address and report any suspicious activites.

As the crypto industry continues to grow, so will the exploits in this space. Hackers can try their best to cover their tracks, but they’re no match for our AML system MistTrack. By integrating the this system with their platform, it can be notified instantly of any stolen fund. Thus preventing the project from engaging in any money laundering activity as well as staying vigilant of suspicious activities.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SlowMist

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.