MistTrack Case 01 — TornadoCash Withdrawal Analysis
This series is a case study of the MistTrack investigate service.
Hackers attacked a project and transferred all stolen funds to TornadoCash, prompting the project party to seek assistance from MistTrack.We discovered the withdrawal address set by performing an analysis of TornadoCash transactions and demixing the funds from other users. After a few days of waiting, some of the stolen funds were finally transferred to an exchange. We sent an on-chain message to the hacker’s withdrawal address, requesting the return of stolen funds or facing legal action. The stolen funds were returned to the team within nine hours.
MistTrack played a vital role in Case 01 by following the following steps:
1. Establish Trust Between Parties
2. Tracking of Stolen Funds
3. Hacker Profile Analysis
4. TornadoCash Withdrawal Analysis
5. Monitoring of TornadoCash Withdrawals
6. On-chain Communication
7. Enforcement agency involvement and support when necessary
Tracking of Stolen Funds
After receiving the team’s request for assistance, we immediately started an investigation and analysis into this incident.
During our analysis, we concluded that all stolen funds were transferred to TornadoCash.
Hacker Profile Analysis
MistTrack’s analysis of the hackers profile based on these key points.
- Gas fee souce
- Tools used
- Operational timeline
- Hacker profile
- Pre-attack analysis
The initial funding from this attack originated from TornadoCash, as you can see below.
To avoid detection, stolen funds are frequently swapped, bridged, or even laundered using sophisticated techniques. This can be done with a variety of tools, such as xxSwap, etc., before it’s deposited to TornadoCash.
TornadoCash Withdrawal Analysis
Based on the information provided above, the TornadoCash Withdrawal Analysis is the key that Case 01 was able to solve.
The tool depicted below is used in the withdrawal analysis process. It aided in the sorting of TornadoCash withdrawal addresses that meet the filtering criteria.
After obtaining the list of withdrawal addresses, we classified the withdrawal addresses by the following characteristics:
- Active time period
- Gas price distribution
- Interaction with similar platforms
- Withdrawal address patterns
- Withdrawal amount distribution
In one of our classifications, we found that it shared similar characteristics:
- Used similar platforms — xxSwap
- Same active period as the hacker addresses
- Consistent with the amount deposited by hackers to TornadoCash
More importantly, one of the withdrawal addresses was associated with the original hacker’s address. Thus giving us proof these addresses were related to the hacker.
Monitoring of TornadoCash Withdrawals
We immediately notified the involved parties of all relevant TornadoCash withdrawal addresses, and used our MistTrack AML monitoring system to alert us of any further activity.
After a few days of monitoring, we received an alert informing us that the hackers had sent a portion of the stolen funds to an exchange after transferring them to various wallets. We immediately contacted the victim to discuss the best course of action. We advise the team to reach out to law enforcement agencies for support and assist the project in sending an on-chain message to the hacker. Message: “Refund the stolen funds within 48 hours and retain a portion as bug bounty, or we will continue our investigation and take legal action with the assistance of law enforcement.” Throughout the entire process, we provided law enforcement with evidence and continuously monitored all addresses involved.
Within 9 hours of sending the hacker an on-chain message, the majority of the team’s stolen funds had been returned.