MistTrack Case 02: Wasabi Coinjoin Withdrawal Analysis

SlowMist
May 23, 2023

Background

A prominent wallet’s private key was compromised and the stolen funds were subsequently transferred into the Wasabi obfuscation tool for transaction mixing. The victim sought assistance from our MistTrack team (https://misttrack.io/). The team performed a withdrawal analysis of the stolen funds mingled within the Wasabi Coinjoin, successfully tracing and recapturing the flow of funds. Later, the hacker initiated cross-chain transactions with the funds. The MistTrack team discovered historical traces of the hacker’s address moving funds to an exchange, prompting them to assist law enforcement in contacting the exchange, submitting requests for investigation, and implementing risk controls for related accounts. The hacker further transferred the stolen funds to relevant accounts on exchanges, and a portion of the stolen assets was successfully frozen.

Key steps taken by the MistTrack team in this case included:

1. Establishing Trust: Building a strong trust relationship with the victim was foundational to the analysis and tracking work.

2. Tracing Stolen Funds: We applied technical expertise to track the flow of the stolen funds.

3. Analyzing Hacker Behavior: Our team conducted in-depth analyses of the hacker’s behavior patterns to understand their actions and predict potential next moves.

4. Wasabi Coinjoin Withdrawal Analysis: Specialized analysis tools were utilized to study the stolen funds that were mixed into Wasabi Coinjoin.

5. Cross-chain Tracking: When the hacker attempted to transfer funds via cross-chain transactions, we were able to successfully trace the flow of funds.

6. Law Enforcement Intervention: In necessary situations, we contacted law enforcement and provided support.

Next, we will elaborate on the specifics of our MistTrack team’s work and the analysis process in this case.

Tracing the Stolen Funds

Upon receiving a distress request from the victim, the MistTrack team swiftly launched an investigation and tracking of the stolen funds.

During the tracking process, we discovered that a large portion of the funds had been transferred into Wasabi Coinjoin.

Wasabi Coinjoin Withdrawal Analysis

Given the preliminary understanding of the case, the crucial breakthrough lay in the withdrawal segment of Wasabi Coinjoin. Thus, we carried out an in-depth analysis centered around this point.

The MistTrack team researched the output and input addresses during the Wasabi Coinjoin process and conducted detailed comparisons and analyses of the intersections of multiple funds.

Upon obtaining the list of withdrawal addresses, the MistTrack team analyzed these addresses from the following aspects:

  • Address usage frequency
  • Input amount
  • Withdrawal amount
  • Transaction behavior characteristics post-withdrawal

After a series of detailed analyses, the team successfully identified several suspicious withdrawal addresses. We then compiled statistics and made comparisons of the withdrawal amounts from these addresses. The results showed that these amounts corresponded closely with the funds that the hacker had transferred into Wasabi Coinjoin. We found a certain correlation among different Wasabi Coinjoin withdrawal transactions and a clustering relationship among the withdrawal addresses. Therefore, we could essentially confirm that these addresses were the hacker’s withdrawal addresses.
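The amount comparison and address clustering described above can be sketched as follows. This is an added example, not MistTrack's tooling: the addresses, amounts, the 5% tolerance, and the use of the common-input-ownership heuristic (CoinJoin outputs later spent together in one transaction are assumed to share an owner) are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data, not taken from the case. Amounts are in satoshis.
DEPOSITED = 50_000_000                      # sent into the mix by the tracked wallet
OUTPUTS = {f"addr_{i:02d}": 9_990_000 for i in range(1, 9)}   # CoinJoin outputs
POST_MIX_SPENDS = [                         # input addresses of later transactions
    ["addr_01", "addr_02"],
    ["addr_02", "addr_03"],
    ["addr_03", "addr_04"],
    ["addr_05", "addr_04", "unrelated_wallet"],
    ["addr_06", "addr_07"],
]

def cluster_outputs(outputs, spends):
    """Group CoinJoin outputs that are later co-spent (union-find)."""
    parent = {a: a for a in outputs}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for inputs in spends:
        known = [a for a in inputs if a in parent]  # ignore non-CoinJoin inputs
        for other in known[1:]:
            parent[find(other)] = find(known[0])
    groups = defaultdict(list)
    for a in outputs:
        groups[find(a)].append(a)
    return [sorted(g) for g in groups.values()]

def rank_candidates(outputs, spends, deposited, tolerance=0.05):
    """Rank clusters by how closely their total matches the deposited amount."""
    ranked = []
    for members in cluster_outputs(outputs, spends):
        total = sum(outputs[a] for a in members)
        gap = abs(deposited - total) / deposited    # fees keep totals below the deposit
        ranked.append({"addresses": members, "total": total,
                       "match": len(members) > 1 and gap <= tolerance})
    return sorted(ranked, key=lambda r: abs(deposited - r["total"]))

if __name__ == "__main__":
    for row in rank_candidates(OUTPUTS, POST_MIX_SPENDS, DEPOSITED):
        print(row)
```

A cluster flagged as a match is only a candidate; the usage-frequency and post-withdrawal behaviour checks listed above are still needed before treating it as attribution.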

[Figure: bird’s eye view of the hacker’s Coinjoin transactions]

[Figure: partial bird’s eye view of the hacker’s Coinjoin transactions]

Cross-Chain Tracking

After the MistTrack team had identified the hacker’s Wasabi Coinjoin withdrawal address list, we further tracked the stolen funds. We discovered that the hacker used renBTC for cross-chain operations. Through deep analysis of renBTC cross-chain funds, we successfully obtained the hacker’s renBTC withdrawal address on the Ethereum chain.

Subsequently, the hacker acquired renBTC and exchanged it for ETH via a trading platform, further dispersing it to multiple exchanges.

Analysis of Hacker’s Traces

Based on the above blockchain traces, the MistTrack team conducted an in-depth analysis of the hacker’s behavioral traces:

  • Hacker Profile

The hacker evidently has an extensive understanding of cryptocurrency laundering methods and is proficient in utilizing various automated tools and dark web resources for operations.

  • Other Transactions by the Hacker

The hacker’s renBTC withdrawal address on the Ethereum chain revealed transactions that involved deposits and withdrawals from exchanges.

Risk Control for Exchange Accounts

After the MistTrack team uncovered the historical records of the hacker using exchanges, we promptly shared this information with the victim and assisted law enforcement in contacting the exchanges to request an investigation. Following that, the exchanges implemented relevant risk control measures on the potentially involved accounts.

Summary

In the end, when the hacker further transferred the stolen funds to relevant accounts on the exchange, a portion of the stolen funds was successfully frozen thanks to the close cooperation of the MistTrack team, law enforcement, and the exchanges. This action effectively prevented the hacker from further transferring the funds. Currently, the remaining funds are still under the surveillance of the MistTrack team.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience, with the aim of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website: https://www.slowmist.com
Twitter: https://twitter.com/SlowMist_Team
Github: https://github.com/slowmist/
