SlowMist AML: Tracking funds laundered by Tornado Cash

SlowMist
6 min readFeb 11, 2022

--

The rapid development in projects such as DeFi, NFT, and cross-chain bridges has also led to the rise of incidents in the crypto industry. According to our AML system(MistTrack), 80% of stolen funds are deposited into a mixer protocol called Tornado.Cash to hide their digital trail. However, not all hope is lost. Let’s look at a KuCoin incident where stolen funds were deposited into Tornado Cash and utilize MistTrack to find clues of its whereabouts.

Incident Overview

In the early morning of September 26, 2020, Beijing time, KuCoin announced that they had discovered suspicious withdrawal for substantial quantities of crypto assets from their exchange hot wallet address. These included assets like ETH and BTC, as well as various cryptocurrencies.

According to our MistTrack statistics, the combined loss of these stolen assets exceeded over $270M at the time. Below is a list of the stolen assets in tens of thousands.

After a thorough investigation, we discovered that the hackers used Tornado.Cash to launder the stolen funds in this attack with ETH. This post will focus on how the hackers converted these funds to ETH and transferred them to Tornado.Cash. We will then analyze the transactions from the Tornado.Cash for clues on where the stolen funds may have gone.

What is Tornado.Cash ?

Tornado.Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between the sender and recipients’ addresses. To improve privacy, Tornado.Cash uses a smart contract that accepts ETH and other tokens from one address and allows them to withdraw to a different address. These smart contracts act as a pool that mixes all the deposited assets and generates a private key proving that you performed the deposit operation. Then, the sender can use this private key to withdraw the deposited funds into any address at the time of their choosing.

The Transfer in

After stealing funds from KuCoin, the hacker tried to deposit them into various exchanges. However, word had already gotten out of their actions and banned them from their exchanges. With no other options, the hacker turned their attention to DeFi to help launder the funds.

According to our MistTrack AML tracking system, the hacker (0xeb31…c23) distributed the ERC20 tokens to various addresses and then used decentralized exchanges like Uniswap, 1inch, and Kyber to exchange them for ETH.

After converting the funds into ETH, they were consolidated into the following addresses:

After a full trace of ETH and ERC20 tokens, we teased out how funds moved between hacker addresses and broke down how funds got into Tornado.Cash.

We created a flow chart below showing how funds were exchanged and transferred to Tornado.Cash

Tracking the funds

Guess

  1. A large amount of ETH is deposited into Tornado.Cash, which will collectively exhibit some traceable characteristics.
  2. Based on the analysis of the behavior of hackers eager to use the exchange to realize cash, it is speculated that the hacker will withdraw the funds immediately after depositing the funds in Tornado.Cash, or withdraw the funds at the next deposit.
  3. If that’s the case, we can monitor all withdrawals that happened after the original deposits have been made.

Possible On-Chain Behavior

  1. Using the approach mentioned above, we can assume that the time frame for withdrawals should be similar or close to the time frames for when the hacker made deposits into Tornado.Cash.
  2. The fund’s withdrawal from Tornado.Cash will also be deposited into the same address during that time frame.

Let’s verify this theory

Starting with the hacker’s address ( 0x34a…c6b):

Using Blockchain analysis, we can see that the hacker deposited about 11,500 Eth into Tornado.Cash between 2020-10-23 16:06:28 to 2020-10-26 10:32:24 (UTC). These were made in increments of 100 ETH over the course of 115 deposits. The following is the deposit history of this address between 2020-10-24 3:00:07 to 6:28:33 (UTC):

In the same time frame, we can see a large amount of ETH being transferred out of Tornado.Cash. These were also withdrawn in increments of 100 ETH into the same address(0x82e…398). We highlighted the transactions listed below.

When looking at these transactions for the address (0x82e…398), we found that the address did not withdraw ETH to itself, but as a contract caller, withdrew all ETH to the address (0xa4a…22f).

Using this method, we tracked down other addresses that could have received funds from the hacker’s original address (0x34a…c6b) via Tornado.Cash. These are our findings:

After further investigation, it was discovered that the amount withdrew from Tornado.Cash to the six addresses matched the 11,500 ETH the hacker deposited into it, validating our original theory.

We then track and analyze these six different addresses using our MistTrack AML tracking system. The hacker transferred some funds into trading platforms such as ChangeNOW, CoinSwitch, and Binance in increments of 50 to 53 ETHs. Some funds were also transferred to other exchanges first before being moved to the exchanges mentioned above.

Summary

This article mainly explains how the hackers tried to use Tornado.Cash to launder the stolen ETH. The analysis results make us think: Is Tornado.Cash really completely anonymous? On the one hand, withdrawal addresses can be analyzed implies that there is no such thing as complete anonymity. On the other hand, there still is some anonymity available, maybe Tornado.Cash isn’t the best option for a large-scale operation in a short time frame.

KuCoin has officially stated that it has recovered about $240 Million with help from exchanges, project team members, law enforcement, and security agencies. In the past, Defi protocols may have been the best chance for hackers to launder stolen funds, but that is no longer the case. Using our MistTrack AML system, even if hackers turned defi protocols for help, we can still track them down.

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.