June 26, 2023
A $60 million wallet theft. Beosin KYT Reveals the Hackers' Money Laundering Tactics
Previously, a wallet theft involving tens of millions of dollars shocked the entire industry.
According to Beosin EagleEye, Atomic Wallet was attacked in early June this year. The attack caused a loss of at least $60 million, based on information reported by known victims on the chain.
According to CoinDesk, Atomic Wallet CEO Konstantin Gladych said that the team is now collecting data from affected users and said that "the attack was definitely organized by a team of professional hackers who are using scripts, fund splitting, coin mixers and other measures".
In this article, we will dive into the details of how the money was laundered in this hacked theft and use Beosin KYT virtual asset AML compliance and analytics platform to track and analyze their schemes.
According to Beosin team, so far the theft involved a total of 21 chains, including BTC, ETH and TRX. The stolen funds are mainly concentrated in the ethereum chain. Among them:
The stolen funds have been identified as 16,262 ETH worth of virtual currency, about $30 million.
Wavefield chain is known to have stolen funds of 251335387.3208 TRX worth of virtual currency, about 17 million USD.
BTC chain is known to have been stolen 420.882 BTC worth of virtual currency, equivalent to $12.6 million.
The BSC chain is known to have lost 40.206266 BNB worth of virtual currency.
XRP: 1676015 XRP, about $840,000
LTC: 2839.873689 LTC, about $220,000
DOGE: 800575.67369797 DOGE, about $50,000
In the operation of hackers on the stolen money, there are two main ways in which ethereum is attacked on the chain:
1. Using Avalanche to launder money across the chain after dispersal through the contract
According to Beosin team, hackers would first exchange the valuable coins in the wallet for the main coins of the public chain, and then pool them through two contracts.
The contract address will pack ETH into WETH through two layers of transit, then transfer the WETH to the contract used to disperse the ETH, and transfer it into the wallet address used by Avalanche for Cross Bridge through up to 5 layers of transit for cross-chain operations. This cross-chain does not use contracts, instead it is an internal book-entry transaction of Avalanche.
A sketch of the Etherchain link is shown below:
Collateralized Contract 1:
Total 3357.0201 ETH involved
Collateralized to WETH and transferred to contract 0x3c3ed2597b140f31241281523952e936037cbed3
The detailed diagram of the sale route is shown below:
Collateralized contract 2:
Total 3009.8874 ETH involved
Hackers exchanged to WETH and transferred to the contract 0x20deb1f8e842fb42e7af4c1e8e6ebfa9d6fde5a0
The detailed diagram of the pinning route is shown below:
The two convergence contracts are confirmed by agreeing to the source of transaction fee, and part of the address without transaction behavior is hidden. The transaction fee route is as follows:
At present, only these four contracts with the act of converging stolen money are found.
2. Money laundering through various cross-chain bridge protocols and exchanges without direct dispersal through contracts.
This part involves 9896 ETH according to current statistics, and this part will be consolidated through multiple consolidation addresses. The money chain diagram is shown below:
Map of ETH non-contract transfered funds as shown by Beosin KYT
Wavefield chain is similar to the ethereum chain in that it transfers all the virtual currency from the stolen wallet to the public chain's native token TRX through two layers of addresses and then continues to transit. The difference is that the convergence address is no longer carried out using a contract but a common address, which is dispersed and then transferred to various exchange deposit addresses. A part of the stolen funds remain on the chain without transfer, and there are many consolidated addresses.
We can see that there are many channels for hackers to launder money, mainly through various exchange accounts, but also directly into the cross-chain bridge contract.
The consolidation addresses are mainly the following two addresses
Flow involved: 157,401,175.7231 TRX
Flow involved: 93,934,211.5977 TRX
The route pattern is shown in the chart below
Beosin KYT shows an example of the flow of funds in the wavefield chain
BTC already known consolidation address involved in the case is 420.882 BTC.
BTC chain involved addresses are divided into multiple consolidation addresses, and there is no subsequent crossover of funds from the consolidation addresses and a large number of consolidated addresses.
Similar to other chains, the stolen funds will be directly transferred to the hacker's address, and then transferred to the consolidation address by the hacker's control through a layer of transit and dispersed afterwards. The number of dispersion layers is at least 4, after which it will be deposited or mixed into a larger stream of suspected money laundering addresses.
The route pattern is shown in the following diagram:
Example diagram of BTC money flow shown by Beosin KYT
The BSC chain has only one address, and funds are currently locked on the chain.
Another 35 BNB from stolen wallets.
The other chain addresses
XRP: 1676015 XRP, equivalent to $838,007
LTC: 2839.873689 LTC, equivalent to $217,789
DOGE: 800575.67369797 DOGE, equivalent to $51,194
The above chain model is similar to other chains, all of them are stealing coins from wallets after exchanging them for native tokens and then entering different consolidation addresses through a layer of transit, and there are more addresses still locked on the chain.
Regarding progress related to this incident, it is reported in mid-June that Estonian police said they are investigating the theft of cryptocurrency from Atomic Wallet users in the country. Estonian authorities said they have been investigating the theft since last week, that the investigation is still in its early stages and that they will not comment on the source of the attack at this time.
As can be seen from the above incident, cybercrime, money laundering, dark web trading and other crimes involving virtual assets have become common in recent years, and the decentralization, openness and anonymity of blockchain have posed a huge challenge to regulators.
To solve the above problem, a group of security institutions represented by Beosin has proposed a solution idea - KYT (Know Your Transactions), which aims to let trading platforms and regulators understand each transaction on the chain. In traditional financial transactions, financial service institutions design anti-money laundering systems through KYC and transaction data. In virtual asset transactions, trading platforms can use KYC and KYT technologies to bind the entity behind each transaction, analyze its transaction behavior, identify its criminal logic, use on-chain analysis and tracking tools to locate each transaction, profile the user, and rate the transaction, thus reducing the risk of criminals using virtual assets to launder money.
Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities and there are 40+ PhDs in the team. It has offices in Singapore, South Korea, Japan and other 10+ countries. With the mission of "Securing Blockchain Ecosystem", Beosin provides "All-in-one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has already audited more than 3000 smart contracts including famous Web3 projects PancakeSwap, Uniswap, DAI, OKSwap and all of them are monitored by Beosin EagleEye. The KYT AML are serving 100+ institutions including Binance.
If you need any blockchain security services, welcome to contact us:
Related Project Secure Score
Guess you like
Those who have used Uniswap, please be careful! Let Beosin demystify Permit2 signature phishing.
June 12, 2023
Critical vulnerability in Move VM：Sui, Aptos and other public chains at risk of crash and hard fork
June 26, 2023
What is Stacks and what challenges may this BTC Layer2 Network face?
June 26, 2023
H1 2023 Global Web3 Security Report, AML Analysis & Crypto Regulatory Landscape
July 04, 2023