PeckShield
May 27, 2019

Follow The Money — Tracking The Asset Movements Of Cryptopia Hack

Image from CoinGape.com

In January 2019, New Zealand crypto exchange Cryptopia was hacked, and about $16M USD (price at that time) worth of ETHs and other tokens were moved out of Cryptopia wallets. After being quiet for a few months, and as crypto token prices recovered, the hackers started to move the stolen assets again. According to data from the PeckShield Digital Asset Tracking and Recovery (DATAR) system, in the past few days 4,787 ETHs have been moved into the Huobi exchange, and 26,003 ETHs are still waiting to be laundered.

After analyzing hackers’ money laundering paths, PeckShield researchers found that:

  1. After a successful hack, hackers typically move the assets to several addresses, sometimes brand-new ones, and park them there for a while;
  2. During money laundering, hackers first move a small amount of assets to find the best laundering path;
  3. If the small-amount laundering succeeds, hackers move the rest of the assets; if not, they go quiet again and wait for the next opportunity.

This time, the Cryptopia hackers went through the decentralized exchange (DEX) EtherDelta and used fake trades to launder the assets and avoid tracking. But by leveraging our home-grown DATAR system, we have been able to track and expose the Cryptopia hackers' entire asset movements. Figure 1 shows the movement paths of the stolen ETH tokens.

Figure 1: The Movement Graph of The Stolen ETH Tokens From Cryptopia

As shown in Figure 1, hackers first moved some of the stolen tokens into one address, then initiated fake trades in EtherDelta, acting as both the seller and buyer, to avoid tracking, then bundled the tokens together and moved them into Huobi exchange. Here is the detailed analysis:

Step One: Move the assets

When a crypto exchange is hacked, there is usually a lot of media attention, and many people monitor the stolen asset movements, so hackers may typically lie low for a few months or even a year. After a while, they pick an opportunity and launder the stolen assets.

This time, the hackers were possibly woken up by the crypto price recovery. They first moved 5,000 ETHs into five addresses over 16 hours, 1,000 ETHs into each address, as shown in Figure 2. Each time 1,000 ETHs were moved into an address, they also started fake trades in EtherDelta to launder the money.

Figure 2: The Hackers Move Some Assets Into A New Address

Step Two: Fake Trades

To avoid tracking, hackers often scatter a large amount of assets across many addresses, route them through many transfers, and then gather them again. But the Cryptopia hackers used a new approach: fake trades on a DEX to launder the money. As shown in Figure 3 and Figure 4, the hackers first sent the tokens into EtherDelta, 500 ETHs in each transaction, then started many trades to move the assets between fake buyers and sellers.

Figure 3: Hacker Controlled Addresses Act As Buyers

Figure 4: Trades Between Hacker Controlled Addresses

The screenshots in Figure 5 (ForkDelta is a front end UI of EtherDelta) show the trades between the accounts controlled by hackers, and the tokens traded are ELF/ETH and BAT/ETH. Here is the record of one of the transactions, as shown in Figure 6: https://etherscan.io/tx/0x15ad9bac4391f5a6e57393ec3dc2418e73790eefb663a219fb1628501f1a31a6

Figure 5: Hackers' Trades In ELF And BAT Tokens

Figure 6: Record Of A Hacker’s Trade In EtherDelta

After the trades, the seller made a withdrawal. The on-chain transaction, shown in Figure 7, is the following: https://etherscan.io/tx/0x72917f72dfdfac50ff228f72a402a592ff79934bc5f3d138fd2c1f6c53091192

Figure 7: Hacker’s Withdraw Transaction In EtherDelta

Step Three: Bundle the tokens and Send To Exchange

After the fake DEX trades, the hackers bundled the ETHs into one address, then sent them all into Huobi in several transactions, as shown in Figure 8. At the time of writing, the hackers have moved 4,787 ETHs into the Huobi exchange, and PeckShield is working with Huobi to freeze these stolen assets. There are currently still 26,003 ETHs in the hackers' addresses, which might be laundered in the future, and we are monitoring their movements closely.

Figure 8: Hacker’s Tokens Went Into Huobi
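
The three steps above can be traced mechanically by propagating taint from a labeled theft address through transfers and DEX deposit, trade, and withdraw events. The following is an added example, not PeckShield's DATAR code; the event tuples, the placeholder addresses, and the "tainted ETH leaves first" accounting rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events in block order (not real chain data).
# Placeholder addresses; amounts in ETH. Tuple: (kind, from, to, amount).
EVENTS = [
    ("transfer", "theft_wallet", "staging", 1000),
    ("deposit", "staging", None, 500),        # wallet -> own DEX balance
    ("deposit", "staging", None, 500),
    ("trade", "staging", "seller_1", 480),    # buyer pays ETH to seller in-DEX
    ("trade", "staging", "seller_2", 500),
    ("trade", "bystander", "seller_1", 5),    # unrelated, untainted buyer
    ("withdraw", "seller_1", None, 485),
    ("withdraw", "seller_2", None, 500),
    ("transfer", "seller_1", "bundler", 485),
    ("transfer", "seller_2", "bundler", 500),
    ("transfer", "bundler", "exchange_hot", 900),
]

def trace(events, seeds, exchange_labels):
    """Propagate tainted ETH from seed balances; return (balances, findings)."""
    tainted = defaultdict(int, seeds)   # wallet or ("dex", user) -> tainted ETH
    senders = defaultdict(set)          # wallet -> distinct tainted senders
    findings = []

    def move(src, dst, amount):
        moved = min(amount, tainted[src])  # assumption: tainted ETH leaves first
        tainted[src] -= moved
        tainted[dst] += moved
        return moved

    for kind, a, b, amount in events:
        if kind == "deposit":
            move(a, ("dex", a), amount)
        elif kind == "withdraw":
            move(("dex", a), a, amount)
        elif kind == "trade":
            moved = move(("dex", a), ("dex", b), amount)
            if moved:
                findings.append(("tainted_trade", a, b, moved))
        elif kind == "transfer":
            moved = move(a, b, amount)
            if not moved:
                continue
            senders[b].add(a)
            if b in exchange_labels:
                findings.append(("exchange_deposit", a, b, moved))
            elif len(senders[b]) == 2:   # second tainted source: funds regroup
                findings.append(("bundling", b, sorted(senders[b]), tainted[b]))
    return tainted, findings
```

Sellers that show up as senders in a `bundling` finding received tainted ETH in trades and then regrouped it at one address, which makes them candidates for common control with the tainted buyer.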

The PeckShield Digital Asset Tracking And Recovery (DATAR) system has mined and analyzed on-chain data of all leading public blockchains and accumulated a huge number of hack, blacklist, and other address labels, so it can be leveraged to track digital asset movements on the blockchains. Working closely with major exchanges around the world and community partners, we can track, freeze, or recover stolen assets lost in hack or scam incidents.

Main addresses belonging to Cryptopia hackers:

Initial laundering address: 0xd4E79226F1E5A7a28Abb58F4704E53cd364e8D11
Fake buyer address: 0x338fDf0D792F7708d97383EB476e9418B3C16ff1
Fake seller address 1: 0x1e16253b81F418ee44430d94502Bc766fe8CaDba
Fake seller address 2: 0x7bdf9a0fba5c7ce328fe0768eaf2a2dfb0afb35f
Bundling address: 0x3d40897675A7467A73610c3ABbBc8292835e67F2

About Us

PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us via Telegram, Twitter, or email.