By: Elizabeth Yeung, Cyber Security Researcher, Sentinel Protocol
On 13 March 2019, ether tokens that had been stolen by attackers in the Bancor hack in July 2018 were finally transferred from wallet to wallet after seven months of inactivity. The Uppsala Security Operations Team has picked up on this anomaly and uncovered the identity of the destination addresses.
Money Flow Analysis
The starting address in question is 0xbceaa0040764009fdcff407e82ad1f06465fd2c4, which has been annotated as “Bancor Hack” on Etherscan and is now blacklisted in Sentinel Protocol’s Threat Reputation Database (TRDB). What follows next is a series of movements that are easily visualized using our Crypto Analysis Transaction Visualization (CATV) tool, shown in Figure 1.
Note that for readability, a truncated version of the involved addresses will be used throughout the article, and a mapping to the non-truncated version will be provided at the end.
Figure 1: Money flow analysis from the Crypto Analysis Transaction Visualization (CATV) tool
From 0xbceaa0, the attacker made two transactions summing to the full amount of 25,533 ETH to 0xf27b69, which can be easily observed through any block explorer. Then, from 0xf27b69, the ether tokens were split into many transactions, each transferring between a few hundred and a thousand ETH. If we look at the graph in Figure 1, we can see that despite the multiple transactions, almost all of the ETH went to 0xd294ac. A negligible amount of 0.16 ETH went to 0xed3fae and has not been moved since.
On closer inspection of 0xd294ac, we can see that it exhibits the behaviour of a relay wallet. A relay wallet is a wallet that immediately transfers tokens out to a single address whenever it receives them, minus a tiny portion spent on gas. This relay pattern results in a sequence of alternating receive and send transactions. Deposit wallets of users on crypto exchanges tend to display this pattern as well, but nothing at this stage could point us in that direction. We would have to look further into the next hop, which involves the address 0xf056f4.
Since the conclusion of our investigation, we have identified 0xf056f4 as an address belonging to a well-known exchange and have annotated it as such in our TRDB, which is why it appears that way on the CATV in Figure 1. However, at this point of the trail, it was still not clear what kind of wallet 0xf056f4 was, let alone whether or not it belonged to an exchange.
As we look at 0xf056f4, we see that it has performed a moderate number of transactions, about 37,000 at the time of writing, and holds a balance of 10,400 ETH. It is unlikely to be a personal wallet belonging to one individual, and more likely to be a service provider of some sort. If we take a closer look at the analytics provided by Bloxy.info in Figure 2, we can see two points of interest with this wallet:
- This wallet’s activity is inconsistent. It was generally quiet for most of 2018, and only regained activity in 2019.
- This wallet also receives many more transactions than it sends. In fact, in the chart in Figure 2, we can barely see the send count represented by the blue bar. This suggests that there could be aggregation activity going on. Upon further inspection, we see that it has indeed been sending out large amounts to 0xdf95de, mainly in denominations of 2,551 ETH.
Figure 2: Analytics of address 0xf056f4 from Bloxy.info
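The relay pattern described for 0xd294ac and the aggregation pattern observed on 0xf056f4 can both be checked mechanically over a transaction list. The following is an added Python example, not code from Sentinel Protocol or the CATV tool; the ledger, the addresses (0xSRC, 0xSPLIT, 0xRELAY, 0xAGG, 0xSINK, 0xDUST), the amounts and the thresholds are constructed for illustration and only mirror the shape of the flow in Figure 1, not the real transactions.

```python
"""Heuristic wallet-role classification over a small, constructed ETH ledger.

Added example, not part of the Sentinel Protocol / CATV tooling. Addresses,
amounts and thresholds below are made up for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    block: int      # block number, used only for ordering
    sender: str
    receiver: str
    value: float    # ETH transferred (gas is paid on top and not modelled here)


def flows_from(txs, address):
    """Total ETH sent by `address`, grouped by destination (a CATV-style edge sum)."""
    out = defaultdict(float)
    for t in txs:
        if t.sender == address:
            out[t.receiver] += t.value
    return dict(out)


def is_relay(txs, address, max_retained=0.01):
    """Relay pattern: every inbound transfer is followed by exactly one outbound
    transfer before the next inbound, all outbound goes to a single destination,
    and the wallet retains almost nothing (only what gas consumed)."""
    events = sorted(
        ((t.block, "out" if t.sender == address else "in", t)
         for t in txs if address in (t.sender, t.receiver)),
        key=lambda e: (e[0], e[1] == "out"),  # same block: order 'in' before 'out'
    )
    if not events:
        return False
    labels = [e[1] for e in events]
    alternating = len(labels) % 2 == 0 and labels == ["in", "out"] * (len(labels) // 2)
    dests = {e[2].receiver for e in events if e[1] == "out"}
    total_in = sum(e[2].value for e in events if e[1] == "in")
    total_out = sum(e[2].value for e in events if e[1] == "out")
    retained = (total_in - total_out) / total_in if total_in else 1.0
    return alternating and len(dests) == 1 and 0 <= retained <= max_retained


def aggregation_profile(txs, address):
    """Aggregation signal: far more inbound than outbound transactions, with the
    outbound side concentrated in a few large, repeated denominations."""
    ins = [t for t in txs if t.receiver == address]
    outs = [t for t in txs if t.sender == address]
    denominations = Counter(round(t.value, 2) for t in outs)
    return {
        "in_count": len(ins),
        "out_count": len(outs),
        "in_out_ratio": len(ins) / len(outs) if outs else float("inf"),
        "top_denomination": denominations.most_common(1)[0][0] if outs else None,
    }


def classify(txs, address, min_ratio=5.0):
    """Return 'relay', 'aggregator' or 'unknown' for one address (heuristic)."""
    if is_relay(txs, address):
        return "relay"
    prof = aggregation_profile(txs, address)
    # a wallet that has never sent anything is not an aggregator, just a sink so far
    if prof["out_count"] and prof["in_out_ratio"] >= min_ratio:
        return "aggregator"
    return "unknown"


# Constructed ledger shaped like Figure 1: source -> splitter -> relay -> aggregator -> sink
SRC, SPLIT, RELAY, AGG, SINK, DUST = "0xSRC", "0xSPLIT", "0xRELAY", "0xAGG", "0xSINK", "0xDUST"
SAMPLE = [
    Tx(100, SRC, SPLIT, 1500.0),
    Tx(101, SRC, SPLIT, 1000.0),
    Tx(110, SPLIT, RELAY, 900.0),
    Tx(111, RELAY, AGG, 899.99),      # relayed on, minus gas
    Tx(120, SPLIT, RELAY, 1200.0),
    Tx(121, RELAY, AGG, 1199.99),
    Tx(130, SPLIT, RELAY, 399.84),
    Tx(131, RELAY, AGG, 399.83),
    Tx(132, SPLIT, DUST, 0.16),       # the negligible leftover that never moves
    # other, unrelated relays feeding the same aggregator
    Tx(140, "0xRELAY2", AGG, 600.0),
    Tx(141, "0xRELAY3", AGG, 700.0),
    Tx(142, "0xRELAY4", AGG, 800.0),
    Tx(143, "0xRELAY5", AGG, 550.0),
    Tx(144, "0xRELAY6", AGG, 450.0),
    Tx(145, "0xRELAY7", AGG, 300.0),
    Tx(146, "0xRELAY8", AGG, 650.0),
    Tx(150, AGG, SINK, 2551.0),       # aggregator sweeps out in fixed denominations
    Tx(151, AGG, SINK, 2551.0),
]

if __name__ == "__main__":
    for addr in (SPLIT, RELAY, AGG, DUST):
        print(addr, classify(SAMPLE, addr), aggregation_profile(SAMPLE, addr))
```

The thresholds (1% retained balance for a relay, a 5:1 in/out ratio for an aggregator) are placeholders; on a real ledger they would be tuned against known exchange deposit and hot wallets, and the relay test in particular cannot by itself distinguish a launderer's hop from an ordinary exchange deposit address, which is exactly the ambiguity the article runs into at 0xd294ac.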
While this behaviour is unusual, it was not sufficient to pinpoint to whom 0xf056f4 belongs. To uncover the identity of this wallet, we took a step back and inspected other relay wallets that were also sending ETH to 0xf056f4. This was when we noticed that, while these relay wallets relayed ETH to 0xf056f4, they had also been relaying ERC20 tokens to wallets belonging to Huobi, another well-known exchange.
Figure 3: Relay wallet sending ether to 0xf056f4 as seen on Etherscan
Figure 4: Relay wallet sending ERC20 tokens to Huobi as seen on Etherscan
The pattern these relay wallets exhibited is shown in Figures 3 and 4, and some of these addresses are:
Given these findings, the Uppsala Security Operations Team has reason to believe that the stolen funds from the Bancor hack have ended up in the Huobi exchange. We have since alerted Huobi about these tainted funds.
Address Mapping
- 0xbceaa0: 0xbceaa0040764009fdcff407e82ad1f06465fd2c4
- 0xf27b69: 0xf27b6923ed24eed02de7686962339db00a52d2aa
- 0xd294ac: 0xd294ac18b524ff59ab7fffcbd459f11128220550
- 0xed3fae: 0xed3fae3fdf61bfe32bb34c06f210a308590de747
- 0xf056f4: 0xf056f435ba0cc4fcd2f1b17e3766549ffc404b94
- 0xdf95de: 0xdf95de30cdff4381b69f9e4fa8dddce31a0128df