On 26 March 2019, DragonEx reported via its official Telegram channel that the exchange had been compromised by a hacker and that cryptocurrencies belonging to the exchange had been transferred out of its wallets. DragonEx published the wallet addresses the hacker used to move the funds and asked the crypto community for help in freezing those accounts (Figure 1).
Figure 1: DragonEx's announcement with the hacker's wallet addresses
Upon hearing the news, researchers on the Uppsala Security Operations Team investigated the flow of the stolen Ethereum (ETH) using their in-house Crypto Analysis Transaction Virtualization (CATV) tool. With it, the researchers were able to study the techniques the hacker employed to conceal his activity while moving the stolen cryptocurrency out.
Crypto Analysis Transaction Virtualization
CATV is a cryptocurrency analysis and tracking tool developed by Uppsala Security for forensic investigation of cryptocurrency transactions. It combines flow visualization with a proprietary crawler that walks the blockchain and extracts transaction data. CATV then cross-references the collected wallet addresses against Sentinel Protocol's Threat Reputation Database (TRDB) and produces a flowchart of every transaction related to the wallet address under investigation.
With this tool, an investigator can see the relationships between multiple wallets and track the distribution of funds without manually querying a blockchain explorer for each wallet and transaction associated with the original address. CATV's algorithm follows all incoming and outgoing transactions of the source wallet, helping investigators identify related wallets and transactions.
CATV shortens investigation time and helps investigators and exchanges act faster: once the destination wallets are known, the receiving exchanges can be notified to block or freeze the bad actor's deposits before the funds are cashed out.
Starting the Tracking
We entered the Ethereum wallet address (0xa7f72bf63edeca25636f0b13ec5135296ca2ebb2) published as the hacker's into CATV and set the distribution depth parameter to 7, so that the flow of funds is traced up to 7 hops away from the hacker's wallet (Figure 2).
Figure 2: CATV tracking input parameters
Studying the chart
The chart in Figure 3 was generated from the parameters set above.
Figure 3: CATV graphical flow visualization results with parameters from Figure 2
To mask the final destination of the stolen funds, which are normally cashed out at a cryptocurrency exchange, the hacker split large amounts of ETH into smaller transactions and routed them through multiple hops across a web of wallets under his control.
With CATV, the researcher can quickly pinpoint the destination exchanges (orange nodes) where the stolen ETH ended up. Clicking a node reveals the specific exchange wallet address (Figure 4); in this example the address is a Binance hot wallet. Once funds reach an exchange's custodial wallet, on-chain tracing stops being useful, since any later movement is the exchange's own accounting; the next step is to hand the deposit transactions to the exchange so it can freeze the corresponding account.
Figure 4: Pinpointing the specific wallet address at the Binance exchange
To see which of the hacker's wallets deposited stolen ETH at the exchange, we need to identify the wallets sending funds to that Binance address. For better visibility, we drag the wallet node to an empty area of the chart and zoom in on it, as shown in Figure 5.
Figure 5: Wallet and transaction information displayed by selecting and dragging the node of interest
From this view we can see that the hacker used 5 wallets at Binance. Clicking a transaction line shows the details of every transaction between the associated wallets, including the total amount transferred.
CATV also provides a listing of the detailed transactions for every associated wallet address that received stolen funds from the original wallet (Figure 6).
Figure 6: Transaction listings for the associated wallets
The transaction fields can be sorted to extract specific information. A simple example is determining which exchanges have been receiving funds from the hacker's address, which is obtained by sorting on the Receiver Annotation field.
Using CATV, our researcher extracted all exchange wallets associated with the destination exchanges. The table below summarises the deposits the hacker made at each exchange.
In total about 2550.67 ETH of the 2738.12 ETH stolen was transferred to exchanges, and the lion's share (2152 ETH) ended up at Binance. The remaining ETH is spread across the web of relay wallets the hacker used to mask his activity. These wallets are very likely still under the hacker's control and may be reused in future attacks. CATV can spin off a new chart instance from any of them to study the relay wallets further, including their sources of incoming funds.
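The tracing procedure described above (seed the walk with the hacker's address, follow outgoing transfers up to a hop limit, annotate exchange wallets from a reputation lookup, then total the deposits per exchange and list the unlabelled relay wallets) as an added worked example in Python. This is not CATV's code and it never touches the Ethereum chain: the ledger rows, the wallet labels and the exchange annotations are constructed placeholders standing in for chain data and the TRDB lookup, and the amounts are made up.

```python
from collections import defaultdict, deque
from decimal import Decimal

# Constructed ledger of (sender, receiver, amount in ETH). The labels are
# placeholders for Ethereum addresses and the amounts are made up; a real
# run would pull these rows from a node or an indexer.
TXS = [
    ("hacker", "relay1", Decimal("1000")),
    ("hacker", "relay2", Decimal("800")),
    ("relay1", "relay3", Decimal("600")),
    ("relay1", "exchA_hot1", Decimal("400")),
    ("relay2", "exchB_hot1", Decimal("500")),
    ("relay2", "relay5", Decimal("300")),
    ("relay3", "exchA_hot2", Decimal("300")),
    ("relay3", "relay4", Decimal("300")),
    ("relay4", "relay6", Decimal("300")),
    ("relay5", "relay2", Decimal("100")),     # loops back to an earlier relay
    ("relay6", "exchA_hot1", Decimal("250")),
    ("victim", "hacker", Decimal("1800")),    # inbound to the seed: not an outflow
    ("unrelated", "relay9", Decimal("5")),    # never reachable from the seed
]

# Stand-in for the reputation lookup (CATV uses the TRDB; this dict is a
# placeholder): address -> exchange name. Anything absent is treated as an
# unlabelled relay wallet.
ANNOTATIONS = {
    "exchA_hot1": "Exchange A",
    "exchA_hot2": "Exchange A",
    "exchB_hot1": "Exchange B",
}


def build_outgoing_index(txs):
    """Group transfers by sender so each hop is a dictionary lookup."""
    outgoing = defaultdict(list)
    for sender, receiver, amount in txs:
        outgoing[sender].append((receiver, amount))
    return outgoing


def trace_outflows(txs, seed, max_hops, annotations):
    """Breadth-first walk over outgoing transfers, at most `max_hops` from `seed`.

    Returns (depth, edges): depth maps every reached address to the hop at
    which it was first seen; edges lists every transfer traversed as
    (sender, receiver, amount, hop, receiver_annotation). Annotated
    (exchange) addresses are terminal: once funds hit a custodial wallet the
    exchange holds them, so their later on-chain movements are not followed.
    The depth map also stops the walk from looping through relay cycles.
    """
    outgoing = build_outgoing_index(txs)
    depth = {seed: 0}
    edges = []
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        hop = depth[addr]
        if hop >= max_hops or addr in annotations:
            continue
        for receiver, amount in outgoing.get(addr, ()):
            edges.append((addr, receiver, amount, hop + 1,
                          annotations.get(receiver, "")))
            if receiver not in depth:
                depth[receiver] = hop + 1
                queue.append(receiver)
    return depth, edges


def deposits_by_exchange(edges):
    """Sum, per exchange, the ETH that landed in annotated wallets: the
    per-exchange table an investigator hands to the exchanges."""
    totals = defaultdict(Decimal)
    for _, _, amount, _, label in edges:
        if label:
            totals[label] += amount
    return dict(totals)


def exchange_wallets(edges):
    """Distinct deposit addresses the funds reached at each exchange."""
    wallets = defaultdict(set)
    for _, receiver, _, _, label in edges:
        if label:
            wallets[label].add(receiver)
    return dict(wallets)


def relay_wallets(depth, annotations, seed):
    """Reached addresses that are neither the seed nor a known exchange:
    the intermediaries worth re-seeding a new trace from."""
    return sorted(a for a in depth if a != seed and a not in annotations)


if __name__ == "__main__":
    depth, edges = trace_outflows(TXS, "hacker", 7, ANNOTATIONS)
    for sender, receiver, amount, hop, label in sorted(edges, key=lambda e: e[3]):
        print(f"hop {hop}: {sender} -> {receiver} {amount} ETH {label}")
    print("deposits:", deposits_by_exchange(edges))
    print("relays:", relay_wallets(depth, ANNOTATIONS, "hacker"))
```

Lowering `max_hops` to 2 cuts the walk off before the transfers relayed through relay3 and relay6 reach Exchange A, which is why the hop limit matters on a real trace: too shallow and deposits are missed, too deep and the chart fills with unrelated activity downstream of wallets the hacker never controlled.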
How the Sentinel Protocol platform can help mitigate exchange hacks
The Sentinel Protocol team believes in collective intelligence, where individuals, businesses and governments work together to share threat intelligence and report new incidents to Sentinel Protocol. Threat intel collated and validated by the Sentinels is recorded in the Threat Reputation Database (TRDB), which is publicly available and can be queried on the blockchain. Tools built on the TRDB serve both individuals (UPPward network protection) and business entities (the Interactive Cooperation Framework product suite), alongside CATV, to protect the crypto community from malicious actors.
CATV is especially useful for tracking flows of stolen cryptocurrency, as this case study shows. Our aim is an ecosystem in which members of the crypto community share and collaborate on threat intel on the Sentinel Platform. Crypto exchanges participating in the platform can automatically receive alerts when funds obtained through malicious activity reach their hot wallets, giving them the chance to freeze the stolen cryptocurrency before the hacker can cash it out. Denying hackers the cash-out removes much of the incentive for future attacks.