Whoever hacked the Japanese crypto exchange Liquid for an estimated $90 million has been taking steps to cover their tracks, according to public blockchain data.
However, three exchanges told CoinDesk they froze funds deposited from addresses believed to belong to the thieves.
Later, Liquid tweeted more crypto addresses it identified as the hacker’s, said it halted crypto withdrawals and filed a suspicious transaction report with the Monetary Authority of Singapore (MAS), the country’s financial regulator. On Saturday, Liquid said it updated the exchange's wallet infrastructure and had been migrating users' funds "to the new secure vaults."
Since blockchain data is public, everyone from sophisticated analytics vendors who contract for law enforcement to curiosity-seekers and autodidacts can trace the movement of the crypto – up to a point.
According to a CoinDesk review of the Etherscan block explorer, a little over 6,000 ETH (or about $19.7 million) stolen from Liquid has been sent to Tornado.cash, a non-custodial mixer for ether and ERC20 tokens that allows users to obfuscate their transactions by commingling their crypto with the coins of others.
From there, the trail goes cold.
Blockchain analysis to a certain extent relies on assumptions about the relationships of addresses to each other and to people in the real world. So on-chain data alone does not provide definitive answers as to who sent money to whom. However, combined with off-chain, real-world information, it can produce valuable insights about the ways crypto works.
Deposited at DEXs….
Etherscan also shows that the hacker used Uniswap, a decentralized exchange (DEX), and other DEXs to liquidate ERC20 tokens, which run on top of the Ethereum network, over the past two days.
Some 9,319 ETH, or $30 million worth of crypto, is still sitting in the hacker’s wallet, according to Etherscan.
Elliptic released similar findings in a blog post Thursday. Over $97 million in crypto has been sent to the presumed thief’s wallets, the blockchain research firm wrote.
“This includes $45 million in Ethereum tokens, which are currently being converted into ether using decentralised exchanges (DEXs) such as Uniswap and SushiSwap," Elliptic said.
According to Liquid’s Friday blog post, various issuers of ERC20 tokens have now frozen those stolen assets. Overall, 69 assets have been stolen from the exchange’s wallets “and sent to other exchanges or defi swapping venues,” Liquid said.
The bitcoin stolen from Liquid also remains in the hacker’s wallets and hasn’t moved to any exchange yet: According to data from Blockchain.com, all the 107.4 BTC ($4.8 million worth) sent to the address cited by Liquid is still there.
Mark Lee, a spokesperson for Huobi, confirmed to CoinDesk that the address was indeed a Huobi user's deposit address.
"After Huobi was alerted of this incident, we quickly placed restrictions on the account, and are currently in the internal process of investigating both the transaction and the account," Lee added.
Another portion of the stolen TRON, about 3.5 million TRX (or $321,000), didn't go to Huobi but ended up in a separate wallet.
As for the XRP tokens, the wallet identified by Liquid as the hacker's sent 11.5 million XRP, about $14.5 million worth, to centralized exchanges Binance, Huobi and Poloniex, according to data from XRPScan.
That exchange, it turned out, was Binance: spokesperson Jessica Jung confirmed to CoinDesk that Binance identified the XRP stolen from Liquid in its wallets. "We provided Liquid with relevant information, including the BTC withdrawal addresses," Jung said. Binance has frozen "associated accounts," she said.
Poloniex spokesperson Gabriel Wang also confirmed to CoinDesk that the exchange blocked addresses related to the hack.
KuCoin's CEO Johnny Lyu tweeted Thursday that his crypto exchange has blacklisted the addresses Liquid pointed at as related to the hack.
UPDATE (Aug. 21, 15:30 UTC): Adds detail about bitcoin wallet in 16th paragraph.
UPDATE (Aug. 21, 17:19 UTC): Clarifies that it's one of the largest hacks of a crypto exchange in recent history.
UPDATE (Aug. 23, 2021, 10:50 UTC): Adds comment from Poloniex that the exchange also blocked addresses related to the hack.
UPDATE (Aug. 23, 13:50 UTC): Fixes typo in 19th paragraph.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.