Money Trail From Liquid Exchange Hack Points to Wasabi Privacy Wallets

Hackers are using Wasabi wallets to launder BTC stolen from Liquid or received in exchange for other stolen cryptos, according to Crystal Blockchain.

Aug 30, 2021 at 6:54 p.m. UTC
Updated May 11, 2023 at 3:55 p.m. UTC

Hackers who stole about $97 million in cryptocurrency from the Liquid exchange used the non-custodial, privacy-focused Wasabi wallet to protect some of their gains, according to sleuthing firm Crystal Blockchain.

Bitcoin from the wallets Liquid identified as belonging to the hackers has been on the move over the past two weeks, public blockchain data shows. For example, on Aug. 29, 100 BTC (worth over $4.8 million) from one hacker-linked address was split up and sent to two separate addresses, then further broken into smaller pieces and distributed to yet more addresses.

At least some of that bitcoin was then sent to addresses believed to be generated by a Wasabi wallet, according to Crystal Blockchain data.

This was one of many similar transactions that the hackers made using Wasabi, presumably to disconnect the stolen funds from their criminal history, according to Crystal. This would be a necessary step to spend such funds or sell them for fiat money, because centralized exchanges tend to freeze funds that are known to come from hacks, exploits and scams.

Over 437 BTC (worth over $20 million) associated with the Liquid hackers have been laundered using Wasabi’s CoinJoin feature, and the process is still ongoing, according to Crystal.

Earlier this month, CoinDesk tracked other funds funneled out of Liquid, finding that ether and ERC20 tokens were sent to Ethereum-based online mixer Tornado.cash and decentralized exchanges (DEXs).

Wasabi is a privacy-focused desktop wallet that allows users to make their bitcoin less traceable on the public ledger by arranging so-called CoinJoin transactions. Multiple users can commingle their bitcoin in joint transactions and get it back disconnected from the previous history of payments. It also routes transactions over the Tor network, which further helps to conceal the user’s IP address.

Although Wasabi is a non-custodial wallet that doesn’t store users’ funds, it generates addresses for CoinJoin transactions that blockchain analytics tools have learned to identify. Crypto sleuthing firm Elliptic did this last year, following bitcoin coming from the infamous Twitter hack to addresses associated with Wasabi.

According to Kyrylo Chykhradze, product director for Crystal Blockchain, identification of such addresses is more challenging than attributing addresses to custodial crypto services, so Crystal makes “a lot of double-checks before the final labeling” of the addresses in their analytics system.
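An added illustration, not from the article and not Crystal's or Elliptic's method: a minimal structural heuristic for spotting equal-output CoinJoin transactions, together with a look-alike (a single-funder batch payout) that shows why labels need double-checking. The threshold, field names and sample transactions are constructed assumptions.

```python
from collections import Counter

MIN_EQUAL_OUTPUTS = 5  # assumed threshold for illustration, not from the article


def coinjoin_profile(tx, min_equal=MIN_EQUAL_OUTPUTS):
    """Return equal-output statistics if tx has CoinJoin-like structure, else None."""
    inputs, outputs = tx["inputs"], tx["outputs"]
    if not inputs or not outputs:
        return None
    # The most frequent output value is the candidate mixing denomination.
    denomination, count = Counter(outputs).most_common(1)[0]
    if count < min_equal:
        return None
    # Simplifying assumption: each participant funds their own equal output,
    # so a joint transaction has at least as many inputs as equal outputs.
    # A single funder paying many equal amounts (batch payout) fails here.
    if len(inputs) < count:
        return None
    return {
        "txid": tx["txid"],
        "denomination_sats": denomination,
        "equal_outputs": count,              # upper bound on the anonymity set
        "other_outputs": len(outputs) - count,  # change outputs, still traceable
    }


def flag_transactions(txs):
    """Return profiles for every transaction that matches the heuristic."""
    return [p for p in map(coinjoin_profile, txs) if p is not None]


# Constructed sample data (amounts in satoshis); not real transactions.
SAMPLE_TXS = [
    {"txid": "constructed-coinjoin",
     "inputs": [12_500_000, 10_300_000, 31_000_000, 10_050_000, 15_000_000, 10_900_000],
     "outputs": [10_000_000] * 6 + [2_400_000, 250_000, 20_900_000, 4_900_000, 850_000]},
    {"txid": "constructed-batch-payout",
     "inputs": [70_000_000],
     "outputs": [10_000_000] * 6 + [9_990_000]},
    {"txid": "constructed-payment",
     "inputs": [5_000_000],
     "outputs": [3_000_000, 1_990_000]},
]

if __name__ == "__main__":
    for profile in flag_transactions(SAMPLE_TXS):
        print(profile)
```

A structural match only marks a transaction as CoinJoin-shaped; it does not attribute it to a specific wallet, and it does not link any input to any equal-valued output.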

Wasabi did not immediately respond to a request for comment.

Swapped and tumbled

According to Crystal Blockchain, wallets associated with the Liquid hackers received some 1,168 BTC in total, most of which they got by swapping other cryptocurrencies for bitcoin on several exchanges.

CoinDesk previously reported that the hackers sent stolen XRP tokens to three exchanges – Binance, Huobi and Poloniex – where they managed to exchange them for bitcoin on the first day after the hack. That bitcoin stash was later partially laundered via Wasabi’s CoinJoin addresses, according to Crystal.

ERC20 tokens, which run on the Ethereum blockchain, had been sent to decentralized exchanges (DEXs), swapped for ether and then sent to Tornado.cash, an online mixer for ether. Some tokens were also swapped for bitcoin on the decentralized exchange Ren, resulting in an additional 394 BTC in the hackers’ stash, Chykhradze said.

“For almost two weeks hackers have been using different methods to cover their tracks – substantial amounts of XRP, ETH and ERC20 tokens were either converted into BTC or mixed through the Tornado tumbler service,” Chykhradze said.

In addition, several dozen BTC were moved to multiple unidentified wallets and left there for now.

Liquid, a Japanese cryptocurrency exchange, was hacked on Aug. 18. About $97 million worth of multiple cryptocurrencies were siphoned out. The exchange immediately started publishing updates on the hack and the addresses to which the hackers withdrew money.

Several exchanges worked with Liquid to label and block the addresses related to the hackers, they previously told CoinDesk. However, in many cases the hackers managed to get funds out faster than the exchanges reacted.

On Aug. 30, Liquid posted an update urging users to generate new deposit wallets.


Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.

