Hack of Binance of May 7, 2019. The path through Chipmixer
· Nodes (circles) — transactions.
· Edges (lines) — outputs/inputs associated with addresses.
· Edge color — the type of address with which this input/output is associated:
- blue — p2pkh
- green — p2sh
- red — bech32
Tracking BTC through Chipmixer
On May 7, 2019, Binance crypto exchange was hacked.
Txid of the Binance withdrawal transaction is:
In total, about 7,000 BTC were withdrawn. These two addresses were among others to receive the stolen funds:
The first address received 567.997 BTC, the second one — 519.8974318 BTC. On the next step, these funds were combined (transaction is indicated by a black arrow on Figure 1) and after were sent to the address bc1q2rdpyt8ed9pm56u9t0zjf94zrdu6gufa47pf62 (the output to this address is marked with a red arrow on Diagram 1).
Further we will focus on the chain of transactions starting from this address. We will trace the path starting from this address to the first deposit transactions on Chipmixer, committed by hackers. The diagram 2 shows that after several steps along the peeling chain, part of the funds was split-off from the main chain. Five split-off transactions are indicated with arrows in Diagram 2.
After that, almost all the funds separated from the main chain were sent through several transactions to the Chipmixer’s deposit addresses (deposit transactions are indicated by black arrows in Diagram 3).
On the above section of the graph, you can see Chipmixer’s deposit transactions with the total the amount of 126.464 BTC. Here is the list of deposit transactions with details:
All of the transactions from table 1 were made in the time period from 06:41 to 15:17 on 2019–06–13 UTC. Our algorithm allows to determine the relationship between deposit transactions and transactions withdrawing BTC from Chipmixer and belonging to the same entity that made the deposit transaction. Using our algorithm, we found transactions that hackers used to withdraw funds from Chipmixer.
Let’s look at a specific example of one deposit transaction:
This transaction ended up in block 580502. The hackers deposited 19.456 BTC on Chipmixer with this transaction. Our algorithm pointed the following transaction as an output:
In this particular case, the result was unambiguous. However, there are situations when several potential output transactions are being revealed as a result by our algorithm. To make an unambiguous conclusion in such cases we analyze the behavior of entities before and after the mixer. Moreover, the larger the amount was deposited, the more accurate the result.
Result of detection of the output transaction in current example is also confirmed by the amounts of funds received and withdrawn from the mixer for a certain period of time. In diagram 4, the red graph — funds withdrawn by users in a specific block from Chipmixer, blue — the amount of BTC deposited to Chipmixer in a specific block.
8 deposit transactions from table 1 you can see in the right part of diagram 4 as small peaks. In diagram 5, they are indicated with blue arrows and marked with numbers corresponding to their numbers in table 1.
The corresponding withdrawal transactions are shown on the red graph next to deposit transactions. In diagram 6, deposit transactions are indicated with red arrows and marked with numbers corresponding to the numbers of deposit transactions from Table 1, with which these output transactions are associated.
Getting back to our example:
1. Deposit transaction (marked with blue arrow on diagram 7)
2. Withdrawing transaction (marked with red arrow on diagram 7)
Further, having an output transaction associated with the original deposit transaction, we can track where the hackers sent funds after the mixer:
The diagram 8 shows that the hackers used a peeling chain pattern to split funds into pieces and send them to separate services. In particular, part of the funds was sent to services such as: Binance (about 2.2 BTC), HitBTC (4.5 BTC), Hydra market (0.263 BTC).
Thus, as you can see from the above example, our algorithm is able to find a relationship between a deposit transaction and an output transaction in Chipmixer, belonging to the same entity. It is worth noting that the larger the amount goes to the deposit address, the more accurate the results are. However, we can also track a small amount with fairly high accuracy, relying on the exclusion method and observing the entities’ behavior which uses this mixer.
We used a similar approach when tracking funds stolen from the Kucoin exchange after the hack on September 25, 2020. The hackers sent about 470 BTC to Chipmixer. We found 24 transactions withdrawing BTC from Chipmixer (460.78749 BTC in total). In the case of the Kucoin exchange hack, we were able to track about 98% of the funds sent to Chipmixer. You can find out more about this investigation in our official Twitter account https://twitter.com/blinagency, or on Medium https://medium.com/@blinagency/the-movement-of-kucoin-hack-funds-74c3546b8008.