The movement of Kucoin hack funds
On September 25, 2020, the KuCoin exchange was hacked.
The equivalent of approximately $280M was stolen during this attack.
1,008 BTC and 999,160 UDST were withdrawn from the KuCoin addresses and went to the following address 1NRsEQRg5EjmJHbPUX7YADVPcPzCQBkyU7.
The next day, September 26, assets in USDT were frozen.
We investigated the further path of these bitcoins. Below is a diagram of the movement of BTC from the moment of hacking until entering the mixers.
Complete graph from KuCoin hack to mixers:
The active phase of laundering of the stolen Bitcoins began October 26.
Two mixing services were used: ChipMixer and Wasabi Wallet (Coinjoin transactions).
ChipMixer was used on the dates of October 26–28. Funds were sent to the following deposit address 17vuW78TbsC1DdTUus3ELjkLBcYxFqhcyU. October 26: 200.992633 BTC was sent to ChipMixer in total. October 27: 148.439592 BTC was sent to ChipMixer in total. October 28: 124.979928 BTC was sent to ChipMixer in total.
From October 31st, Hackers started to use Coinjoin transactions based on the Wasabi wallet to transfer stolen funds. October 31: 48.1892513 BTC went through Coinjoin in total. November 1: 237.651755 BTC went through Coinjoin in total. November 2: 251.622331 BTC went through Coinjoin in total. November 3: 49.999154 BTC went through Coinjoin in total.
Using our algorithms for mixers analysis, we’ve found the following transactions, withdrawing funds from Chipmixer and, we believe, these transactions belong to the hackers.
October 26: 4a6e37e330a82aec5d8402f0264e6d8884d6e6b5896c0d4725c4cfe0f7ea2ba8 3a47e412837e2717a892ac4d4b148e54edfda214802fc47c34b287578c3fcab8 6ff8dc03728e8558c1bc5e78c2b1bdb1469fb9e5c1761bc86bdaf991c6524146 23d94e7c8ae6ae2bfb61adc45c3f1fbe7e12cf88dd9722575e6819f88cb5f2a7 64a5360450a1a3027a47ce997b18f1c4786377fff7a31b45476826eadd21e862 3533891c3cfdb2ff407b2b0642e0352b97f50ce0c203e674c1355716e9d794dd ad8d37577db0f5eead39fe81ac3bbc16c3595a2a76206f3c13aab4a5da64d624 a78bf34b3fd59da8ada8bcfa4de6c777fdf28fb8f1b27f26da242b8c63c43c66 3ebab115d1e4551430cfc5987b19a5fa3cd5eba8baa3e32ca0f2150bf381c7f5
727124fe064843092bd12625436545582821bb12e0f8d209e710b12c2280f1a2 ecbfb5451e69bc38c24135aa6b3a06991aa90a071ae540764b9408819c86bef8 9942b08c78aeb941c4da3494ff8c3ef93d5f2a7f53ac58c1287c38f7bc807072 b07f87b2df5b550c9fd3fc267bcd6fc61cac518c5c264196799e38cbd6cd9f24 f16796816ab1f9ee2dd8fa958239f9ad789c44f47cd229a04be65eb121112c59
7e4a8858c798db13d7a05474eef671764c865d417d1be7831b3d8f5c86de0597 aece0ec3a9fa35a0707c28256581a173ed161b891bd00fe65eec8bd0cf8c1a87 9c1db85b6f7c46a50d138859d4c14b9083fa4c386dc03e8a68aeef39acfc6c3b f99af9eb87ac8bef2cf94bd94d054f12d68a2199caab7fdc9ada53afad350275 83b8e80f7626dde272e76c766f786ff1232c2153365ccd7b11a551fbc657f07e ec8f7cfe952bc558db43d8d7b113adf3b1a1f96385027304b82ab340f8963653 1c1cb00fe056a62ca3db834022eedefb117b9dfb5f1e205ea9cbe3d7a27d496a 18152dd58fdf12093e82f45fe3e754f9baf55a540546cfb2b62080aadfa09f1b a6263d57ca1627c4082669b78ec4f0422b9af4de618970626a319e449f678a48
The diagram above shows the movement of stolen funds after the withdrawal of 25.09600 BTC from ChipMixer. It was done in two transactions:
Another 14.00142624 BTC came from the unknown service (with transaction f65065bec488885675d38b813b46f1f94540a6018a24165af918117311ab9919) and were joined with those 25.09600 BTC.
We believe these 14.00142624 BTC also belong to the hackers and were obtained in exchange for the other assets stolen from the KuCoin on Sept, 25.
After that, 27.7476327 BTC (24.3+3.4BTC) — a part of that joint sum entered the
Binance exchange (addresses: 1A65a3SjNGAiatEh9QQgseQQXCjYoQreJi and 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s).
This is the hourly histogram of hackers’ activity before the funds reached the mixers. X-axis — hours (UTC time); Y-axis — number of transactions done within the hour.
Since the main activity occurred between 6 am and 8 pm UTC, we can assume that hackers may be located either in the European or Asian regions. We bet hackers act from Asia.
This diagram shows two related to each other transactions. Both transactions withdrawing funds from ChipMixer:
It is interesting, that part of the funds (2.05006440 BTC) was transferred to the Thai exchange — bitkub.com. And the only available fiat currency on Bitkub is the Thai baht. This fact may indirectly indicate that hackers may be located in the Asian region, in particular in Thailand.
Another part of the funds (2.98722000 BTC) was sent to Binance.
This diagram shows where the stolen funds went after they left ChipMixer with these 4 transactions:
ec8f7cfe952bc558db43d8d7b113adf3b1a1f96385027304b82ab340f8963653 83b8e80f7626dde272e76c766f786ff1232c2153365ccd7b11a551fbc657f07e 6ff8dc03728e8558c1bc5e78c2b1bdb1469fb9e5c1761bc86bdaf991c6524146 23d94e7c8ae6ae2bfb61adc45c3f1fbe7e12cf88dd9722575e6819f88cb5f2a7
Part of the funds were mixed with other bitcoins and gathered on the address 3BygU6QtnTxXBX1iM6kDMYLrpFbNGN4tvg.
The second part was merged with 25.5 bitcoins from an unknown service in transaction 55e8c6187531aad97391e00ebe9d3078fd5342a708da610b91f878d79ad0cd48.
The panoramic view of the hackers' activity. See more detailed images below.
This diagram shows the movement of BTC went out ChipMixer with transaction: 7e4a8858c798db13d7a05474eef671764c865d417d1be7831b3d8f5c86de0597
Part of the funds was separated from the main branch and mixed with funds received from other services. After that, it was transferred to the address 19qvQ7yZx61MxAmiiuYARJ9JBBcsq2mf2K.
Another part of the funds was split. Visually this split resembles a sawtooth pattern. In the end rest of BTC had hit various services, one of them Binance— 3.38173792 BTC.
Hackers move stolen funds to Binance
3.38173792 BTC has entered Binance with these transactions: 7d127f087499719a6eaa2fd67643e51465ce67680b4a0f37a008d1b78a686734
This diagram shows the movement of BTC after they were withdrawn from ChipMixer by hackers with a transaction:
b07f87b2df5b550c9fd3fc267bcd6fc61cac518c5c264196799e38cbd6cd9f24 (highlighted node).
A part of these funds ended up on the HitBTC (about 1.7 BTC), the second part went to Binance, and some of the funds went to an unknown service at the following address 39mKJfQUSdEFD7WtgutQtntMWTYVBiKHnU. We assume that it belongs to an exchange.
You can also see the connection (highlighted edges) with other BTC, transactions withdrawn from ChipMixer by hackers.
We’ve tweeted about the movement of these funds earlier.