CRDT

The Cream Finance hacker has become active again and is now easily laundering funds.

Oct 9th, 2022 (edited)
  1. A few months ago, an attacker attacked the Cream Finance protocol and seized assets worth over 130 million dollars. This has been reported in multiple media outlets, such as:
  2. https://cryptobriefing.com/136m-lost-cream-finance-suffers-another-flash-loan-attack/
  3. https://timgicodo.com/protocol-cream-finance-loses-million-latest-1663043796/
  4. as well as other sources.
  5.  
  6. The question is why this attacker is able to make exchange transactions on some major exchanges, including Binance.
  7. Based on public sources, the hacker's addresses are known:
  8. https://etherscan.io/address/0x24354d31bc9d90f62fe5f2454709c32049cf866b
  9. https://etherscan.io/address/0x921760e71fb58dcc8DE902cE81453E9e3D7fe253
  10. https://etherscan.io/address/0x70747df6ac244979a2ae9ca1e1a82899d02bbea4
  11. https://etherscan.io/address/0x49b9eb77b300014f99b39b35904c2dbc069e428e
  12. Examining these addresses shows that the hacker is trying to launder money using bridges. In particular, the hacker uses the Renproject bridge to convert renBTC tokens into BTC. The hacker's outbound transfers through Renproject can be divided into 3 batches:
  13.  
  14. 1. The hacker's transaction path from the address https://etherscan.io/address/0x921760e71fb58dcc8de902ce81453e9e3d7fe253 (etherscan has designated this address as "Cream Finance Flash Loan Exploiter 2") to the address https://etherscan.io/address/0x4648451b5f87ff8f0f7d622bd40574bb97e25980, which is the official TradeOgre address:
  15. https://etherscan.io/tx/0x36f82018700515ec5170218466fa8871bf2191a674f95ff3fd5782c2e154487d => https://etherscan.io/tx/0xca0f36818f8752d1361c04502d334f0aa342142323b7fe23102fcfd6c1ab0c3e
  16.  
  17. 2. Money laundering batch #1 can be traced to https://etherscan.io/address/0x49b9eb77b300014f99b39b35904c2dbc069e428e#tokentxns:
  18. 2.1. https://etherscan.io/tx/0x175cbbba646054274a80dab2fdcfa0a9776257030c24073e2446319ba6ad6c0c corresponds to https://www.blockchain.com/ru/btc/tx/7ac6eb9fb268f855ff417ce6dbbb241f508962c7195e2389525aea245a1620c5
  19. 2.2. https://etherscan.io/tx/0x6f0d47c6d413dffee00fdd8da94a1761e7bb77510f81bde3baf0798f642baeab corresponds to https://www.blockchain.com/ru/btc/tx/88351d1f6a899d0851efdcc4d10383910bef5322c2f44d4aede3dc0e0b8b1926
  20. 2.3. https://etherscan.io/tx/0xc78611839fbc126bbaf4c29aeee9b7b2493f6bf0decb7a5f91e995bbe78065dc corresponds to https://www.blockchain.com/ru/btc/tx/25b2d1fb1c1297bb11e198862c055ac89d3552d04cbc0f9ee5dd5419f1b88fc6
  21. 2.4. https://etherscan.io/tx/0xd2c59581e3d2fcb00e84837695250796f33fdf68acbdc890e3e965867f7a5b19 corresponds to https://www.blockchain.com/ru/btc/tx/9dae61da9e250a8a6562d434b843b9d518be1b42778f24e12086e275cfbcc6e6
  22. 2.5. https://etherscan.io/tx/0x2072772b47071c216278c455656b261873b96547fa8784519c61a908d98ce5fc corresponds to https://www.blockchain.com/ru/btc/tx/585e1e34e1687a5f7ddd1faf073100cf7c1917923b9f9fe9d78e87b39aceb0bf
  23.  
  24. In total, all of the BTC the hacker obtained in laundering batch #1 was collected at the address
  25. https://www.blockchain.com/btc/address/bc1q58n8g56l6sqlsy5s8w2767xpgugjja9uwyc9d9 (!!!)
  26. The address bc1q58n8g56l6sqlsy5s8w2767xpgugjja9uwyc9d9 is located on the TradeOgre exchange.
  27.  
  28. 3. Money laundering batch #2 is traced to https://etherscan.io/address/0x7c0579d0bc9954e935196cccafb3a93eb2d65f2d#tokentxns:
  29. 3.1. https://etherscan.io/tx/0x6a6c59a3d8c70b99cd9e24336f45dac6a5a01d2d9750e9d48b6086c1d6555d57 corresponds to https://www.blockchain.com/ru/btc/tx/567d10834a1e2fc69549aeaa14a7ff5697a2b9ea88204ddee8b6f345459edde6
  30. 3.2. https://etherscan.io/tx/0x2ba88670f04d048238a22edb4003ea4382d1ec405fb1101df2012d38d66b276a corresponds to https://www.blockchain.com/ru/btc/tx/519e3c8a3aab702438459a5dc7cfd60fe0b08d0e99fd365f945a9b13c01a55eb
  31. 3.3. https://etherscan.io/tx/0xb26613f716dba4a0bf970ec424ce09288c1e6a1521c903a09fd4de99f1fabf4a corresponds to https://www.blockchain.com/ru/btc/tx/fdef76f15f2b687b5016240a100c9d62b2ec32808b6e5ae9a6cdd1ade755282e
  32. 3.4. https://etherscan.io/tx/0xbac1c5e9d34b2d5dd1dfaed1cae47887cfa05090fe7c35537af6ccab83c6026a corresponds to https://www.blockchain.com/ru/btc/tx/8d822155cc989d3dd822951fdf5eae11bf42e15c43a1f54ee9e9cd3b6b13749f
  33.  
  34. Thus, we see the second address of the hacker: bc1qxn95s5c3q8y7q3w3gzgy0v74q05vvmvmsn8g8s (!!!)
  35.  
  36. 4. Money laundering batch #3 is traced to https://etherscan.io/address/0x921760e71fb58dcc8DE902cE81453E9e3D7fe253#tokentxns:
  37. https://etherscan.io/tx/0x33844d8a43759d94cd86bc5f24b0001f67a1a9670c37646153c80252c0e29132 corresponds to https://www.blockchain.com/ru/btc/tx/94bd34604b4e3f67f6694087b0f2f823f5fb92b39635fa9bb28f8a9d3ca4f418
  38.  
  39. Thus, we see another hacker address: bc1qnjstca5gzja3ay9ktyf2qsa7jr4lf0cn8hkfhd (!!!)
  40.  
  41. The hacker made several direct transactions to the Binance exchange:
  42. - https://www.blockchain.com/ru/btc/tx/57cb533694c23f02945d38827927203f870330209e27ab7200d236c58149706f - 2.94047542 BTC
  43. - https://www.blockchain.com/ru/btc/tx/3d2e2f5f3c358070aa57c11b6fdd230e122bab3212f8d80c95a78ba7641d94b9 - 2.73445042 BTC
  44. - https://www.blockchain.com/ru/btc/tx/c2a1140bd4f79e39ec2c92398981e2fbb8c855678a7a156aac49882cdd3bacfc - 1.04721368 BTC
  45. - https://www.blockchain.com/ru/btc/tx/3c752f74a9764d30af7e5eb7c8c371886c6e7d6cdcac902fd85101915e92789a - 0.81269287 BTC
  46. - https://www.blockchain.com/ru/btc/tx/5dc3308e9a5ba1b7a6d8b47e766bad07c4a197c6c51d46bbc93f5c73a451f429 - 3.00000000 BTC
  47. - https://www.blockchain.com/ru/btc/tx/8409936ffa008533f71d14207cdde9a35d92c925db5968c6c8adbcdead385d47 - 1.00000000 BTC
  48. - https://www.blockchain.com/ru/btc/tx/e4fb9e180fc5ed3676598797e67b57254cd89562a902a5a40bc1dcc6e15e4a64 - 0.47868519 BTC
  49. - https://www.blockchain.com/ru/btc/tx/64e705dcf62bc90fc2e324ee0447751e63f024768aef8b0fdb9e783d5c09ee13 - 0.01455361 BTC
  50.  
  51. The hacker also uses an intermediary address: https://www.blockchain.com/ru/btc/address/bc1q9c0ryk3sp6nyzqfpv758t09eml35r4rlktkpcl (!!!)
  52.  
  53. The hacker's BTC addresses mentioned above also make deposits to other exchanges, including KuCoin, FTX, OKX and others.
  54.  
  55. In any case, we see that at least 2 addresses, which directly belong to the hacker who attacked Cream Finance a few months ago, are using the Binance exchange. From the above we know these 2 addresses:
  56. https://www.blockchain.com/btc/address/bc1q58n8g56l6sqlsy5s8w2767xpgugjja9uwyc9d9
  57. https://www.blockchain.com/btc/address/bc1qxn95s5c3q8y7q3w3gzgy0v74q05vvmvmsn8g8s
  58. Also, it can be easily determined that for these two addresses, the hacker has repeatedly used the intermediary address https://www.blockchain.com/ru/btc/address/bc1q9c0ryk3sp6nyzqfpv758t09eml35r4rlktkpcl for subsequent deposits on various large exchanges including the Binance exchange.
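
The screening logic implied by the tracing above, as an added example (not part of the original paste): starting from a set of flagged addresses, follow outgoing transfers for a limited number of hops, report which exchange deposit addresses they reach, and list any intermediary fed by more than one flagged address. All address labels and transfers below are constructed placeholders, not values from the paste.

```python
from collections import deque

# Constructed sample data: (sender, receiver) transfers with placeholder labels.
TRANSFERS = [
    ("flagged_A", "intermediary_X"),
    ("flagged_B", "intermediary_X"),
    ("intermediary_X", "exchange_deposit_1"),
    ("flagged_A", "exchange_deposit_2"),
    ("unrelated_C", "exchange_deposit_3"),
    ("intermediary_X", "wallet_Y"),
    ("wallet_Y", "wallet_Z"),
    ("wallet_Z", "exchange_deposit_4"),
]
FLAGGED = {"flagged_A", "flagged_B"}
DEPOSITS = {f"exchange_deposit_{i}" for i in range(1, 5)}


def trace_to_deposits(transfers, flagged, deposits, max_hops=2):
    """Map each deposit address reachable from a flagged address within
    max_hops transfers to the shortest path that reaches it."""
    outgoing = {}
    for sender, receiver in transfers:
        outgoing.setdefault(sender, []).append(receiver)
    hits, seen = {}, set(flagged)
    queue = deque((addr, [addr]) for addr in sorted(flagged))
    while queue:
        addr, path = queue.popleft()
        if addr in deposits:
            hits.setdefault(addr, path)  # BFS: first path found is shortest
            continue                     # do not trace past exchange custody
        if len(path) - 1 == max_hops:
            continue                     # hop budget exhausted
        for nxt in outgoing.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return hits


def shared_intermediaries(transfers, flagged, deposits):
    """Non-exchange addresses funded directly by two or more flagged addresses."""
    sources = {}
    for sender, receiver in transfers:
        if sender in flagged and receiver not in deposits:
            sources.setdefault(receiver, set()).add(sender)
    return {a: sorted(s) for a, s in sources.items() if len(s) > 1}
```

Raising `max_hops` widens the screen at the cost of more false positives, since funds several transfers away may have changed owners.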
  59.  
  60.  