- A few months ago, an attacker hit the Cream Finance protocol and seized assets worth over 130 million dollars. This has been reported in multiple media outlets, such as:
- https://cryptobriefing.com/136m-lost-cream-finance-suffers-another-flash-loan-attack/
- https://timgicodo.com/protocol-cream-finance-loses-million-latest-1663043796/
- as well as other sources.
- The question is why this attacker is able to transact on some major exchanges, including the Binance exchange.
- Based on public sources, the hacker's addresses are known:
- https://etherscan.io/address/0x24354d31bc9d90f62fe5f2454709c32049cf866b
- https://etherscan.io/address/0x921760e71fb58dcc8DE902cE81453E9e3D7fe253
- https://etherscan.io/address/0x70747df6ac244979a2ae9ca1e1a82899d02bbea4
- https://etherscan.io/address/0x49b9eb77b300014f99b39b35904c2dbc069e428e
- Examining these addresses shows that the hacker is trying to launder money through bridges. In particular, the hacker uses the Renproject bridge to convert renBTC tokens into BTC. The outbound transfers that the hacker made through Renproject can be divided into 3 batches:
- 1. The hacker's transaction path from the address https://etherscan.io/address/0x921760e71fb58dcc8de902ce81453e9e3d7fe253 (designated by Etherscan as "Cream Finance Flash Loan Exploiter 2") to the address https://etherscan.io/address/0x4648451b5f87ff8f0f7d622bd40574bb97e25980, which is the official TradeOgre address:
- https://etherscan.io/tx/0x36f82018700515ec5170218466fa8871bf2191a674f95ff3fd5782c2e154487d => https://etherscan.io/tx/0xca0f36818f8752d1361c04502d334f0aa342142323b7fe23102fcfd6c1ab0c3e
- 2. Money laundering batch #1 can be traced to https://etherscan.io/address/0x49b9eb77b300014f99b39b35904c2dbc069e428e#tokentxns:
- 2.1. https://etherscan.io/tx/0x175cbbba646054274a80dab2fdcfa0a9776257030c24073e2446319ba6ad6c0c corresponds to https://www.blockchain.com/ru/btc/tx/7ac6eb9fb268f855ff417ce6dbbb241f508962c7195e2389525aea245a1620c5
- 2.2. https://etherscan.io/tx/0x6f0d47c6d413dffee00fdd8da94a1761e7bb77510f81bde3baf0798f642baeab corresponds to https://www.blockchain.com/ru/btc/tx/88351d1f6a899d0851efdcc4d10383910bef5322c2f44d4aede3dc0e0b8b1926
- 2.3. https://etherscan.io/tx/0xc78611839fbc126bbaf4c29aeee9b7b2493f6bf0decb7a5f91e995bbe78065dc corresponds to https://www.blockchain.com/ru/btc/tx/25b2d1fb1c1297bb11e198862c055ac89d3552d04cbc0f9ee5dd5419f1b88fc6
- 2.4. https://etherscan.io/tx/0xd2c59581e3d2fcb00e84837695250796f33fdf68acbdc890e3e965867f7a5b19 corresponds to https://www.blockchain.com/ru/btc/tx/9dae61da9e250a8a6562d434b843b9d518be1b42778f24e12086e275cfbcc6e6
- 2.5. https://etherscan.io/tx/0x2072772b47071c216278c455656b261873b96547fa8784519c61a908d98ce5fc corresponds to https://www.blockchain.com/ru/btc/tx/585e1e34e1687a5f7ddd1faf073100cf7c1917923b9f9fe9d78e87b39aceb0bf
- In total, all of the BTC the hacker obtained in laundering batch #1 was collected at the address
- https://www.blockchain.com/btc/address/bc1q58n8g56l6sqlsy5s8w2767xpgugjja9uwyc9d9 (!!!)
- The address bc1q58n8g56l6sqlsy5s8w2767xpgugjja9uwyc9d9 is located on the TradeOgre exchange.
- 3. Money laundering batch #2 is traced to https://etherscan.io/address/0x7c0579d0bc9954e935196cccafb3a93eb2d65f2d#tokentxns:
- 3.1. https://etherscan.io/tx/0x6a6c59a3d8c70b99cd9e24336f45dac6a5a01d2d9750e9d48b6086c1d6555d57 corresponds to https://www.blockchain.com/ru/btc/tx/567d10834a1e2fc69549aeaa14a7ff5697a2b9ea88204ddee8b6f345459edde6
- 3.2. https://etherscan.io/tx/0x2ba88670f04d048238a22edb4003ea4382d1ec405fb1101df2012d38d66b276a corresponds to https://www.blockchain.com/ru/btc/tx/519e3c8a3aab702438459a5dc7cfd60fe0b08d0e99fd365f945a9b13c01a55eb
- 3.3. https://etherscan.io/tx/0xb26613f716dba4a0bf970ec424ce09288c1e6a1521c903a09fd4de99f1fabf4a corresponds to https://www.blockchain.com/ru/btc/tx/fdef76f15f2b687b5016240a100c9d62b2ec32808b6e5ae9a6cdd1ade755282e
- 3.4. https://etherscan.io/tx/0xbac1c5e9d34b2d5dd1dfaed1cae47887cfa05090fe7c35537af6ccab83c6026a corresponds to https://www.blockchain.com/ru/btc/tx/8d822155cc989d3dd822951fdf5eae11bf42e15c43a1f54ee9e9cd3b6b13749f
- Thus, we see the second address of the hacker: bc1qxn95s5c3q8y7q3w3gzgy0v74q05vvmvmsn8g8s (!!!)
- 4. Money laundering batch #3 is traced to https://etherscan.io/address/0x921760e71fb58dcc8DE902cE81453E9e3D7fe253#tokentxns:
- https://etherscan.io/tx/0x33844d8a43759d94cd86bc5f24b0001f67a1a9670c37646153c80252c0e29132 corresponds to https://www.blockchain.com/ru/btc/tx/94bd34604b4e3f67f6694087b0f2f823f5fb92b39635fa9bb28f8a9d3ca4f418
- Thus, we see another hacker address: bc1qnjstca5gzja3ay9ktyf2qsa7jr4lf0cn8hkfhd (!!!)
- The hacker made several direct transactions to the Binance exchange:
- - https://www.blockchain.com/ru/btc/tx/57cb533694c23f02945d38827927203f870330209e27ab7200d236c58149706f - 2.94047542 BTC
- - https://www.blockchain.com/ru/btc/tx/3d2e2f5f3c358070aa57c11b6fdd230e122bab3212f8d80c95a78ba7641d94b9 - 2.73445042 BTC
- - https://www.blockchain.com/ru/btc/tx/c2a1140bd4f79e39ec2c92398981e2fbb8c855678a7a156aac49882cdd3bacfc - 1.04721368 BTC
- - https://www.blockchain.com/ru/btc/tx/3c752f74a9764d30af7e5eb7c8c371886c6e7d6cdcac902fd85101915e92789a - 0.81269287 BTC
- - https://www.blockchain.com/ru/btc/tx/5dc3308e9a5ba1b7a6d8b47e766bad07c4a197c6c51d46bbc93f5c73a451f429 - 3.00000000 BTC
- - https://www.blockchain.com/ru/btc/tx/8409936ffa008533f71d14207cdde9a35d92c925db5968c6c8adbcdead385d47 - 1.00000000 BTC
- - https://www.blockchain.com/ru/btc/tx/e4fb9e180fc5ed3676598797e67b57254cd89562a902a5a40bc1dcc6e15e4a64 - 0.47868519 BTC
- - https://www.blockchain.com/ru/btc/tx/64e705dcf62bc90fc2e324ee0447751e63f024768aef8b0fdb9e783d5c09ee13 - 0.01455361 BTC
- The hacker also uses an intermediary address https://www.blockchain.com/ru/btc/address/bc1q9c0ryk3sp6nyzqfpv758t09eml35r4rlktkpcl (!!!)
- The hacker's BTC addresses mentioned above also make deposits to other exchanges, including KuCoin, FTX, OKX and others.
- In any case, we see that at least 2 addresses, which directly belong to the hacker who attacked Cream Finance a few months ago, are using the Binance exchange. From the above we know these 2 addresses:
- https://www.blockchain.com/btc/address/bc1q58n8g56l6sqlsy5s8w2767xpgugjja9uwyc9d9
- https://www.blockchain.com/btc/address/bc1qxn95s5c3q8y7q3w3gzgy0v74q05vvmvmsn8g8s
- It can also be easily determined that, for these two addresses, the hacker has repeatedly used the intermediary address https://www.blockchain.com/ru/btc/address/bc1q9c0ryk3sp6nyzqfpv758t09eml35r4rlktkpcl for subsequent deposits on various large exchanges, including the Binance exchange.
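
The tracing step described above (following tainted addresses through intermediary hops until funds reach an exchange deposit) can be automated by an exchange's monitoring team. The sketch below is an added example, not part of the original investigation; every address label in it is a constructed placeholder, and the exchange label table is an assumed input such as an internal tag database.

```python
from collections import deque

# Constructed sample transfers (sender, receiver). Placeholder labels only:
# none of these are addresses taken from the write-up.
TRANSFERS = [
    ("tainted_A", "hop_1"),
    ("tainted_B", "hop_1"),
    ("hop_1", "exchange_X_deposit"),
    ("tainted_A", "exchange_Y_deposit"),
    ("tainted_C", "hop_2"),
    ("hop_2", "unlabelled_wallet"),
    ("unrelated", "exchange_X_deposit"),
]
# Assumed attribution labels (hypothetical), e.g. from an internal tag database.
EXCHANGE_LABELS = {"exchange_X_deposit": "Exchange X",
                   "exchange_Y_deposit": "Exchange Y"}


def build_graph(transfers):
    """Adjacency map: sender -> set of receivers."""
    graph = {}
    for sender, receiver in transfers:
        graph.setdefault(sender, set()).add(receiver)
    return graph


def paths_to_exchanges(graph, source, labels, max_hops=3):
    """Breadth-first search from one tainted address; return every path that
    ends at a labelled exchange deposit address within max_hops transfers."""
    found, queue = [], deque([[source]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in labels and len(path) > 1:
            found.append(path)
            continue  # funds entered the exchange; stop following this branch
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:  # avoid cycles
                queue.append(path + [nxt])
    return found


def shared_intermediaries(graph, sources, labels, max_hops=3):
    """Intermediate addresses on exchange-bound paths of two or more sources."""
    seen = {}
    for src in sources:
        for path in paths_to_exchanges(graph, src, labels, max_hops):
            for hop in path[1:-1]:
                seen.setdefault(hop, set()).add(src)
    return {hop: sorted(srcs) for hop, srcs in seen.items() if len(srcs) >= 2}
```

A hop shared by several tainted sources, like `hop_1` here, is the pattern the write-up points to with its intermediary address; flagging such hops lets deposits be held for review even when they never arrive directly from a published address.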
- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
- To thank the contributors to this independent investigation, you can send any amount of funds to any of these addresses of ours:
- BTC address: 15TFrZCEWn2FbaXhCX2R7tWCotSjGMmZvp
- ETH address: 0x6c629437eF38Aa610fb14FfF8BebA7Dc5B21B29E
- TRX address: TRbEpq38kNfJp7smiRPNaXAYKPGycvjnts