CRDT

Hacking the KuCoin exchange 2020-09-25. How a hacker laundered 11,500 ETH

Feb 26th, 2021
This article accompanies the video: https://www.youtube.com/watch?v=_72aXrR0TMY. To understand the results of our independent investigation in full, we recommend first watching the video and then returning to this text description and the transaction links.

On September 25, 2020, the KuCoin cryptocurrency exchange was hacked. On October 26, 2020, exchange staff noticed large withdrawal transactions from the exchange's hot wallets. The audit revealed a shortfall of cryptocurrency equivalent to over $274 million in total.
On September 30, 2020, KuCoin CEO Johnny Lyu tweeted that the hacker had been identified. Unfortunately, the media has not reported who exactly the hacker is, or whether this hacker has been arrested or is still at large.
You can read more about this incident in the media. In this video we publish the results of our independent investigation into the movement of the funds, or at least some of the funds, stolen by the KuCoin hacker.
  6.  
  7. So, let's start our investigation...
  8. First, we will investigate the transactions that the KuCoin hacker carried out with the Tornado Cash mixer.
  9. Unfortunately, Tornado Cash does not provide the ability to trace transactions. But we can trace the exits from Tornado Cash. With multiple inputs, we should see multiple outputs and map them over time. If these sets of transactions coincide in time and, subsequently, end up in the same wallet, then we can assume that this particular wallet belongs to the hacker.
  10. Hacker KuKoin used the address:
  11. https://etherscan.io/txs?a=0x34a17418cec67b82d08cf77a987941f99dc87c6b
  12. It was from this address that he sent Ethereum to Tornado Cash.
  13. The exit from Tornado Cash can be tracked on a smart contract:
  14. https://etherscan.io/txsInternal?a=0xa160cdab225685da1d56aa342ad8841c3b53f291
  15. As we know, the KuCoin hacker sent a large number of transactions, 100 Ethereum each. Address 0x34a17418cec67b82d08cf77a987941f99dc87c6b has 115 such outgoing transactions, for a total of 11,500 Ethereum. The hacker KuCoin carried out these transfers over several days, several transactions a day.
  16. You can check the date and time for entries for Tornado Cash using etherscan for address 0x34a17418cec67b82d08cf77a987941f99dc87c6b. There are also a lot of exits and each of these exits exactly coincides with the date and time for entering from Tornado Cash. In order not to describe all these exits (this is a very long time), we will look at some of the latest exits from Tornado Cash, which happened, for example, on October 26 and October 23. On October 26, the hacker got the output:
1. Address 0x4a8a97876b42f6154c612cbd60e49ce308dc3048
https://etherscan.io/address/0x4a8a97876b42f6154c612cbd60e49ce308dc3048#internaltx
2. Address 0x0e2b72150e2837f791f5bd59be20179cea79e465
https://etherscan.io/address/0x0e2b72150e2837f791f5bd59be20179cea79e465#internaltx
After that, the hacker made transfers from these two addresses to a new common address 0xb3fac46b46ef4c7a25a20b25aa6ef230d8ba9d6e:
For convenience, this can also be seen in the Bloxy Info block explorer:
https://bloxy.info/address/0xb3fac46b46ef4c7a25a20b25aa6ef230d8ba9d6e
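The reasoning above (the mixer hides the link, but withdrawals that land shortly after the deposits and then consolidate into one wallet give it away) can be turned into a small heuristic. The following script is an added example written for this write-up, not code from the original investigation; the addresses, amounts and timestamps in it are constructed, and the mixer/hacker address names are placeholders rather than the real contract or attacker addresses.

```python
"""Cluster mixer exits by time and by where they are later consolidated.

Added example (not from the original article). Every address, amount and
timestamp below is constructed for illustration; the mixer and depositor
names are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Tx:
    """A simplified ETH transfer (external or internal transaction)."""
    src: str
    dst: str
    value_eth: float
    ts: int  # unix time, seconds


def _t(s: str) -> int:
    """Parse 'YYYY-MM-DD HH:MM' (UTC) into unix seconds."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M")
               .replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: the depositor sends 100 ETH notes into the mixer, the
# mixer pays 100 ETH out to fresh addresses, two of which then consolidate.
MIXER = "0xmixer_placeholder"
HACKER = "0xhacker_placeholder"
EXIT_A, EXIT_B, EXIT_C = "0xexit_a", "0xexit_b", "0xexit_c"
COMMON, UNRELATED = "0xcommon", "0xunrelated"

SAMPLE_TXS = [
    Tx(HACKER, MIXER, 100, _t("2020-10-23 09:00")),
    Tx(HACKER, MIXER, 100, _t("2020-10-26 10:00")),
    Tx(HACKER, MIXER, 100, _t("2020-10-26 10:05")),
    Tx(MIXER, EXIT_A, 100, _t("2020-10-26 10:40")),   # shortly after a deposit
    Tx(MIXER, EXIT_B, 100, _t("2020-10-26 11:10")),   # shortly after a deposit
    Tx(MIXER, EXIT_C, 100, _t("2020-11-15 08:00")),   # weeks later, unrelated
    Tx(EXIT_A, COMMON, 99.9, _t("2020-10-26 12:00")),
    Tx(EXIT_B, COMMON, 99.9, _t("2020-10-26 12:03")),
    Tx(EXIT_C, UNRELATED, 50, _t("2020-11-16 08:00")),
]


def exits_near_deposits(txs, mixer, depositor, max_gap_s):
    """Mixer withdrawals that land within max_gap_s after a deposit by `depositor`.

    This is the 'map inputs and outputs over time' step: the mixer breaks the
    on-chain link, so withdrawals are only time-correlated candidates.
    """
    deposits = [t.ts for t in txs if t.src == depositor and t.dst == mixer]
    return [t for t in txs if t.src == mixer
            and any(0 <= t.ts - d <= max_gap_s for d in deposits)]


def consolidation_clusters(txs, exits, window_s, min_size=2):
    """Group exit addresses by the address they forward funds to within window_s.

    Returns {destination: sorted exit addresses}, keeping only destinations
    fed by at least `min_size` distinct mixer exits.
    """
    exit_ts = {t.dst: t.ts for t in exits}
    by_dest = defaultdict(set)
    for t in txs:
        first_seen = exit_ts.get(t.src)
        if first_seen is not None and 0 <= t.ts - first_seen <= window_s:
            by_dest[t.dst].add(t.src)
    return {d: sorted(s) for d, s in by_dest.items() if len(s) >= min_size}


def candidate_hacker_wallets(txs=SAMPLE_TXS, mixer=MIXER, depositor=HACKER,
                             max_gap_s=24 * 3600, window_s=7 * 24 * 3600):
    """Wallets into which several time-correlated mixer exits were consolidated."""
    exits = exits_near_deposits(txs, mixer, depositor, max_gap_s)
    return consolidation_clusters(txs, exits, window_s)


if __name__ == "__main__":
    for dest, sources in candidate_hacker_wallets().items():
        print(f"{dest} consolidates {len(sources)} mixer exits: {sources}")
```

On the constructed data only `0xcommon` is reported, fed by `0xexit_a` and `0xexit_b`; `0xexit_c` is dropped because it is withdrawn weeks after the last deposit. On real Etherscan exports the `max_gap_s` and `window_s` thresholds need tuning, and a cluster is a lead to verify, not proof of ownership.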
After that, the hacker sent 50 transactions of 50 ETH each to 50 different addresses.
Each of these 50 addresses sent its 50 ETH to the address 0xa305FAb8bDA7e1638235b054889B3217441Dd645 (I do not list the transaction hashes to save time, but you can verify this yourself using Etherscan or Bloxy), which belongs to the Binance exchange. This address is not the address of any particular user: it is the hot wallet address of the exchange itself. Each individual Binance user has a separate personal deposit address for receiving ETH. This means that the KuCoin hacker created a fairly large number of accounts on the Binance exchange, and each address in this set is a user deposit address on Binance. But why did the KuCoin hacker create so many Binance accounts?
The answer is obvious... Every Binance user who has not passed KYC verification has a relatively low withdrawal limit: 2 BTC per twenty-four hours. But the KuCoin hacker needed to exchange 11,500 ETH in a short time, equivalent to more than 350 BTC. For the KuCoin hacker, going through KYC verification in order to make large withdrawals would have meant the same as admitting to a crime.

To exit the Tornado Cash mixer on October 23, the hacker used the address 0xc609b3940be560c8c00e593bea47fb6ecef6b2c6. This can be seen at:
https://etherscan.io/address/0xc609b3940be560c8c00e593bea47fb6ecef6b2c6#internaltx
After that, the hacker made two additional, relatively small transactions to other addresses. It can be determined that these two transactions were intended as follows: 5 ETH for the Binance exchange, 10 ETH for the ChangeNow exchange.
The hacker also sent the funds held at the address 0x77bde789b22136496385d702e2172311525aa077 to many other wallets, mainly 50 ETH per address. Subsequently, on October 24, each of these relatively small intermediate addresses carried out a transfer to the address 0xa305FAb8bDA7e1638235b054889B3217441Dd645 (by analogy with the case I described before), with the exception of some relatively insignificant transfers that were not intended for 0xa305FAb8bDA7e1638235b054889B3217441Dd645.

As I mentioned above, on October 23 the hacker used the address 0xc609b3940be560c8c00e593bea47fb6ecef6b2c6 to receive the exit from Tornado Cash. After that, the hacker used many addresses with a subsequent deposit to the Binance exchange address 0xa305FAb8bDA7e1638235b054889B3217441Dd645. But he did not use all of the ETH for this purpose. The hacker also made some transfers to third-party addresses. These include the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36. For this he used:
Transfer https://etherscan.io/tx/0xb13f4562a19a02a8da04e85f61726999bc7f04d19e7527caf4f8ac69b4257e09 to the intermediate address 0xf8b91fe30dfc880d80f82223fd8b4c0f9e3a54e3, followed by transfer https://etherscan.io/tx/0xf3b30ba1888a43287bbdc2ee9c9ded4ceb73d8079daf1536a7948285cb57ceb0 to the recipient address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36, which belongs to the ChangeNow exchange, sending 5 ETH to that address.
There is also a very strange temporal connection between the deposits made by the KuCoin hacker and the deposits made by the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36 on those days. Here we consider only a few examples (in fact, there are many more)...
Deposits from the KuCoin hacker's addresses, in most cases of 50 ETH, began to arrive at 0xa305fab8bda7e1638235b054889b3217441dd645 (Binance) on October 24, starting at 00:59.
On October 24 at 01:25, we also see a deposit to the address 0xa305fab8bda7e1638235b054889b3217441dd645 (Binance) made by the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36, in the amount of almost 48 ETH.
https://etherscan.io/tx/0x0fe598c8c0cd7b3763a73a26ff99ac56414deac2b03934bf0f0f3c3c6cb92aa9 This coincides with the time of the deposits made by the hacker.
On October 24 at 06:54, we see a deposit to the address 0xa305fab8bda7e1638235b054889b3217441dd645 (Binance) made by the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36, of more than 39 ETH (https://etherscan.io/tx/0x93f260d2874adb0fc717b641ec52d1115b1599136b3188b44da3f34caa207490). This coincides with the time of the deposits made by the hacker...
On October 24 at 07:08, we see a deposit to the address 0xa305fab8bda7e1638235b054889b3217441dd645 (Binance) made by the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36, of almost 6 ETH (https://etherscan.io/tx/0x087391ec627174adacc4a8c1d98dbdda327a648f2389a067439126f177fa3cda). This coincides with the time of the deposits made by the hacker...
On October 24 at 07:28, we see a deposit to the address 0xa305fab8bda7e1638235b054889b3217441dd645 (Binance) made by the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36, of more than 37 ETH (https://etherscan.io/tx/0xcbb8ad51b7d025683c554403aec769733ce37487a02f3a2f93c4eeda57a22674). This coincides with the time of the deposits made by the hacker...
On October 24 at 10:25, we see a deposit to the address 0xa305fab8bda7e1638235b054889b3217441dd645 (Binance) made by the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36, of more than 114 ETH (https://etherscan.io/tx/0xf0b478ed5e8baf94040293bcc7da88a8f033023853c6d9bc27846bf4f41c5986). This coincides with the time of the deposits made by the hacker...

In other words, on the days and at the hours when the KuCoin hacker made his deposits to the Binance exchange, the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36 made its deposits to the same Binance address almost synchronously. This can be seen by examining Etherscan or the Bloxy block explorer. Not only do these events coincide, but such activity is abnormal for the wallet 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36. And if you examine the amounts that the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36 deposited to the Binance exchange on those days and compare them with the amounts withdrawn, you can see that the withdrawals are 4 times the deposits. This seems to suggest that the KuCoin hacker may have carried out some exchange transactions in parallel via the ChangeNow exchange. The ChangeNow exchange is a long-term client of the KuCoin exchange, as the history of the address 0x7a343cce0fbe8d33e25cd8765950cb5c67c93f36 shows.
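Two patterns are described above: a fan-out of near-identical 50 ETH amounts into intermediate addresses that all forward to one exchange hot wallet (structuring below a per-account withdrawal limit), and a third-party address whose deposits to the same hot wallet land within minutes of the cluster's deposits. The script below, an added example written for this article and not code from the investigation itself, flags both from a list of transfers; the addresses, amounts and timestamps are constructed, and the hot-wallet, source and third-party names are placeholders rather than the real Binance, hacker or ChangeNow addresses. The 2 BTC per 24 hours limit and the 50 ETH denomination are taken from the text.

```python
"""Flag structuring into an exchange hot wallet and deposits from another
address that are synchronized with it.

Added example, not from the original article. Addresses, amounts and
timestamps are constructed; the address names are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import ceil
from statistics import median


@dataclass(frozen=True)
class Tx:
    src: str
    dst: str
    value_eth: float
    ts: int  # unix time, seconds


def _t(s: str) -> int:
    """Parse 'YYYY-MM-DD HH:MM' (UTC) into unix seconds."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M")
               .replace(tzinfo=timezone.utc).timestamp())


HOT_WALLET = "0xexchange_hot_wallet"   # placeholder for an exchange hot wallet
SOURCE = "0xconsolidated_source"       # placeholder for the consolidation address
THIRD_PARTY = "0xthird_party"          # placeholder for the third-party address
INTERMEDIATES = [f"0xintermediate_{i}" for i in range(5)]

# Constructed sample: 50 ETH fan-out on the evening of Oct 23, each intermediate
# forwarding to the hot wallet on Oct 24, plus three third-party deposits.
SAMPLE_TXS = []
for i, addr in enumerate(INTERMEDIATES):
    SAMPLE_TXS.append(Tx(SOURCE, addr, 50, _t("2020-10-23 22:00") + 60 * i))
for i, addr in enumerate(INTERMEDIATES):
    SAMPLE_TXS.append(Tx(addr, HOT_WALLET, 49.99, _t("2020-10-24 00:59") + 5400 * i))
SAMPLE_TXS += [
    Tx(THIRD_PARTY, HOT_WALLET, 47.8, _t("2020-10-24 01:25")),  # near cluster deposit
    Tx(THIRD_PARTY, HOT_WALLET, 39.2, _t("2020-10-24 06:54")),  # near cluster deposit
    Tx(THIRD_PARTY, HOT_WALLET, 12.0, _t("2020-09-30 14:00")),  # unrelated baseline
]


def structuring_intermediates(txs, source, hot_wallet, per_hop_max_s, tolerance=0.1):
    """Addresses that receive near-identical amounts from `source` and forward
    them to `hot_wallet` within per_hop_max_s. Returns (addr, in_eth, out_eth)."""
    received = {t.dst: t for t in txs if t.src == source}
    if not received:
        return []
    typical = median(t.value_eth for t in received.values())
    hits = []
    for addr, tin in received.items():
        if abs(tin.value_eth - typical) > tolerance * typical:
            continue  # not part of the uniform fan-out
        fwd = [t for t in txs if t.src == addr and t.dst == hot_wallet
               and 0 <= t.ts - tin.ts <= per_hop_max_s]
        if fwd:
            hits.append((addr, tin.value_eth, sum(t.value_eth for t in fwd)))
    return sorted(hits)


def synchronized_deposits(txs, cluster_addrs, other, hot_wallet, max_skew_s):
    """Deposits from `other` to `hot_wallet` within max_skew_s of a cluster deposit."""
    cluster_ts = [t.ts for t in txs if t.src in cluster_addrs and t.dst == hot_wallet]
    return [t for t in txs if t.src == other and t.dst == hot_wallet
            and any(abs(t.ts - c) <= max_skew_s for c in cluster_ts)]


def accounts_needed(total_btc, limit_btc_per_day, days):
    """Unverified accounts needed to move total_btc in `days` under a daily per-account limit."""
    return ceil(total_btc / (limit_btc_per_day * days))


def analyze(txs=SAMPLE_TXS):
    inter = structuring_intermediates(txs, SOURCE, HOT_WALLET, per_hop_max_s=24 * 3600)
    cluster = {a for a, _, _ in inter}
    synced = synchronized_deposits(txs, cluster, THIRD_PARTY, HOT_WALLET, max_skew_s=30 * 60)
    return {
        "intermediates": [a for a, _, _ in inter],
        "eth_to_hot_wallet": round(sum(out for _, _, out in inter), 2),
        "synchronized_third_party_eth": [t.value_eth for t in synced],
        "accounts_for_350_btc_in_one_day": accounts_needed(350, 2, 1),
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(f"{k}: {v}")
```

The `accounts_for_350_btc_in_one_day` figure is the article's own arithmetic made explicit: at 2 BTC per account per day, moving 350 BTC in a day needs 175 unverified accounts, which is why a fan-out into many deposit addresses is the signature to look for. An exchange's compliance team would run the same two checks against the hot wallet's inbound transfers; the time skew and amount tolerance are parameters to calibrate, and a hit is grounds for review rather than attribution by itself.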

Now let's summarize everything I've said...
For several days, the KuCoin hacker received exits from Tornado Cash using multiple addresses. After that, the hacker divided the received funds into smaller amounts, which he sent to many other addresses, mainly 50 ETH per address. Most likely, this set of addresses belongs to a corresponding set of Binance accounts, which the KuCoin hacker used to make exchange and withdrawal transactions without going through KYC verification (which would be required to get a higher withdrawal limit).
The KuCoin hacker also made 2 transfers to 2 other addresses, different from the address 0xa305FAb8bDA7e1638235b054889B3217441Dd645 belonging to the Binance exchange.
One of these addresses is 0x09a75408b4ca2660bff2e413630a0c448f1b9bbe, which also belongs to the Binance exchange; this suggests that the KuCoin hacker sent 5 ETH to an accomplice or a relative.
The second address, different from Binance's 0xa305FAb8bDA7e1638235b054889B3217441Dd645, is 0x7A343CcE0fbE8D33E25cD8765950cB5C67c93f36, which belongs to the ChangeNow exchange. Perhaps the KuCoin hacker used this address in the same way as the Binance address 0x09a75408b4ca2660bff2e413630a0c448f1b9bbe, or to pay for some other transaction costs.

We are still continuing our investigation. I hope we will move forward and find much more useful information about the KuCoin hacker.
In addition, we already have some information from our independent investigations into hacker attacks on other projects, as well as high-profile exploits in which many people lost millions of dollars.

So that we can create new videos about our investigations as quickly and as often as possible, we ask for your support. Our wallet addresses:
BTC address: 15TFrZCEWn2FbaXhCX2R7tWCotSjGMmZvp
ETH address: 0x6c629437eF38Aa610fb14FfF8BebA7Dc5B21B29E
TRX address: TRbEpq38kNfJp7smiRPNaXAYKPGycvjnts