Investigation into NEM Hack: Bitfinex Was the Primary Laundry Machine

Investigations Jul 22, 2020

Investigation into NEM Hack, Potential Bitfinex Involvement?


As most readers will know, a large quantity of NEM tokens ($XEM) was stolen from the Japanese exchange Coincheck in January 2018, with roughly $530 million worth extracted from the exchange.

The Coincheck Cryptocurrency Hack: Everything You Need to Know
Hackers have stolen roughly $530 million from Tokyo-based cryptocurrency exchange Coincheck. The following are some questions and answers.

The NEM was never recovered. However, it is traceable to a certain extent.

Later that year, it was discovered that a darkweb site had been set up to facilitate the exchange of NEM tokens for Bitcoin in an anonymous fashion.

Coincheck loot being turned into bitcoin
Tens of thousands of dollars in stolen NEM now exchangeable for cash

Below is a block-explorer link to one of the transactions associated with this service; it is the transaction examined in the next section.

Climbing Down the Rabbithole

We’re going to start with the most recent link cited above, which has the transaction ID: 18cb6d0679a19b31b6f2f321088111ba2ee1a22d03ca170d85a96751dba94fa3

The majority of the funds from this transaction (which has numerous inputs) can be seen going directly to 1PQV39VVwfDnwY7W5JPReGFRiMnfJupWFg.

Checking the Affiliated Cluster

The address above is grouped in this cluster:

Crystal Blockchain Software confirms this clustering as well.
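To make the two steps above concrete (finding the output that carries most of a transaction's value, and grouping addresses into a cluster), here is an added Python example. It is not the article's own code and not Crystal Blockchain's software; it applies the common-input-ownership heuristic (all inputs of one transaction are assumed to be spent by one entity), skips CoinJoin-shaped transactions that would break that heuristic, and follows the largest output hop by hop. The transaction IDs, addresses and values are invented placeholders, not the identifiers discussed here.

```python
"""Added example (not from the article): common-input-ownership clustering
and majority-output tracing over a constructed, hypothetical transaction set."""
from collections import defaultdict

# Constructed sample ledger. Transaction ids and addresses are invented
# placeholders, not the real identifiers discussed in the article.
# Each tx lists (address, value) pairs; values are arbitrary units.
SAMPLE_TXS = {
    "tx1": {"inputs": [("A1", 50), ("A2", 30), ("A3", 20)],
            "outputs": [("B1", 90), ("A1", 9)]},      # A1 receives change
    "tx2": {"inputs": [("A3", 10), ("A4", 40)],
            "outputs": [("B2", 49)]},
    "tx3": {"inputs": [("B1", 90)],
            "outputs": [("C1", 60), ("C2", 29)]},
    # CoinJoin-shaped: equal-valued outputs, several unrelated input owners.
    "tx4": {"inputs": [("D1", 10), ("D2", 10), ("D3", 10)],
            "outputs": [("E1", 10), ("E2", 10), ("E3", 10)]},
}


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Heuristic guard: three or more outputs of identical value suggests a
    CoinJoin, where the inputs are NOT all controlled by one entity."""
    counts = defaultdict(int)
    for _, value in tx["outputs"]:
        counts[value] += 1
    return max(counts.values(), default=0) >= min_equal_outputs


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to be spent by the same entity, so their addresses are merged.
    Returns {address: frozenset(cluster members)} for every input address."""
    uf = UnionFind()
    for tx in txs.values():
        if looks_like_coinjoin(tx):
            continue  # merging these inputs would poison the cluster
        addrs = [addr for addr, _ in tx["inputs"]]
        for addr in addrs:
            uf.find(addr)  # register singletons too
        for addr in addrs[1:]:
            uf.union(addrs[0], addr)
    members = defaultdict(set)
    for addr in uf.parent:
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(members[uf.find(addr)]) for addr in uf.parent}


def cluster_of(clusters, addr):
    """Cluster containing addr; an address never seen as an input is a singleton."""
    return clusters.get(addr, frozenset({addr}))


def largest_output(tx):
    """(address, value, share_of_total) for the output receiving the most value."""
    total = sum(value for _, value in tx["outputs"])
    addr, value = max(tx["outputs"], key=lambda out: out[1])
    return addr, value, value / total


def follow_majority(txs, start_txid, max_hops=10):
    """Follow the largest output hop by hop: find the tx that later spends
    that address and repeat. Returns the chain of receiving addresses."""
    spent_in = {}
    for txid, tx in txs.items():
        for addr, _ in tx["inputs"]:
            spent_in.setdefault(addr, txid)  # first spend only (simplification)
    path, txid = [], start_txid
    for _ in range(max_hops):
        addr, _, _ = largest_output(txs[txid])
        path.append(addr)
        txid = spent_in.get(addr)
        if txid is None:
            break  # output not yet spent in our data set
    return path


if __name__ == "__main__":
    clusters = cluster_by_common_input(SAMPLE_TXS)
    print("cluster of A4:", sorted(cluster_of(clusters, "A4")))
    print("cluster of D1:", sorted(cluster_of(clusters, "D1")))
    print("largest output of tx1:", largest_output(SAMPLE_TXS["tx1"]))
    print("majority path from tx1:", follow_majority(SAMPLE_TXS, "tx1"))
```

Two caveats a practitioner should keep in mind: the common-input heuristic is an assumption, not a proof, and a single mis-clustered CoinJoin or exchange batch transaction will merge unrelated entities into one cluster, which is why the example refuses to merge transactions that look like CoinJoins; and `follow_majority` keys on addresses rather than on specific outputs, so it will mis-trace reused addresses.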

Notably, that cluster also contains the address 18C35bBJxeXw8eUgDruc7Jo7p488wF4WKE, which is attributed to Coinsmarkets (or to an entity attached to it).

User claims that it is part of their “final exit scam”

What is 'Coinsmarkets'?

‘Coinsmarkets’ is a defunct exchange that extracted essentially all user funds from the site at some point in 2017, then feigned solvency for part of 2018 before collapsing.

Notably, the 18C35bBJxeXw8eUgDruc7Jo7p488wF4WKE address also receives funds from 1AauwKcsQKmL6idtxp64Trv97N5cVrCDTn, which belongs to the original cluster: the one holding the Bitcoin that was swapped for the hacked NEM.

Visualizing the Cluster

Because we have access to Crystal Blockchain Software, we can gather more information about the cluster to which the stolen bitcoins were attached.

The metrics for the cluster are displayed above in detail. We are going to dig deeper than that, though, and try to identify the source of the bitcoins flowing into this cluster.

To do so, we will track the highlighted transaction above, which carried the majority of the bitcoins (roughly 14.1k BTC) into the cluster we are currently looking at.

Intro to Cluster #2

This cluster is our ‘source cluster’: the cluster from which the bulk of the funds entered the main cluster.

Below are pictures of the metrics and connections associated with this cluster.

The above does not necessarily implicate the exchanges listed, but it does show where funds were being sent from, should those exchanges wish to take action on the accounts involved.

Proceeding Forth to the Visualization

Now that we have a solid grasp of how the main cluster was formed, let’s see if we can track the distribution of funds using Crystal Blockchain’s visualization.

Tracking through, we can see a significant amount of illicit funds ended up at Bitfinex in one way or another.

One address that received a particularly large portion of funds is the deposit address 3HfYLED57Pd2pniUxEqUp7LX4sDo1aeos3.

Perhaps even more interesting is that the majority of these funds ended up directly at Bitfinex’s cold wallet address. This can be seen in transaction d841ee94cee5c07f85d84cd50b9fd823d780e673a77ba81df4741293d0129fbd.

Exchanges Where Funds Landed

Based on this tracing, funds ended up at the following exchanges:

  1. Bitfinex
  2. OKex
  3. Kraken
  4. Localbitcoins
  5. Huobi
  6. Binance
  7. Gemini

Below are some pictures that show the intricacies in the routing of funds:

Concluding Notes

The most alarming discovery in this passage of funds between wallets is that Bitfinex, as an exchange, appears to have been involved in some capacity in redirecting some of these funds.

This is stated because numerous deposit addresses (identified as such by their activity) were also seen sending funds out to various addresses. This is highly unusual behavior for a true deposit address. At a custodial exchange the keys for deposit addresses are held by the exchange, not by the customer, so a spend out of a deposit address to anywhere other than the exchange’s own hot wallet was signed with keys the exchange controls; that is what indicates the redirection was done on the exchange’s side.

Notably, not all Bitfinex deposit addresses behave this way. The vast majority (98%+) simply sweep funds directly to the hot wallet address, and they almost never send funds directly to the cold wallet address, which is what we saw in transaction d841ee94cee5c07f85d84cd50b9fd823d780e673a77ba81df4741293d0129fbd.
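The deposit-address test described above can be made mechanical. The following added Python example (not the article’s own code, and not based on any real Bitfinex data) profiles each address already labelled as a deposit address, flags any that spends anywhere other than the hot wallet, reports the reasons, and computes the share of deposit addresses that behave normally. The hot and cold wallet labels, the deposit-address set and the spends are all constructed placeholders.

```python
"""Added example (not from the article): profiling exchange deposit addresses
by where they spend, over a constructed, hypothetical set of spends."""
from collections import defaultdict

# Constructed placeholders; none of these are real exchange addresses.
HOT_WALLET = "hot_wallet"
COLD_WALLET = "cold_wallet"
DEPOSIT_ADDRESSES = {"dep1", "dep2", "dep3", "dep4"}

# Constructed spends as (from_address, to_address, value). A well-behaved
# deposit address is swept only into the hot wallet.
SAMPLE_SPENDS = [
    ("dep1", HOT_WALLET, 1.0),
    ("dep2", HOT_WALLET, 2.5),
    ("dep3", HOT_WALLET, 0.2),
    ("dep3", HOT_WALLET, 0.3),
    ("dep4", HOT_WALLET, 1.0),
    ("dep4", COLD_WALLET, 50.0),   # direct to cold storage: unusual
    ("dep4", "ext1", 3.0),         # to an address outside the exchange
    ("dep4", "ext2", 1.0),
]


def profile_deposit_addresses(spends, deposit_addrs, hot, cold):
    """For each deposit address, collect its spend destinations and flag
    behaviour that a pure pass-through deposit address should never show.
    Returns {address: {"destinations": [...], "flags": [...], "normal": bool}}."""
    by_source = defaultdict(lambda: defaultdict(float))
    for src, dst, value in spends:
        if src in deposit_addrs:
            by_source[src][dst] += value

    report = {}
    for addr in sorted(deposit_addrs):
        dests = by_source.get(addr, {})
        total = sum(dests.values())
        flags = []
        outside = sorted(set(dests) - {hot, cold})
        if outside:
            flags.append("spends to non-exchange addresses: " + ", ".join(outside))
        if cold in dests:
            flags.append("spends directly to cold wallet")
        if len(dests) > 1:
            flags.append("multiple spend destinations")
        if total and dests.get(hot, 0.0) < total:
            share = dests.get(hot, 0.0) / total
            flags.append(f"only {share:.0%} of outflow reaches hot wallet")
        report[addr] = {
            "destinations": sorted(dests),
            "flags": flags,
            "normal": not flags,
        }
    return report


def share_normal(report):
    """Fraction of profiled deposit addresses with no flags (1.0 = all normal)."""
    if not report:
        return 0.0
    return sum(1 for r in report.values() if r["normal"]) / len(report)


def flagged_addresses(report):
    """Deposit addresses whose spending pattern warrants a closer look."""
    return [addr for addr, r in report.items() if not r["normal"]]


if __name__ == "__main__":
    rep = profile_deposit_addresses(SAMPLE_SPENDS, DEPOSIT_ADDRESSES,
                                    HOT_WALLET, COLD_WALLET)
    for addr, r in rep.items():
        print(addr, "normal" if r["normal"] else "; ".join(r["flags"]))
    print(f"share of normal deposit addresses: {share_normal(rep):.0%}")
```

The script only checks spending behaviour; which addresses are deposit addresses and which are the hot and cold wallets must come from prior attribution (as in the article, from the addresses’ observed activity and the clustering tool). A mislabelled hot wallet will make every deposit address look anomalous, so that attribution deserves the same scrutiny as the result.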

It is also notable that Bitfinex appears to be the central point through which the transferred funds passed.



Happy to serve and help wherever I'm needed in the blockchain space. #Education #EthicalContent #BringingLibretotheForefront
