Preface: *This research was performed with the assistance of Crystal Blockchain's proprietary on-chain transaction analysis software. Also, this is a re-published version of a (formerly lost) research report that was originally published on August 9th, 2019. Thus, all 'present tense' verbs in the following report only refer to conditions as of August 9th, 2019. A subsequent 'update' report will be published in due time that assesses changes (if any) in the affected wallet addresses named in this report
The first address that we’re going to look at (via Etherscan), can be found here: https://etherscan.io/address/0xbceaa0040764009fdcff407e82ad1f06465fd2c4
A screenshot of the address is provided below:
The wallet in the picture above can be seen receiving 25.5k Ethereum on August 11th, 2018 (approx. 1 year ago).
From this wallet, the funds were immediately sent out in two transactions (100 Ethereum & 25.4k Ethereum) to wallet address: 0xf27B6923ed24EEd02De7686962339dB00a52d2aA.
What’s interesting about the 0xf27 address is that analysis shows us that it was active before the Bancor hack funds were transferred to it (see below):
Approximately 17 days later, the Bancor hack funds (25k Ethereum) were sent into this wallet:
Where Did the Initial Funds Come From?
In order to answer that question, the Crystal Blockchain visualizer will be consulted.
Specifically, the funds that we are referring to are the 12,000 (approx.) Ethereum that initially entered into the 0xf27 wallet address where the 25k Bancor Hack funds were sent 17 days later.
Let’s see below:
Interestingly, when tracking back the transactions it appears that the coordinator of this send is address 0xbc3175b1054214acea52127f3de1b7b243844670.
See the investigation below that allowed for the tracing of the Ethereum back to the wallet cited above:
Specifically, 0x94f20ccff70d82d1579d8b11f2985f8de9b287cf serves as the intermediary:
Perhaps what makes this the most interesting is the fact that a substantial amount of funds came directly from Kraken:
The pattern of transactions flowing from wallet 0xbC3175B1054214aceA52127F3de1b7B243844670 strongly indicate that the funds were being mixed/laundered in some fashion in order to make tracking their liquidation much more difficult.
Back to the Bancor Hack Wallet (0xbceaa0040764009fdcff407e82ad1f06465fd2c4)
The picture above brings us back to the main Bancor hack wallet.
From there, funds were transferred to wallet 0xf27 (as previously noted) on March 13th, 2019.
If we take a cursory glance at the wallet’s most recent transaction history, we can see that the vast majority of funds were sent to 0xd294ac18b524ff59ab7fffcbd459f11128220550:
Another wallet that received a substantial amount of Ethereum from 0xf27 was 0xfe61ad22a847c4df702731c7d5e803d283ea1376.
Viewing Fund Transfers Via Crystal Blockchain On-Chain Transaction Visualizer
Below is a visual look of the passage of funds from 0xf27 to 0xd29:
Also, below, is a look at the passage of fund from 0xf27 to 0xfe61
Most Interesting Passage of Funds in the Bancor Hack
If we follow up on the 0xfe61 address, we’ll see that it sent the vast majority of its funds on to 0x39d9f4640b98189540a9c0edcfa95c5e657706aa.
This is important to note because 90k bitcoins from the 0x39 wallet address traveled directly to 0xdf95de30cdff4381b69f9e4fa8dddce31a0128df.
Why Wallet 0xDf95 Demands Scrutiny
Huobi Exchange has sent thousands of Ethereum into this wallet.
Let’s take a look at the transactions from various Huobi wallets into the 0xD95 wallet below, starting with ‘Huobi 15’ (label on Etherscan):
In the picture above, 3,102 Ethereum can be seen being transferred into the 0xD95 wallet address from a Huobi-controlled and owned exchange address (note: this address is not a hot wallet address).
In fact, if we use Crystal’s Blockchain Explorer again to break down all of the transfers from Huobi to this address, specifically, we can see that over 200,000 Ethereum has traveled from the Huobi exchange to the 0xdf95 address in total:
Below are some of the most recent transactions into this wallet:
As one can see in the picture above, Huobi has sent approximately 40,000 Ethereum in the last week (since August 2nd, 2019).
In USD, that’s approximately $8.4 million at Ethereum’s current price.
Currently, at the time of writing, the 0xdf95 wallet address has 53,617 Ethereum worth a combined total of $11.317 million USD at the time of writing (this analysis was originally performed in 2019 ; thus, the wallet address in question may look significantly different as you read this study):
Reviewing 0xdf95's Wallet Address Statistics
Let’s take a look at the address statistics for this address below:
With 1/4th of all of the coins coming from hacked/stolen sources, one must seriously question the ownership of this wallet when juxtaposing the illicit activity with the fact that Huobi, alone, has sent 200,000+ Ethereum into the wallet as well:
Perhaps what is even more interesting is the fact that Huobi is the only other identifiable entity apart from the hacked Bancor funds:
The purpose of this article is to sound the alarm bells for the crypto space and prompt people to take a much deeper, probing look at Huobi exchange as well as the associated wallet where they have sent tens of thousands of Ethereum.
Overall, it appears that over a billion dollars has been laundered via 0xdf95 without any scrutiny from law enforcement or other relevant agencies.