Money Trail From Liquid Exchange Hack Points to Wasabi Privacy Wallets

According to Crystal Blockchain, hackers are using Wasabi wallets to launder BTC stolen from Liquid or obtained in exchange for other stolen cryptocurrencies.

According to investigative company Crystal Blockchain, hackers who stole approximately $97 million in bitcoin from the Liquid exchange utilized the non-custodial, privacy-focused Wasabi wallet to safeguard part of their loot.

Bitcoin from the wallets identified by Liquid as belonging to the hackers has been moving over the last two weeks, according to public blockchain data. On Aug. 29, for example, 100 BTC (worth over $4.8 million) from one hacker-linked account was divided up and transferred to two other addresses, then further broken down and dispersed to still additional addresses.

According to Crystal Blockchain data, at least part of the bitcoin was subsequently transferred to addresses thought to have been created by a Wasabi wallet.

According to Crystal, this was one of several such transactions the hackers made using Wasabi, apparently to separate the stolen money from its criminal past. Because centralized exchanges tend to freeze assets that are known to originate from hacks, exploits, and scams, this would be a necessary step before spending such funds or trading them for fiat money.

Wasabi's CoinJoin function has been used to launder over 437 BTC (worth over $20 million) connected with the Liquid hackers, and the process is still ongoing, according to Crystal.

Wasabi is a privacy-focused desktop wallet that lets users arrange so-called CoinJoin transactions to make their bitcoin less traceable on the public ledger. Multiple users combine their bitcoin in a single transaction, which separates the coins from their prior payment history. Wasabi also routes transactions over the Tor network, further masking the user's IP address.

Although Wasabi is a non-custodial wallet, it creates addresses for CoinJoin transactions that blockchain analytics tools have learned to recognize. Elliptic, a crypto investigations company, accomplished this last year after tracing bitcoin from the notorious Twitter breach to addresses linked to Wasabi.

Identifying such addresses is more difficult than attributing addresses to custodial crypto services, according to Kyrylo Chykhradze, product director for Crystal Blockchain, so Crystal does "a lot of double-checks before the final labeling" of the addresses in its analytics system.

Wasabi did not immediately reply to a request for comment.

Tumbled and swapped

According to Crystal Blockchain, the Liquid hackers' wallets acquired a total of 1,168 BTC, the majority of which they obtained through trading other cryptocurrencies for bitcoin on various exchanges.

The hackers transferred stolen XRP tokens to three exchanges – Binance, Huobi, and Poloniex – where they were able to swap them for bitcoin on the first day following the attack, according to CoinDesk. According to Crystal, the bitcoin hoard was subsequently partly laundered via Wasabi's CoinJoin accounts.

ERC20 tokens, which are based on the Ethereum blockchain, were transferred to decentralized exchanges (DEXs), where they were exchanged for ether and then sent to Tornado.cash, an online ether mixer. According to Chykhradze, some tokens were also exchanged for bitcoin on the decentralized exchange Ren, resulting in an extra 394 BTC in the hackers' wallet.

“Hackers have been utilizing various ways to hide their traces for nearly two weeks — significant sums of XRP, ETH, and ERC20 tokens were either changed into BTC or mingled via the Tornado tumbler service,” Chykhradze added.

In addition, a large number of bitcoins were placed in several unnamed wallets and left there for the time being.

On August 18, Liquid, a Japanese cryptocurrency exchange, was hacked. A total of $97 million in various cryptocurrencies was stolen. Almost immediately, the exchange began posting updates on the breach, as well as the addresses from which the hackers took money.

Several exchanges collaborated with Liquid to identify and ban the hackers' IP addresses. However, in many instances, hackers were able to withdraw money before the exchanges could respond.

Liquid issued an update on Aug. 30 encouraging customers to create fresh deposit wallets.
