AnubisDAO was launched on October 28, 2021. By the time of the incident, the project had received about $60 million (13,597 ETH) in exchange for its ANKH token. On October 29, that amount was transferred to a new address: 0x9fc53c75046900d1f58209f50f534852ae9f912a
The attacker then moved 9,418 ETH of it into Tornado.Cash in four portions.
On August 8, 2022, OFAC sanctioned Tornado.Cash. The sanctions sharply reduced the mixer's activity and user base, which in turn changed how it was used and how funds were withdrawn from it.
Because the first batch of deposits was sent to Tornado.Cash in June 2022, before the OFAC sanctions, we treat it separately from the rest.
The first portion of deposits, June 24, 2022
The attacker sent 1,018 ETH to Tornado.Cash from address 0x07002d0212e3d40a6e17773460579d694100b7f4: 10 deposits into the Tornado.Cash 100 ETH pool and 18 deposits into the Tornado.Cash 1 ETH pool.
Address 0x07002d0212e3d40a6e17773460579d694100b7f4 had initially received 1,097 WETH from 0xb1302743acf31f567e9020810523f5030942e211, one of the attacker-controlled addresses.
After the deposits to Tornado.Cash, about 79.24 ETH remained at 0x07002d0212e3d40a6e17773460579d694100b7f4; this was transferred to 0xe77b0377b498a2e485dc8043b9ccc8254f972195.
This address is highlighted in green in the diagram below.
We also noticed that 0xe77b0377b498a2e485dc8043b9ccc8254f972195 received one withdrawal from Tornado.Cash 100 ETH.
This withdrawal was made after the first batch of deposits, and its recipient is directly linked to the address the deposits were sent from, so we conclude that it corresponds to one of the deposits into Tornado.Cash 100 ETH made from 0x07002d0212e3d40a6e17773460579d694100b7f4. This gave us the attacker's pattern for withdrawing from the mixer and for moving the assets onward, namely:
- Funds are withdrawn using the relayer mechanism
- Funds are sent in portions to the Sideshift exchange (umbrella-like structure)
Using the time of this withdrawal, we then checked withdrawals from Tornado.Cash 100 ETH and Tornado.Cash 1 ETH that took place chronologically close to it, in case the attacker had withdrawn to several different addresses within short intervals.
This gave us a few more addresses matching the pattern described above:
1. 0xfd47b98b08b280d033a3e5aac15399ee1076bea3 received 1 withdrawal from Tornado.Cash 100 ETH on 24-06-2022 11:47:23 (6 minutes after the withdrawal to 0xe77b0377b498a2e485dc8043b9ccc8254f972195). The funds were then likewise transferred in portions to Sideshift.
2. Two addresses received funds from Tornado.Cash 1 ETH:
- 0xe414a2224dac8e188c19d3225d58e5130e0a8818: 1 withdrawal from Tornado.Cash 1 ETH on 24-06-2022 08:23:47.
- 0x0bd2f46d2f3f6713bee3b0696765b23183ca722e: 17 withdrawals from Tornado.Cash 1 ETH, from 24-06-2022 11:49:51 to 24-06-2022 12:14:27.
Thus, of the 10 deposits of the first portion into Tornado.Cash 100 ETH, we matched 2 withdrawals to the attacker, and of the 18 deposits into Tornado.Cash 1 ETH we matched all 18 withdrawals.
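The time-proximity search described above can be done in code. The following is an added example written for this page, not the investigators' own tooling: it groups Tornado.Cash withdrawals from the chosen pools that land within a window around a known attacker withdrawal, reports the count and time range per recipient, and flags whether every withdrawal went through a relayer. The event list is constructed (a handful of the withdrawals reported above, with only three of the 17 withdrawals to 0x0bd2... listed, the 11:41:23 time of the 0xe77b... withdrawal inferred from the stated six-minute gap, and invented noise rows at 0xaaaa.../0xbbbb.../0xcccc...); real events would be read from the pool contracts' Withdrawal event logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample of Tornado.Cash Withdrawal events: (pool, recipient, timestamp, relayer used).
# Attacker-linked rows follow the figures reported in the text; the last three rows are invented noise.
SAMPLE_WITHDRAWALS = [
    ("100 ETH", "0xe77b0377b498a2e485dc8043b9ccc8254f972195", "2022-06-24 11:41:23", True),
    ("100 ETH", "0xfd47b98b08b280d033a3e5aac15399ee1076bea3", "2022-06-24 11:47:23", True),
    ("1 ETH",   "0xe414a2224dac8e188c19d3225d58e5130e0a8818", "2022-06-24 08:23:47", True),
    ("1 ETH",   "0x0bd2f46d2f3f6713bee3b0696765b23183ca722e", "2022-06-24 11:49:51", True),
    ("1 ETH",   "0x0bd2f46d2f3f6713bee3b0696765b23183ca722e", "2022-06-24 12:03:05", True),
    ("1 ETH",   "0x0bd2f46d2f3f6713bee3b0696765b23183ca722e", "2022-06-24 12:14:27", True),
    ("100 ETH", "0x" + "aa" * 20, "2022-06-23 09:00:00", True),   # a day earlier: outside the window
    ("10 ETH",  "0x" + "bb" * 20, "2022-06-24 11:50:00", True),   # pool the attacker never deposited to
    ("1 ETH",   "0x" + "cc" * 20, "2022-06-24 11:55:00", False),  # in the window, but no relayer
]


def withdrawals_near(events, anchor_ts, window_hours, pools):
    """Group withdrawals from `pools` that fall within +/- window_hours of the anchor time.

    Returns {(pool, recipient): {"count", "first", "last", "all_relayer"}} so that a recipient
    with many withdrawals shows up once with its time range, as in the 0x0bd2... case above.
    """
    anchor = parse_ts(anchor_ts)
    window = timedelta(hours=window_hours)
    hits = defaultdict(list)
    for pool, to, ts, relayer in events:
        if pool not in pools:
            continue
        t = parse_ts(ts)
        if abs(t - anchor) <= window:
            hits[(pool, to)].append((t, relayer))
    out = {}
    for key, rows in hits.items():
        times = [t for t, _ in rows]
        out[key] = {
            "count": len(rows),
            "first": min(times).strftime("%Y-%m-%d %H:%M:%S"),
            "last": max(times).strftime("%Y-%m-%d %H:%M:%S"),
            "all_relayer": all(r for _, r in rows),
        }
    return out


def pattern_matches(events, anchor_ts, window_hours, pools):
    """Keep only recipients whose every in-window withdrawal used a relayer (the observed pattern)."""
    return {k: v for k, v in withdrawals_near(events, anchor_ts, window_hours, pools).items()
            if v["all_relayer"]}


if __name__ == "__main__":
    found = pattern_matches(SAMPLE_WITHDRAWALS, "2022-06-24 11:41:23", 4, {"100 ETH", "1 ETH"})
    for (pool, to), info in sorted(found.items()):
        print(f"{pool:8} {to} {info['count']:>2} withdrawal(s) {info['first']} .. {info['last']}")
```

The four-hour window is an assumption chosen so that the 08:23:47 withdrawal to 0xe414... is caught; in practice the window is tuned against the pool's overall withdrawal rate, since a busy pool produces many unrelated hits and the candidates still have to be confirmed by their onward behaviour (here, the Sideshift pattern).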
Three portions of deposits made in 2023
In March, April and May 2023, the attacker sent three new portions of deposits to Tornado.Cash. We analyzed all withdrawals from Tornado.Cash 100 ETH between May 5, 2023 and June 28, 2023 and clustered the addresses that received them using the following characteristics:
- Common neighbors that are not services or smart contracts
- Withdrawal time from Tornado.Cash 100 ETH
- The length of the withdrawal time range from Tornado.Cash 100 ETH, in cases where there were more than one withdrawal to the address
- Use of other blockchains (Bitcoin, BSC, Polygon, Arbitrum, etc.)
- Use of certain services (centralized exchanges, DEXs, bridges, etc.)
- Use of certain ERC20 tokens (WETH, WBTC, multiBTC, DAI, USDC, USDT, etc.)
We then reviewed each cluster and discarded the unsuitable ones. A cluster was considered unsuitable if:
- the number of withdrawals to the cluster from a given Tornado.Cash pool exceeded the number of deposits the attacker had sent to that pool (for example, no deposits were sent to Tornado.Cash 10 ETH in this case, so clusters containing withdrawals from that pool were excluded);
- the cluster contained addresses with a history, i.e. addresses that were active before the attacker's first deposit to Tornado.Cash.
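Once clusters exist, the two exclusion rules can be applied mechanically. The following is an added example, not the investigators' code: it takes a cluster assignment (the clustering step itself is assumed already done), the withdrawal events, each address's first observed on-chain activity and the attacker's per-pool deposit counts, and rejects any cluster that breaks either rule, recording why. Every count, address and timestamp in it is constructed, including the per-pool deposit numbers, which the text does not give for 2023.

```python
from collections import Counter, defaultdict
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# --- Constructed sample data; none of these figures come from the investigation ---
# Hypothetical number of deposits the attacker made into each Tornado.Cash pool.
ATTACKER_DEPOSITS = {"100 ETH": 6, "1 ETH": 18}
# Hypothetical time of the attacker's first Tornado.Cash deposit; anything active before it has history.
FIRST_DEPOSIT_TS = "2022-06-24 08:00:00"

# Cluster assignment as produced by the clustering step.
CLUSTERS = {
    "A": ["0x" + "a1" * 20, "0x" + "a2" * 20, "0x" + "a3" * 20],  # fresh addresses, 5 x 100 ETH
    "B": ["0x" + "b1" * 20],                                     # received a 10 ETH withdrawal
    "C": ["0x" + "c1" * 20, "0x" + "c2" * 20],                   # c2 was active in 2021
    "D": ["0x" + "d1" * 20, "0x" + "d2" * 20],                   # 7 x 100 ETH, more than deposited
}

# (pool, recipient, timestamp) withdrawal events addressed to cluster members.
WITHDRAWALS = (
    [("100 ETH", CLUSTERS["A"][i % 3], f"2023-05-{6 + i:02d} 10:00:00") for i in range(5)]
    + [("10 ETH", CLUSTERS["B"][0], "2023-05-08 12:00:00")]
    + [("100 ETH", a, "2023-05-09 09:00:00") for a in CLUSTERS["C"]]
    + [("100 ETH", CLUSTERS["D"][i % 2], f"2023-05-{10 + i:02d} 08:00:00") for i in range(7)]
)

# First observed on-chain activity per address (fresh addresses appear only in May 2023).
FIRST_ACTIVITY = {a: "2023-05-05 00:00:00" for addrs in CLUSTERS.values() for a in addrs}
FIRST_ACTIVITY[CLUSTERS["C"][1]] = "2021-11-02 14:30:00"  # active long before the first deposit


def filter_clusters(clusters, withdrawals, first_activity, deposits_by_pool, first_deposit_ts):
    """Apply both exclusion rules. Returns (kept_cluster_ids, {rejected_id: [reasons]})."""
    owner = {addr: cid for cid, addrs in clusters.items() for addr in addrs}
    counts = defaultdict(Counter)  # cluster id -> pool -> withdrawals received
    for pool, to, _ts in withdrawals:
        if to in owner:
            counts[owner[to]][pool] += 1
    cutoff = parse_ts(first_deposit_ts)

    kept, rejected = [], {}
    for cid, addrs in clusters.items():
        reasons = []
        # Rule 1: a cluster cannot have received more from a pool than the attacker put into it.
        # A pool with no attacker deposits has a budget of 0, so any withdrawal from it disqualifies.
        for pool, n in counts[cid].items():
            budget = deposits_by_pool.get(pool, 0)
            if n > budget:
                reasons.append(f"{n} withdrawals from Tornado.Cash {pool} exceed {budget} attacker deposits")
        # Rule 2: no member may have been active before the attacker's first deposit.
        for a in addrs:
            first = first_activity.get(a)  # unknown history is treated as no history here
            if first is not None and parse_ts(first) < cutoff:
                reasons.append(f"{a} was active before the first deposit ({first})")
        if reasons:
            rejected[cid] = reasons
        else:
            kept.append(cid)
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = filter_clusters(CLUSTERS, WITHDRAWALS, FIRST_ACTIVITY, ATTACKER_DEPOSITS, FIRST_DEPOSIT_TS)
    print("kept:", kept)
    for cid, reasons in rejected.items():
        print(f"rejected {cid}:", *reasons, sep="\n  ")
```

Treating an address with no recorded first activity as history-free is a convenience for the sample; in a real run a missing value should be resolved before the cluster is accepted, since rule 2 is the stronger of the two filters.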
This left a set of suitable clusters, among which one cluster of 27 addresses that received 57 withdrawals from Tornado.Cash 100 ETH stood out.
Funds moved from every address in this cluster in the same way: after withdrawal from Tornado.Cash they were bridged to the Polygon network through the Multichain and Synapse contracts, then brought back to Ethereum and distributed among exchanges (see the scheme below).
We believe that after the August 2022 sanctions, hopping from Ethereum to another network and back serves to break the visible link between the Tornado.Cash contracts and the final services (exchanges): not all explorers and visualization tools can follow funds across such hops, so the attacker can deposit to an exchange with less risk of the funds being frozen. In our opinion, that is exactly what the technique was used for here.
In addition, as the diagram shows, part of the funds (846.33 ETH and 824,738 USDT) withdrawn from Tornado.Cash to this cluster and routed through Polygon was then sent to an OKX deposit address:
That deposit address has a direct graph connection, via address 0x1c4203db716a122aff5120203268113e8b471f0e (ENS: bsl.eth), to addresses 0x872254d530ae8983628cb1eaafc51f78d78c86d9 and 0x51da686c7a2f973ad11fafed6ce9a3ffc020349f, which belong to the attacker. This is an operational mistake by the attacker, and it independently confirms that we selected the correct cluster.
Note also that 0x1c4203db716a122aff5120203268113e8b471f0e is linked to another rug pull, the BELLE honeypot (0xf80f6fa4ccb6550c9dc58d58d51fb0928f9b323c). We therefore suspect that 0x1c4203db716a122aff5120203268113e8b471f0e (ENS: bsl.eth) belongs either directly to an attacker who took part in several rug pulls or to someone affiliated with those cases.