The Kucoin hack 2020
CASE BTC 31 COINJOIN
Chart legend
○ Nodes (circles) — transactions.
○ Edges (lines) — outputs/inputs associated with addresses.
○ Edge color — the type of address with which this input/output is associated:
· blue — p2pkh
· green — p2sh
· red — bech32
General information
Wasabi Wallet was one of two mixing services used by the hackers to launder bitcoins stolen from the KuCoin Exchange. In total 533 BTC were sent to Wasabi Wallet.
Hackers split this amount into 48 parts and initiated 48 different CoinJoin transactions of about 10–18 BTC each. Since it is a pretty big amount for a single transaction, they used several consecutive CoinJoin transactions, sending the change received from one CoinJoin transaction to the next CoinJoin transaction for further splitting.
However, the hackers did not split the entire amount in CoinJoin transactions. Some part of the funds did not go through the CoinJoin splitting, and after several iterations they withdrew the remaining change from Wasabi Wallet.
We have unraveled this scheme and traced the hackers through the CoinJoin transactions to find the addresses to which they sent the change left after the consecutive CoinJoin transactions.
The same pattern was used to split all the stolen funds: a large amount is divided into smaller parts. Below we show how it was done using one example.
Tracing
Step 1
The hackers pinched off 31 BTC from the main peel chain and sent those 31 BTC to the address 3MJwGfTwq65wCmfiPQWp41FWGrhcGUMmV3 (the path we will follow is highlighted).
Step 2
Hackers divided 31 BTC into 2 parts:
○ 14.99925130 BTC — bc1q7rmct483hhcvgarf03sx44ykr4c66et82zj6yz
○ 16.00000000 BTC — bc1qjukjum7562pvltct39p43z8cjg28csea2zv4p0
We will now focus on the address bc1q7rmct483hhcvgarf03sx44ykr4c66et82zj6yz.
But the same approach could be applied to the second address bc1qjukjum7562pvltct39p43z8cjg28csea2zv4p0 as well.
Step 3
14.99925130 BTC from the address bc1q7rmct483hhcvgarf03sx44ykr4c66et82zj6yz were sent to the first CoinJoin transaction 3c7761f5bc3a11db344625d8444828b662c755580989d3acb9ae6d6010079706.
Any input to a CoinJoin transaction can be decomposed using the formula:
where a is the input value, bi is a CoinJoin value, ni is the number of times bi occurs in this CoinJoin transaction, and txfee_a is the transaction fee paid by the user who owns input a (it depends on the number of bytes that this user’s inputs and outputs of the CoinJoin transaction take). Addends like:
determine the service fee for the CoinJoin transaction — its value depends on the CoinJoin value and the number of times it occurs in this transaction. Change_a is a value close to the change. The difference between Change_a and the actual change for input a is so small that the real change can be determined unambiguously. We will use this fact to pass through CoinJoin transactions.
By CoinJoin values, we mean values that occur more than once among the outputs. For example, in our CoinJoin transaction, the following CoinJoin values are found among the outputs: 0.0899357 BTC (90 outputs), 0.1790831 BTC (26 outputs), 0.3581662 BTC (8 outputs), 0.7163324 BTC (3 outputs), 1.4326648 BTC (2 outputs).
Using our formula, our entry of 14.99925130 BTC decomposes into:
○ 0.0899357 BTC — CoinJoin value
○ 0.1790831 BTC — CoinJoin value
○ 0.3581662 BTC — CoinJoin value
○ 0.7163324 BTC — CoinJoin value
○ 1.4326648 BTC — CoinJoin value
○ ≈12.2224501991 BTC — approximate change
There is only one output close in value to 12.2224501991 BTC among the outputs of this transaction, namely bc1qkrh6hckkm7l6675lsrnw4llwuvtdyktnjxhl7y — 12.22200793 BTC.
This output is the change associated with the input:
bc1q7rmct483hhcvgarf03sx44ykr4c66et82zj6yz — 14.99925130 BTC
This means that the address bc1q7rmct483hhcvgarf03sx44ykr4c66et82zj6yz belongs to hackers.
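Added example (not part of the original report): the per-input decomposition from Step 3 in Python, using the article's figures for the first CoinJoin transaction. The output list is a constructed stand-in (each CoinJoin value twice plus placeholder change outputs of other participants), and since the page does not give the fee formula, the fee term is a parameter; FEES_A is the value implied by the article's approximate-change figure.

```python
from collections import Counter
from decimal import Decimal

# Figures from the article's first CoinJoin transaction
# (3c7761f5bc3a11db344625d8444828b662c755580989d3acb9ae6d6010079706):
# the traced input a and the five CoinJoin values among its outputs.
INPUT_A = Decimal("14.99925130")
DENOMS = [Decimal(v) for v in ("0.0899357", "0.1790831", "0.3581662",
                               "0.7163324", "1.4326648")]
# txfee_a + service fee implied by the article's approximate change:
# a - sum(b_i) - 12.2224501991 (derived from the page, not a fee formula).
FEES_A = Decimal("0.0006189009")

# Constructed stand-in for the transaction's output list: each CoinJoin value
# twice (enough to "occur more than once"), the real change output from the
# article, and two constructed change outputs belonging to other participants.
OUTPUTS = [("bc1q_mixed_%s_%d" % (b, i), b) for b in DENOMS for i in (1, 2)] + [
    ("bc1qkrh6hckkm7l6675lsrnw4llwuvtdyktnjxhl7y", Decimal("12.22200793")),
    ("bc1q_constructed_change_1", Decimal("12.98104400")),
    ("bc1q_constructed_change_2", Decimal("11.90512000")),
]


def coinjoin_values(outputs):
    """CoinJoin values: output amounts that occur more than once, with their counts."""
    counts = Counter(amount for _, amount in outputs)
    return {amount: n for amount, n in counts.items() if n > 1}


def approximate_change(a, multiplicities, fees=Decimal("0")):
    """Change_a = a - sum(n_i * b_i) - fees, where fees = txfee_a + service fee."""
    return a - sum(n * b for b, n in multiplicities.items()) - fees


def match_change(approx, outputs, tolerance=Decimal("0.005")):
    """Return the single output within `tolerance` of the approximate change,
    or None if no output or more than one output qualifies (ambiguous).
    `tolerance` must stay well below the smallest CoinJoin value."""
    near = [(addr, amt) for addr, amt in outputs if abs(amt - approx) <= tolerance]
    return near[0] if len(near) == 1 else None


def trace_input(a, outputs, fees=Decimal("0")):
    """One pass through a CoinJoin: peel each CoinJoin value off once (as in the
    article's example) and identify the change output that belongs to input a."""
    multiplicities = {b: 1 for b in coinjoin_values(outputs)}
    approx = approximate_change(a, multiplicities, fees)
    return approx, match_change(approx, outputs)


if __name__ == "__main__":
    approx, change = trace_input(INPUT_A, OUTPUTS, FEES_A)
    print("approximate change %s BTC -> %s" % (approx, change))
```

The same three functions are applied unchanged to the second and third CoinJoin transactions in Steps 4 and 5, with the previous step's matched change as the new input a.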
Step 4
After the first transaction, the change of 12.22200793 BTC was sent to the second CoinJoin transaction:
e29ad6e6ede1c73fa614f83e79a41cf5422034eb3af3f7da9d86cbd65e201916
Repeating the previous step, we see that 12.22200793 BTC were decomposed into:
○ 0.08980273 BTC — CoinJoin value
○ 0.17875956 BTC — CoinJoin value
○ 0.35751912 BTC — CoinJoin value
○ 0.71503824 BTC — CoinJoin value
○ 1.43007648 BTC — CoinJoin value
○ ≈9.4503203310093 BTC — approximate change
The only output close in value to 9.4503203310093 BTC is:
bc1qjquhar63880epwy9ly00a6z07sye83t6r7effp — 9.44997604 BTC
This output is the change associated with the input:
bc1qkrh6hckkm7l6675lsrnw4llwuvtdyktnjxhl7y — 12.22200793 BTC
This means that address bc1qjquhar63880epwy9ly00a6z07sye83t6r7effp belongs to hackers.
Step 5
After the second CoinJoin transaction, a change of 9.44997604 BTC was sent to the third CoinJoin transaction: b41044b49885fbde6fab0ad8e7736530ef3792659053d18649835952c1035577
Using our formula, we see that our entry of 9.44997604 BTC was decomposed into:
○ 0.08922796 BTC — CoinJoin value
○ 0.17845592 BTC — CoinJoin value
○ 0.35691184 BTC — CoinJoin value
○ 0.71773214 BTC — CoinJoin value
○ 1.42764736 BTC — CoinJoin value
○ ≈6.6834328026935 BTC — approximate change
Again, the change can be determined quite easily:
bc1qsqgdejhrg79cc408qkxmtwymc03y2rtufnvpuu — 6.68327119 BTC
The address bc1qsqgdejhrg79cc408qkxmtwymc03y2rtufnvpuu belongs to hackers.
Step 6
The third CoinJoin transaction was the last in this chain; after it, the hackers decided to withdraw the change (6.68327119 BTC) from Wasabi Wallet to the P2SH address 3E3SpStrxdjKdovY7V8wZnPjmusHVKGxnt.
Step 7
In the following transaction a2d5b0800c4376aaeaa99fe70d9954f29d84534104b8a2b33b95927232738401, the funds were divided into 7 parts:
● 35Y6DcsRo7NpWMkiaGCnknRu5issiw4vhZ 0.220625 BTC
● 32u9VqEPYCyKhUwPFKtde5Pu1VZTCMbEQz 1.69937488 BTC
● 33noyfp2MgYFCMNioHZgHYv1QBiT8jG3KE 0.76635412 BTC
● 3Jb2qXnaooxy9hs7W1YnZs6zQvWUk4mSHV 0.80156244 BTC
● 39mRdqJxdPZ25BVhrhe9MbUeKZsV2D3GaA 0.88958327 BTC
● 1C73Vs27XRno1YWJgonojswTgq25gcyH9e 0.50044193 BTC
● 3HRtk53TggoYWtghXZaoeicWw8TsS9mfPd 1.80383509 BTC
Six of these outputs (6.1813348 BTC in total) were spent as inputs to the merging transaction:
758fa8a54b3723b81b553a2509bda53f277690c0173e540c6b843bb3c16c4eef
In the lower part of the above diagram, you can see two transactions connected by six inputs/outputs:
1. a2d5b0800c4376aaeaa99fe70d9954f29d84534104b8a2b33b95927232738401
2. 758fa8a54b3723b81b553a2509bda53f277690c0173e540c6b843bb3c16c4eef
Also, at this step, in the collecting transaction 758fa8a54b3723b81b553a2509bda53f277690c0173e540c6b843bb3c16c4eef, the address type changed from p2sh to bech32. We believe that at this step the funds were transferred to a third party (a service or OTC broker) for further trading on an exchange.
The lower part of the diagram shows all the inputs to the transaction that are not displayed in the upper part. This is done so as not to distract from the work with specific inputs; if necessary, they can be loaded onto the main panel. The hexagon indicates that not all inputs/outputs are displayed on the main panel; some of them are hidden.
Step 8
In the next step, the third party pooled the 31.83953809 BTC received from the previous transaction with 35.19112105 BTC received from another transaction. After the merge, all funds were sent to the address bc1qt0rj6v9ht89kt24gqt5um79vg7m0fyla8862ru.
Step 9
Then the funds were transferred in two transactions to the deposit address of the Huobi exchange — 1QAbP5fn3D2XCVkvsvwtPXZSdTcjCtjeqq. About 67 BTC were transferred to this address, at least about 6 BTC of which belong to the hackers.
This is how the whole scheme of the BTC movement described above looks:
This was one of the chains we found. The following diagram shows some outputs (change) that belong to the hackers and were withdrawn from CoinJoin transactions:
Analyzing this scheme, we’ve discovered that about 80 BTC were sent to Huobi Global. This diagram clearly shows the same pattern of changing address types:
P2SH ➝ bech32 ➝ bech32 ➝ P2SH ➝ P2PKH (Huobi)
Conclusion
Based on this pattern and the size of the amounts transferred to the Huobi exchange (30–67 BTC), we assume that either this scheme indicates the presence of a third (intermediate) party between the hackers and the exchange, or all these funds belong to the hackers. In any case, operations with such amounts on the exchange require KYC. Thus, a request to Huobi Global with the data (addresses and transactions from the above scheme) could shed light on the case and possibly lead to the detention of the hackers.