The movement of Kucoin hack funds
On September 25, 2020, the KuCoin exchange was hacked. The equivalent of approximately $280M was stolen during this attack.
1,008 BTC and 999,160 UDST were withdrawn from the KuCoin addresses and went to the following address 1NRsEQRg5EjmJHbPUX7YADVPcPzCQBkyU7. The next day, September 26, assets in USDT were frozen.
We investigated the further path of these bitcoins. Below is a diagram of the movement of BTC from the moment of hacking until entering the mixers.
Complete graph from KuCoin hack to mixers:
The active phase of laundering of the stolen Bitcoins began October 26.
Two mixing services were used: ChipMixer and Wasabi Wallet (Coinjoin transactions).
ChipMixer was used on the dates of October 26–28. Funds were sent to the following deposit address 17vuW78TbsC1DdTUus3ELjkLBcYxFqhcyU.
October 26: 200.992633 BTC was sent to ChipMixer in total.
October 27: 148.439592 BTC was sent to ChipMixer in total.
October 28: 124.979928 BTC was sent to ChipMixer in total.
From October 31st, Hackers started to use Coinjoin transactions based on the Wasabi wallet to transfer stolen funds.
October 31: 48.1892513 BTC went through Coinjoin in total.
November 1: 237.651755 BTC went through Coinjoin in total.
November 2: 251.622331 BTC went through Coinjoin in total.
November 3: 49.999154 BTC went through Coinjoin in total.
Using our algorithms for mixers analysis, we’ve found the following transactions, withdrawing funds from Chipmixer and, we believe, these transactions belong to the hackers.
The diagram above shows the movement of stolen funds after the withdrawal of 25.09600 BTC from ChipMixer. It was done in two transactions:
Another 14.00142624 BTC came from the unknown service (with transaction f65065bec488885675d38b813b46f1f94540a6018a24165af918117311ab9919) and were joined with those 25.09600 BTC.
We believe these 14.00142624 BTC also belong to the hackers and were obtained in exchange for the other assets stolen from the KuCoin on Sept, 25.
After that, 27.7476327 BTC (24.3+3.4BTC) — a part of that joint sum entered the Binance exchange (addresses: 1A65a3SjNGAiatEh9QQgseQQXCjYoQreJi and 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s).
This is the hourly histogram of hackers’ activity before the funds reached the mixers. X-axis — hours (UTC time); Y-axis — number of transactions done within the hour.
Since the main activity occurred between 6 am and 8 pm UTC, we can assume that hackers may be located either in the European or Asian regions. We bet hackers act from Asia.
This diagram shows two related to each other transactions. Both transactions withdrawing funds from ChipMixer:
It is interesting, that part of the funds (2.05006440 BTC) was transferred to the Thai exchange — bitkub.com. And the only available fiat currency on Bitkub is the Thai baht. This fact may indirectly indicate that hackers may be located in the Asian region, in particular in Thailand.
Another part of the funds (2.98722000 BTC) was sent to Binance.
This diagram shows where the stolen funds went after they left ChipMixer with these 4 transactions:
Part of the funds were mixed with other bitcoins and gathered on the address 3BygU6QtnTxXBX1iM6kDMYLrpFbNGN4tvg.
The second part was merged with 25.5 bitcoins from an unknown service in transaction 55e8c6187531aad97391e00ebe9d3078fd5342a708da610b91f878d79ad0cd48.
This diagram shows the movement of BTC went out ChipMixer with transaction: 7e4a8858c798db13d7a05474eef671764c865d417d1be7831b3d8f5c86de0597
Part of the funds was separated from the main branch and mixed with funds received from other services. After that, it was transferred to the address 19qvQ7yZx61MxAmiiuYARJ9JBBcsq2mf2K.
Another part of the funds was split. Visually this split resembles a sawtooth pattern. In the end rest of BTC had hit various services, one of them Binance— 3.38173792 BTC.
3.38173792 BTC has entered Binance with these transactions: 7d127f087499719a6eaa2fd67643e51465ce67680b4a0f37a008d1b78a686734
This diagram shows the movement of BTC after they were withdrawn from ChipMixer by hackers with a transaction:
b07f87b2df5b550c9fd3fc267bcd6fc61cac518c5c264196799e38cbd6cd9f24 (highlighted node).
A part of these funds ended up on the HitBTC (about 1.7 BTC), the second part went to Binance, and some of the funds went to an unknown service at the following address 39mKJfQUSdEFD7WtgutQtntMWTYVBiKHnU. We assume that it belongs to an exchange.
You can also see the connection (highlighted edges) with other BTC, transactions withdrawn from ChipMixer by hackers.
We’ve tweeted about the movement of these funds earlier.