Bitfury: Bitcoins stolen from Bithumb

Bitfury: Bitcoins stolen from Bithumb were transferred to the Yobit exchange


Cryptocurrency company Bitfury has published a report on the hack of the South Korean exchange Bithumb, prepared by its analyst team using Crystal, the blockchain data analysis toolkit it announced earlier this year. The attack resulted in the loss of $31 million, including 2,016 BTC. According to the analysts' findings, most of the stolen funds later ended up on the Yobit exchange.

Bithumb temporarily suspended user deposits on June 15 to update its security systems and database, and on June 20 the exchange's management reported a loss of $31 million.

Bithumb withdraws assets to a cold wallet

The analysts decided to study what happened on the exchange in the 4 days before the hack. They looked at over 1 million Bithumb-owned addresses and compiled a list of all the addresses to which funds were transferred during these four days.

Until June 19, funds were transferred according to the following scheme:

  • Most of the bitcoins were collected at the address 1LhWMukxP6QGhW6TMEZRcqEUW2bFMA4Rwx (hereinafter “1LhW”);
  • Large transactions were sent from the address 1LhW to the address 18x5Wo3FLQN4t1DLZgV2MoAMWXmCYL9b7M (hereinafter “18x5”).

Moving bitcoins to the Bithumb cold wallet

The analysts identified the 18x5 address as the exchange’s cold wallet because it is used only rarely, to send large transactions to and from Bithumb addresses.

History of changes in the balance of the wallet 18x5

The funds transfer pattern changed on June 19, when two transactions were sent from Bithumb wallets to 34muFC1sWsvJ5dzWCotNH4rpKSNfkSCYvD and 3DjdVF83hhXKXV8nUFWCF5chrdSAkgE6Ny with an unusually high commission of 0.1 BTC. After that, within half an hour, about 1,050 BTC was transferred to addresses that had not previously appeared in the blockchain. In total, the transfer of funds to these addresses lasted longer than a day.

At this stage, the exchange stopped using the buffer address 1LhW. In addition, the commissions on incoming transactions to the 18x5 address increased significantly: first to 0.1 BTC, then to 0.2 BTC.

Shortly thereafter, a message appeared on the exchange’s official Twitter account that users should not make deposits to the exchange’s addresses.

Bithumb suspends deposits

Withdrawals from the exchange's wallets with high commissions continued; in some cases the commission exceeded 2 BTC and was larger than the amount transferred in the transaction itself. Because of this, fees rose across the entire Bitcoin network on June 19-20, which in turn slowed transaction processing.

Transaction with a commission of 2 BTC

Thus, bitcoins migrated from all Bithumb wallets to 39 addresses. One of them is the exchange’s own wallet 18x5, which received the most funds. The remaining 38 addresses presumably belong to cybercriminals. They received 2002.52 BTC, with 48.126 BTC paid in fees.

Next, the analysts tracked the movement of funds from these addresses, which began on August 2. First, a large transaction of 1,000 BTC was sent. According to Bitfury’s analysis, the funds ended up in two wallets on the Yobit exchange after being split into 30 BTC chunks.
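
The triage described above (abnormal fees, fees larger than the amount sent, payouts to addresses with no prior history, with the cold wallet excluded) can be sketched as follows. This is an added example, not Bitfury's or Crystal's code: the transaction records and every address except the cold wallet named in the article are constructed placeholders, and the 0.1 BTC threshold is taken from the fee level the report mentions.

```python
from dataclasses import dataclass

SAT = 100_000_000            # satoshis per BTC; integers avoid float rounding
FEE_ALERT = SAT // 10        # 0.1 BTC, the fee level the report calls unusually high

@dataclass
class Tx:
    txid: str
    time: int                # ordering key only
    inputs: list             # [(address, value_in_satoshis), ...]
    outputs: list

    @property
    def fee(self):
        return sum(v for _, v in self.inputs) - sum(v for _, v in self.outputs)

def triage(txs, exchange_addrs, cold_wallet):
    """Return (alerts, suspects): reasons per flagged exchange withdrawal, and
    value received by never-before-seen addresses that are not the exchange's."""
    seen = set(exchange_addrs) | {cold_wallet}
    alerts, suspects = [], {}
    for tx in sorted(txs, key=lambda t: t.time):
        reasons = []
        if any(a in exchange_addrs for a, _ in tx.inputs):
            sent = sum(v for _, v in tx.outputs)
            if tx.fee >= FEE_ALERT:
                reasons.append("high_fee")
            if tx.fee > sent:
                reasons.append("fee_exceeds_amount")
            fresh = [(a, v) for a, v in tx.outputs if a not in seen]
            if fresh:
                reasons.append("new_address")
            for a, v in fresh:
                suspects[a] = suspects.get(a, 0) + v
        if reasons:
            alerts.append((tx.txid, reasons))
        seen.update(a for a, _ in tx.inputs + tx.outputs)  # history grows over time
    return alerts, suspects

# Constructed sample data: every address except COLD is a placeholder.
COLD = "18x5Wo3FLQN4t1DLZgV2MoAMWXmCYL9b7M"   # cold wallet named in the article
HOT = {"hot_1", "hot_2"}
SAMPLE = [
    Tx("t1", 1, [("ext_a", 5 * SAT)], [("cust_1", 5 * SAT - 10_000)]),  # unrelated
    Tx("t2", 2, [("hot_1", SAT)], [("cust_1", SAT - 10_000)]),          # normal payout
    Tx("t3", 3, [("hot_1", 5_010_000_000)], [("new_1", 50 * SAT)]),     # 0.1 BTC fee
    Tx("t4", 4, [("hot_2", 3 * SAT)], [("new_2", 90_000_000)]),         # 2.1 BTC fee
    Tx("t5", 5, [("hot_2", 10_020_000_000)], [(COLD, 100 * SAT)]),      # to cold wallet
]
```

Calling `triage(SAMPLE, HOT, COLD)` flags the high-fee move to the cold wallet but keeps it out of the suspect set, which mirrors how the report separates 18x5 from the other 38 addresses.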

Bitcoins stolen from Bithumb are transferred to Yobit

Address 1JwpFNKhBMHytJZtJCe7NhZ8CCZNs69NJ1 corresponds to the peak in the image above; it belongs to the Yobit exchange and received 603 BTC. Another Yobit address – 13jHABthiyHHtviHe9ZxjtK8KcEANzhjBT – received 396 BTC through the same chain of transactions.

The remaining funds were sent to Yobit directly:

  • 1DBRZgDZYnmLWLUpLMgBo1P12v9TnCL8qr – 100 BTC
  • 13rgFLyKYQduTwhJkkD83WDLVNMXs4fwPp – 100 BTC
  • 1A6wuQGYPbEEb9cy76tdSQHmm5fi5wvzHK – 344 BTC
  • 1JquU8Hp6nAhom5c3UDBa9QM5iv1W2Wf2b – 433 BTC

After these transfers, 29 BTC remained on the alleged hacker’s original addresses. These funds began to move on August 31 and were transferred to the CoinGaming.io service in transactions of 2 BTC.

29 BTC moves to CoinGaming.io

Thus, the analysts conclude that the 38 addresses in question are likely to belong to a hacker, and that most of the stolen funds subsequently ended up on the Yobit exchange.

Binance has previously confirmed that it has frozen wallets that may be linked to assets withdrawn from WEX.
