‘Operation DK’ is the name given to the pseudonymous identity of the individual who contacted me on Twitter at approximately 13:00 EST on May 18th, 2019, requesting the tracing of allegedly stolen/hacked funds.
Transactions in Question:
Reviewing the First Transaction
The following addresses are related to the first transaction (victim):
These addresses are all inputs that sent funds to the hacker’s address, which is: 1KcnVpU4ajCpp1dBK7VhRTZvEdu5QEBVdq
The transaction ID = c858f268d7e6a78e4884a7bb719307767a82f9560c0c6e8f7b49e4bb2b1c5780
The address where the hacked funds went to has been active since March 13, 2019.
Notably, the victim was hacked on May 17th, 2019.
In addition, funds were received from 3JjPf13Rd8g6WAyvg8yiPnrsdjJt1NP4FC, an address strongly linked to illicit activity on behalf of HitBTC.
Below are the transaction IDs:
For reference, this article here should be viewed: https://bitcoinexchangeguide.com/hitbtc-appears-insolvent-blockchain-analysis/
Above is the address that received the hacked funds from the victim. The web of connections is somewhat complex, so this visualization is tailored to help interested parties follow the passage of funds more easily.
The two addresses in the picture above received funds directly from the hacker’s address.
Specifically, these addresses are:
Both addresses have been hyperlinked with the transaction ID that shows this transfer of funds.
If we zoom the image out slightly, we can see some of the funds leading directly to a Binance deposit address (belonging to some customer at Binance).
The Binance deposit address in question that has received these funds is: 1LncA9soMJaxkCNDehGN7abGXorcLW3e6H
Specifically, this address received its funds from bc1q2g3tfxu6lq453kyqyeenj3dh4qteha99f4kj3c
Since the funds are commingled with funds from other sources (which may or may not be illicit), it is nearly impossible to tell which funds are explicitly tied to this hack and which come from other sources.
One thing that can be said, though, is that all of the funds commingled at this address, and at the other addresses identified in connection with the hacked funds, should be considered tainted.
Other Addresses Funds Are Parked At
- 1Cpf8CCwYRwXbjH4V8x6bhGR7NQ2VZNYez ; 12.77225288 bitcoins
- 1AwqZ1LyUTRDJc3fxjVXh14ATVnAaqYcbb ; 20.79284085 bitcoins
- 18dppbiRVeCh8oXnNVBvPYx7B9dQsdMX3s ; 20.30903456 bitcoins
- 1Le5BbPTakNW5eFKGMhbn4X3Z6XDy4jX9B ; 1.55076306 bitcoins
- 3ApPvGS1Bsk4f879teGVABxPP7LF3WpXqc ; 4 bitcoins
Viewing the transaction history of the addresses listed above makes it immediately apparent that funds are arriving from multiple different addresses.
Second Binance Address That Received Funds
Below is a visualization of another Binance deposit address that received funds:
Again, in this instance, this address did not receive 100% of the funds extracted from the victim. Some of the victim’s funds were diverted elsewhere, and some of the funds that did end up in that Binance deposit address also stem from other sources.
The Binance Deposit Address in question in the picture above = 1DY21Hxe8TYMpTKHYA8YpZDSCnJchcXGdy
Here is the link to the transaction ID that shows this passage of funds: https://www.blockchain.com/btc/tx/0af88fb5c99df1e737e7b7611a620530c402ef5237c5db41bfd9f7fd3384def4
Another path with a negligible amount of bitcoins leads to ‘Wirex’ as well.
Here is the transaction ID that shows this passage of funds: https://www.blockchain.com/btc/tx/02961a68cc92226966bc70e67be066166114ceaeb89b86bc50bb1b6f091f4089
Funds mainly went to the first Binance deposit address mentioned in this report, which is: 1LncA9soMJaxkCNDehGN7abGXorcLW3e6H
Specifically, 19.12544137 bitcoins from that wallet belong to the victim of this hack.
The vast majority of the other bitcoins have not yet ended up at an exchange (from what can be seen). So far, they are parked at a number of addresses and commingled with additional funds from other outside sources.
Those wallets should be monitored consistently with alerts if the appropriate software is on hand to do so.