Operation DK: Blockchain Analysis Using Crystal Blockchain



‘Operation DK’ is the name given as a pseudonymous identity for the individual who contacted me on Twitter at approximately 13:00 EST on May 18th, 2019, requesting the tracking of allegedly stolen/hacked funds.

Transactions in Question:

  1. https://www.blockchain.com/btc/tx/c858f268d7e6a78e4884a7bb719307767a82f9560c0c6e8f7b49e4bb2b1c5780
  2. https://www.blockchain.com/btc/tx/279c41ebbc52423f5534122978126bfe44ab82f2f01aee7fbc02213c50464240

Reviewing the First Transaction

The following addresses are related to the first transaction (victim):

These addresses are all inputs that sent funds to the hacker's address, which is: 1KcnVpU4ajCpp1dBK7VhRTZvEdu5QEBVdq

The transaction ID = c858f268d7e6a78e4884a7bb719307767a82f9560c0c6e8f7b49e4bb2b1c5780

The address where the hacked funds went to has been active since March 13, 2019.

Notably, the victim was hacked on May 17th, 2019.

In addition, funds were received from 3JjPf13Rd8g6WAyvg8yiPnrsdjJt1NP4FC, which is strongly associated with illicit activity on behalf of HitBTC.

The funds were sent from the illicit address to the address that received the hacked funds in 6 separate transactions.

Below are the transaction IDs:

For reference, see this article: https://bitcoinexchangeguide.com/hitbtc-appears-insolvent-blockchain-analysis/

Looking at the Visualization for Crystal Blockchain

Above is the address that received the hacked funds from the victim. The web of connections is somewhat complex, so this visualization is tailored to help interested parties follow the passage of funds more easily.

The two addresses in the picture above received funds directly from the hacker’s address.

Specifically, these addresses are:

  1. bc1q2g3tfxu6lq453kyqyeenj3dh4qteha99f4kj3c
  2. 15qVKBhGsdR5kuR66hsoij9DygjAdi2kfk

Both addresses have been hyperlinked with the transaction ID that shows this transfer of funds.

If we zoom out of the image slightly, we can see some of the funds leading directly to a Binance deposit address (one that belongs to a Binance customer).

The Binance deposit address in question that has received these funds is: 1LncA9soMJaxkCNDehGN7abGXorcLW3e6H

Specifically, this address received its funds from bc1q2g3tfxu6lq453kyqyeenj3dh4qteha99f4kj3c

The other address sent a string of funds that leads to 1CNfUWjmDQBYK3xw9Mqg3dQj7uf9SfgiSJ, where 18.20136927 bitcoins are parked at the time of writing. These funds are not at an exchange.

Since the funds are commingled with funds from other sources (that may or may not be illicit), it is nearly impossible to tell which funds are explicitly tied to this hack and which ones come from other sources.

One thing that can be said, though, is that all of the funds commingled at this address, and at the other addresses identified in connection with the hacked funds, should be considered tainted.
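
The commingling problem described above, as an added example that is not part of the original report: it replays a small constructed transaction graph under the "poison" rule (everything mixed with stolen funds is fully tainted, the position taken here) and, going beyond the report, under the proportional "haircut" rule for comparison. Address labels and amounts are invented, fees are ignored, and taint is tracked per address rather than per output.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample data: labels and satoshi amounts are invented for
# illustration and are not the addresses or values from this report.
SEED = {"theft_addr": 1_000_000_000}  # 10 BTC received directly from the victim
TXS = [
    # (inputs {address: sats spent}, outputs {address: sats received})
    ({"theft_addr": 1_000_000_000},
     {"hop_a": 600_000_000, "hop_b": 400_000_000}),
    ({"hop_a": 600_000_000, "outside_1": 1_400_000_000},
     {"parked": 2_000_000_000}),
    ({"hop_b": 400_000_000, "outside_2": 100_000_000},
     {"exchange_deposit": 500_000_000}),
]

def trace(seed, txs, poison):
    """Replay txs in order; return {address: (tainted_sats, total_sats)}."""
    total = defaultdict(Fraction)
    dirty = defaultdict(Fraction)
    for addr, sats in seed.items():
        total[addr] += sats
        dirty[addr] += sats
    for inputs, outputs in txs:
        spent = spent_dirty = Fraction(0)
        for addr, sats in inputs.items():
            # Funds with no recorded origin are outside money, assumed clean.
            if total[addr] < sats:
                total[addr] = Fraction(sats)
            share = dirty[addr] / total[addr]
            dirty[addr] -= share * sats
            total[addr] -= sats
            spent += sats
            spent_dirty += share * sats
        ratio = spent_dirty / spent
        if poison and ratio > 0:
            ratio = Fraction(1)  # any tainted input taints every output in full
        for addr, sats in outputs.items():
            total[addr] += sats
            dirty[addr] += ratio * sats
    return {a: (int(dirty[a]), int(total[a])) for a in total if total[a] > 0}

if __name__ == "__main__":
    for name, flag in (("poison", True), ("haircut", False)):
        for addr, (bad, bal) in trace(SEED, TXS, flag).items():
            print(f"{name:8} {addr:17} {bad / 1e8:.2f} of {bal / 1e8:.2f} BTC tainted")
```

Under the poison rule the whole balance of every downstream address is flagged; under haircut only the share that traces back to the theft is.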

Other Addresses Funds Are Parked At

  1. 1Cpf8CCwYRwXbjH4V8x6bhGR7NQ2VZNYez ; 12.77225288 bitcoins
  2. 1AwqZ1LyUTRDJc3fxjVXh14ATVnAaqYcbb ; 20.79284085 bitcoins
  3. 18dppbiRVeCh8oXnNVBvPYx7B9dQsdMX3s ; 20.30903456 bitcoins
  4. 1Le5BbPTakNW5eFKGMhbn4X3Z6XDy4jX9B ; 1.55076306 bitcoins
  5. 3ApPvGS1Bsk4f879teGVABxPP7LF3WpXqc ; 4 bitcoins

If one were to view the transaction history of the addresses listed above, it would be immediately apparent that there are funds coming from multiple different addresses.

Second Binance Address That Received Funds

Below is a visualization of another Binance deposit address that received funds:

Again, in this instance, this address did not receive 100% of the funds that were extracted from the victim. Some of the funds from the victim were diverted elsewhere and some of the funds that did end up in that Binance deposit address also stem from other sources.

The Binance deposit address in question in the picture above is: 1DY21Hxe8TYMpTKHYA8YpZDSCnJchcXGdy

Specifically, only 0.1356124 bitcoins from the address that received the hacked funds were sent to the Binance deposit address shown above.

Here is the link to the transaction ID that shows this passage of funds: https://www.blockchain.com/btc/tx/0af88fb5c99df1e737e7b7611a620530c402ef5237c5db41bfd9f7fd3384def4

Another path with a negligible amount of bitcoins leads to ‘Wirex’ as well.

Here is the transaction ID that shows this passage of funds: https://www.blockchain.com/btc/tx/02961a68cc92226966bc70e67be066166114ceaeb89b86bc50bb1b6f091f4089


Funds mainly went to the first Binance deposit address mentioned in this report, which is: 1LncA9soMJaxkCNDehGN7abGXorcLW3e6H

Specifically, 19.12544137 bitcoins from that wallet belong to the victim of this hack.

TX ID: https://www.blockchain.com/btc/tx/b8b02851613e473e3ccc16c29588907b6d8220a66b42fa65c8806357471f225e

The vast majority of the other bitcoins have not yet ended up at an exchange (from what can be seen). So far, they are parked at a number of addresses and commingled with additional funds from outside sources.

Those wallets should be monitored consistently with alerts if the appropriate software is on hand to do so.
