Crystal, Bitfury’s blockchain analytics department, has published a report on the hack of the South Korean exchange Bithumb. The attack led to a loss of $31 million, including 2,016 BTC. According to the analysts’ findings, most of the stolen funds later ended up at the Yobit exchange.
Bithumb temporarily stopped accepting user deposits on June 16 to update its security systems and database, and on June 20 the exchange’s management reported the aforementioned loss of $31 million.
The analysts decided to study the events that occurred on the platform during the four days prior to the hack. After inspecting more than one million Bithumb addresses, they compiled a list of the addresses to which funds were transferred during those days.
Until June 19, the transfer of funds took place as follows:
- Most of the bitcoins were collected at the address 1LhWMukxP6QGhW6TMEZRcqEUW2bFMA4Rwx (hereafter “1LhW”);
- From the address 1LhW, large-volume transfers were made to the address 18x5Wo3FLQN4t1DLZgV2MoAMWXmCYL9b7M (hereafter “18x5”).
The analysts identified address 18x5 as the exchange’s cold wallet, since it was used for rare, large-scale transactions to and from Bithumb addresses.
The transaction pattern changed on June 19, when a wallet belonging to Bithumb twice transferred funds to the addresses 34muFC1sWsvJ5dzWCotNH4rpKSNfkSCYvD and 3DjdVF83hhXKXV8nUFWCF5chrdSAkgE6Ny with an unusually high commission of 0.1 BTC. After that, within half an hour, about 1,050 BTC were transferred to addresses that had not previously appeared on the blockchain. In total, the transfer of funds to these addresses lasted longer than a day.
At this stage, the exchange stopped using the buffer address 1LhW. In addition, the commissions on incoming transactions at 18x5 increased significantly, first to 0.1 BTC and then to 0.2 BTC.
Shortly thereafter, Bithumb’s official Twitter account warned users not to deposit to the exchange’s addresses.
The withdrawal of funds from the exchange’s wallets with high commissions continued; at times the commission exceeded 2 BTC, and in some transactions it was even larger than the amount being transferred. Because of this, on June 19-20 commissions rose across the entire Bitcoin network, which in turn slowed down transaction processing.
In total, bitcoins from all of Bithumb’s wallets migrated to 39 addresses. Most of the funds were received by 18x5, the wallet owned by Bithumb. The remaining 38 addresses are believed to belong to the attackers. They received 2002.52 BTC, paying 48.4126 BTC in commissions.
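The screening described above, written as an added example (not code from the Crystal report or from Bithumb): it flags transfers leaving exchange wallets that combine a commission of 0.1 BTC or more, or one larger than the amount sent, with a destination that has no prior on-chain history. The address labels, the transaction values and the rule of requiring both signals together are assumptions made for the illustration.

```python
from collections import defaultdict
from decimal import Decimal as D

FEE_THRESHOLD = D("0.1")  # the commission level the report calls unusually high

def flag_outflows(txs, exchange_addrs, history):
    """Flag transfers out of exchange wallets that match the pattern above.

    txs: time-ordered dicts with txid, src, dst, amount, fee (BTC as Decimal).
    exchange_addrs: addresses already attributed to the exchange (hot and cold).
    history: addresses that had on-chain activity before the monitored window.
    Returns (alerts, totals received and fees paid per flagged destination).
    """
    known = set(exchange_addrs) | set(history)
    alerts = []
    totals = defaultdict(lambda: {"received": D(0), "fees": D(0)})
    for tx in txs:
        # Internal moves (e.g. to the cold wallet) may carry high fees too,
        # so only transfers that leave the exchange's own cluster are scored.
        if tx["src"] not in exchange_addrs or tx["dst"] in exchange_addrs:
            continue
        reasons = []
        if tx["fee"] >= FEE_THRESHOLD:
            reasons.append("high_fee")
        if tx["fee"] > tx["amount"]:
            reasons.append("fee_exceeds_amount")
        if tx["dst"] not in known:
            reasons.append("new_destination")
        # A first-time destination alone is an ordinary customer withdrawal;
        # alert only when it coincides with an abnormal fee.
        if "new_destination" in reasons and len(reasons) > 1:
            alerts.append((tx["txid"], tx["dst"], reasons))
            totals[tx["dst"]]["received"] += tx["amount"]
            totals[tx["dst"]]["fees"] += tx["fee"]
    return alerts, dict(totals)

# Constructed sample data: labels stand in for addresses, values are invented.
EXCHANGE = {"EXCH_HOT_1", "EXCH_HOT_2", "EXCH_COLD"}
HISTORY = {"CUSTOMER_A"}
def _tx(txid, src, dst, amount, fee):
    return {"txid": txid, "src": src, "dst": dst, "amount": D(amount), "fee": D(fee)}
SAMPLE_TXS = [
    _tx("t1", "EXCH_HOT_1", "CUSTOMER_A", "1.5", "0.0005"),  # routine withdrawal
    _tx("t2", "EXCH_HOT_1", "EXCH_COLD", "300", "0.2"),      # move to cold wallet
    _tx("t3", "EXCH_HOT_1", "NEW_1", "500", "0.1"),
    _tx("t4", "EXCH_HOT_2", "NEW_2", "1.2", "2.0"),          # fee exceeds amount
    _tx("t5", "EXCH_HOT_2", "NEW_1", "50", "0.1"),
    _tx("t6", "EXCH_HOT_2", "NEW_3", "0.8", "0.0004"),       # new customer, normal fee
]
```

Calling `flag_outflows(SAMPLE_TXS, EXCHANGE, HISTORY)` returns the flagged transfers together with per-destination totals, the same kind of summary as the received and commission figures quoted for the 38 addresses.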
From that point, the analysts traced the movement of funds from these addresses, which began on August 2. A large transaction of 1,000 BTC was sent first. According to the Bitfury analysis, these funds were eventually split into parts of approximately 30 BTC each and ended up in two wallets of the Yobit exchange.
“The address 1JwpFNKhBMHytJZtJCe7NhZ8CCZNs69NJ1 on top of the graph, which belongs to Yobit, received 603 BTC. Another Yobit address, 13jHABthiyHHtviHe9ZxjtK8KcEANzhjBT, received 396 BTC via the same chain of transactions,” states the report.
All remaining bitcoins were transferred to Yobit directly.
After these transactions were completed, the alleged hacker still held 29 BTC. These began to move on August 31 and were transferred to the CoinGaming.io service in portions of approximately 2 BTC each.
The analysts thus conclude that the 38 addresses most probably belong to a hacker, and that most of the stolen funds subsequently landed at the Yobit exchange.
Recall that earlier in October, the Bithumb cryptocurrency exchange was sold to the BK Global Consortium, a blockchain investment division of the Singapore-based BK Global, a plastic surgery company.
Yobit’s shady reputation precedes it. The Russian cryptocurrency exchange is infamous for pump-and-dump schemes, which the platform is not even shy about announcing in public. Last year, a study of Telegram groups identified Yobit as a favorite place for traders to inflate prices for subsequent sales of cryptocurrency.