Liquid Exchange Hacker Sends $20 Million to ETH Mixer To Covers Tracks
The hacker of the Japanese crypto exchange Liquid, who stole an estimated $90 million has been taking steps to cover their tracks, blockchain data reveals.
However, two exchanges have already froze funds deposited from addresses believed to belong to the hacker.
Liquid disclosed the breach Thursday in a tweet, pointing at several wallets that it said hackers used to siphon out bitcoin, ethereum, multiple ERC20 tokens, TRON and XRP.
Important Notice: We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet.
We are currently investigating and will provide regular updates. In the meantime deposits and withdrawals will be suspended.
Liquid tweeted that they had identified more crypto addresses belonging to the hacker. The exchange said it halted crypto withdrawals and filed a suspicious transaction report with the Monetary Authority of Singapore (MAS), the country’s financial regulator. On Saturday, Liquid said it updated the exchange’s wallet infrastructure and had been migrating users’ funds “to the new secure vaults.”
The hack is one of the largest of a crypto exchange in recent history, although smaller than the $146 million hack of Italian exchange BitGrail in 2020 and the more than $500 million hack of Tokyo-based Coincheck in 2018.
Due to the nature of blockchain data being public, everyone from sophisticated analytics vendors who contract for law enforcement to curiosity-seekers and autodidacts can trace the movement of the crypto – up to a certain point.
According to Etherscan block explorer, a little over 6,000 ETH (or about $19.7 million) stolen from Liquid has been sent to Tornado.cash, a non-custodial mixer for ether and ERC20 tokens that allows users to obfuscate their transactions by commingling their crypto with the coins of others.
And that’s as far as the trail goes.
Blockchain analysis to a certain extent relies on assumptions about the relationships of addresses to each other and to people in the real world. So on-chain data alone does not provide definitive answers as to who sent money to whom. However, combined with off-chain, real-world information, it can produce valuable insights about the ways crypto works.
Stolen Coins Deposited at DEXs
Etherscan also reveals that the hacker used Uniswap, a decentralized exchange (DEX), and other DEXs to liquidate ERC20 tokens, which run on top of the Ethereum network, over the past two days.
9,319 ETH, or $30 million worth of crypto, is still sitting in the hacker’s wallet.
Elliptic released similar findings in a blog post Thursday. Over $97 million in crypto has been sent to the presumed thief’s wallets, the blockchain research firm wrote.
“This includes $45 million in Ethereum tokens, which are currently being converted into ether using decentralised exchanges (DEXs) such as Uniswap and SushiSwap.”
According to Liquid’s Friday blog post, various issuers of ERC20 tokens have now frozen those stolen assets. Overall, 69 assets have been stolen from the exchange’s wallets “and sent to other exchanges or defi swapping venues,” Liquid said.
Another ETH wallet controlled by the hacker, identified by Liquid, hasn’t liquidated any funds yet and contains over 538 ETH worth $1.7 million.
The bitcoin stolen from Liquid also remains in the hacker’s wallets and hasn’t moved to any exchange yet, as per data from Blockchain.com, all the 107.4 BTC ($4.8 million worth) sent to the address cited by Liquid is still there.
…and Also at CEXs
A portion of the stolen TRON tokens worth about $1 million was sent in large batches to an address belonging to the centralized crypto exchange (CEX) Huobi, according to the Tronscan blockchain explorer. The funds reached Huobi in several hops via four interconnected wallets.
Huobi’s spokesperson, Mark Lee confirmed that the address was indeed a Huobi user’s deposit address.
“After Huobi was alerted of this incident, we quickly placed restrictions on the account, and are currently in the internal process of investigating both the transaction and the account.”
Some of the stolen TRON, about 3.5 million TRX (or $321,000), didn’t go to Huobi but ended up in a separate wallet.
As for the XRP tokens, the wallet identified by Liquid as the hacker’s sent 11.5 million XRP, about $14.5 million worth, to centralized exchanges Binance, Huobi and Poloniex, according to data from XRPScan.
Some of those XRP had been successfully swapped for bitcoin on one of the exchanges, Liquid tweeted, and the hacker also managed to withdraw the bitcoin to two addresses (one, two), which now together hold some 192 BTC.
Update: We are currently tracing the movement of the assets and working with other exchanges to freeze and recover funds.
Attacker deposited XRP via another exchange and withdrew BTC to these 2 addresses: 12PKkwoFkXp6JtN7roWRA2gSitE6nVDds4 1JW1tcBXp1vZ6KGEirFNSXb5RgZSaL63Av
That exchange, it turned out, was Binance, which identified the XRP stolen from Liquid in its wallets. The spokesperson Jessica Jung commented:
“We provided Liquid with relevant information, including the BTC withdrawal addresses. [Binance has frozen] associated accounts.”
KuCoin’s CEO Johnny Lyu tweeted on Thursday that his crypto exchange has blacklisted the addresses Liquid pointed at as related to the hack.
We are aware of the #LiquidGlobal security incident, and the hacker's addresses have been added to the blacklist of #KuCoin. Hope everything is OK. ? https://t.co/IasscGItZH
