SlowMist Technology 2022-04-06 10:30:29
Author: [email protected] SlowMist AML team
Original title: "On-chain tracking: Tornado.Cash, a popular money-laundering technique"
A while ago we published "On-chain tracking: Peel Chain, a popular money-laundering technique"; today we continue the series. This time the topic is the mixer Tornado.Cash.
As thefts by hackers grow ever more serious, Tornado.Cash is becoming more and more "famous": most hackers send their stolen "dirty money" to Tornado.Cash without hesitation. We have previously examined the anonymity of Tornado.Cash, see: SlowMist AML: "Lifting" Tornado.Cash's veil of anonymity. Today we use a real case to look at how a hacker laundered funds through Tornado.Cash.
Tornado.Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between the source address and the destination address. To protect privacy, Tornado.Cash uses a smart contract that accepts deposits of ETH and other tokens from one address and allows them to be withdrawn to a different address, so that the ETH or other tokens are sent to an arbitrary address while the sending address is hidden. These smart contracts act as a pool in which all deposited assets are mixed. When you put funds into the pool (that is, deposit), a private credential (a random key) is generated that proves you performed the deposit. Later, this private credential serves as your private key when withdrawing: the contract transfers the ETH or other tokens to the designated receiving address, and the same user can use different withdrawal addresses.
Today's analysis is a real case: when the victim platform came to us (details cannot be disclosed), the stolen funds on the three chains Ethereum, BSC and Polygon had already been moved by the hacker into Tornado.Cash, so we focus mainly on the Tornado.Cash part.
Hacker addresses: (to protect the victim platform, the addresses in this article have been partially masked)
With the help of SlowMist's MistTrack anti-money-laundering tracking system, we first perform a general feature analysis of the addresses.
From the partial results shown, the hacker's most-used counterparties in trading activity, apart from bridges (Bridge), are mixers (Mixer); these are very important for building a profile of the hacker.
Next, we analyze the funds and behavior on Ethereum in depth. According to MistTrack, the hacker transferred 2450 ETH into Tornado.Cash in batches, in the form of 5x10 ETH + 24x100 ETH, and moved 198 ETH into FixedFloat. Let's keep that FixedFloat detail in mind and continue tracking the Tornado.Cash part.
Since we want to try to track the hacker's withdrawal addresses from Tornado.Cash, we have to start from the time of the first deposit into Tornado.Cash on Ethereum. We found that the time span between the first 10 ETH deposit and the second was comparatively wide, so we begin the analysis with the 100 ETH deposits, where the span is smaller.
Locating the transactions corresponding to the Tornado.Cash: 100 ETH contract, we found many addresses withdrawing from Tornado.Cash. After MistTrack analysis, we screened for addresses that match the timeline and transaction characteristics. Of course, many addresses remained, which required continuous analysis. But soon we had the first address that aroused our suspicion (0x40F…952).
According to MistTrack, address (0x40F…952) transferred the ETH it received from Tornado.Cash to address (0x8a1…Ca7), which then split the ETH into three transactions and transferred it to FixedFloat.
Of course, this may also be a coincidence; we need to keep verifying.
Continuing the analysis, we found that three addresses share the same characteristics:
A→B→(multiple transactions) FixedFloat
A→(multiple transactions) FixedFloat
Supported by these characteristics, we analyzed the addresses matching them, and there happened to be exactly 24 such addresses, consistent with our hypothesis.
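The screening described above combines two filters: a timeline filter (only withdrawals from the pool after the hacker's first deposit are candidates) and a downstream-flow filter (the withdrawal address sends the funds, directly or through one intermediate address, to a known swap/mixing service in several transactions). The following Python script is an added illustration of that heuristic and is not MistTrack code or any code from the original article. All addresses, timestamps and the "FixedFloat" label are constructed placeholders; real analysis would read transfers from a node or indexer instead of an inline list.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int      # block timestamp (constructed, unix-like integers)
    src: str
    dst: str
    value: float  # amount in ETH


# Constructed sample data: placeholder addresses, not real on-chain values.
POOL = "0xTORNADO_100ETH"                 # stands in for the Tornado.Cash 100 ETH pool
SERVICES = {"0xFIXEDFLOAT": "FixedFloat"}  # labelled service deposit addresses (placeholder)
HACKER = "0xHACKER"

TRANSFERS = [
    # hacker deposits 3 x 100 ETH into the pool
    Transfer(1000, HACKER, POOL, 100), Transfer(1100, HACKER, POOL, 100), Transfer(1200, HACKER, POOL, 100),
    # withdrawal A1 -> intermediate B1 -> FixedFloat in three transactions (pattern A->B->service)
    Transfer(5000, POOL, "0xA1", 100),
    Transfer(5100, "0xA1", "0xB1", 99.9),
    Transfer(5200, "0xB1", "0xFIXEDFLOAT", 40), Transfer(5300, "0xB1", "0xFIXEDFLOAT", 30),
    Transfer(5400, "0xB1", "0xFIXEDFLOAT", 29.9),
    # withdrawal A2 -> FixedFloat directly in two transactions (pattern A->service)
    Transfer(6000, POOL, "0xA2", 100),
    Transfer(6100, "0xA2", "0xFIXEDFLOAT", 50), Transfer(6200, "0xA2", "0xFIXEDFLOAT", 49.9),
    # unrelated user: withdrew in the window but funds sit idle
    Transfer(7000, POOL, "0xA3", 100),
    # withdrawal before the hacker's first deposit: cannot be the hacker's funds
    Transfer(500, POOL, "0xA0", 100),
    # withdrawal that moves two hops to an unlabelled address: no service hit
    Transfer(8000, POOL, "0xA4", 100),
    Transfer(8100, "0xA4", "0xB4", 99.9), Transfer(8200, "0xB4", "0xC4", 99.9),
]


def deposit_window(transfers, depositor, pool):
    """(first, last) timestamp of the depositor's transfers into the pool, or None."""
    ts = [t.ts for t in transfers if t.src == depositor and t.dst == pool]
    return (min(ts), max(ts)) if ts else None


def candidate_withdrawals(transfers, pool, first_deposit_ts, horizon):
    """Timeline filter: withdrawals from the pool between the first deposit and first deposit + horizon."""
    return sorted((t.ts, t.dst) for t in transfers
                  if t.src == pool and first_deposit_ts <= t.ts <= first_deposit_ts + horizon)


def trace_to_service(transfers, addr, services, max_hops=2, min_txs=2, _path=None):
    """Downstream filter: does addr reach a labelled service in >= min_txs transfers within max_hops?"""
    path = (_path or []) + [addr]
    by_dst = defaultdict(list)
    for t in transfers:
        if t.src == addr:
            by_dst[t.dst].append(t)
    # direct hit: several transfers from this address into one labelled service
    for dst, txs in by_dst.items():
        if dst in services and len(txs) >= min_txs:
            return {"path": path + [services[dst]], "txs": len(txs), "value": sum(t.value for t in txs)}
    if len(path) >= max_hops:
        return None
    # otherwise follow one more hop through an intermediate (unlabelled) address
    for dst in by_dst:
        if dst not in services:
            hit = trace_to_service(transfers, dst, services, max_hops, min_txs, path)
            if hit:
                return hit
    return None


def find_laundering_cluster(transfers, depositor, pool, services, horizon):
    """Combine both filters; returns {withdrawal_address: hit details} for addresses matching the pattern."""
    window = deposit_window(transfers, depositor, pool)
    if window is None:
        return {}
    first_ts, _ = window
    hits = {}
    for _, addr in candidate_withdrawals(transfers, pool, first_ts, horizon):
        hit = trace_to_service(transfers, addr, services)
        if hit:
            hits[addr] = hit
    return hits


if __name__ == "__main__":
    for addr, hit in find_laundering_cluster(TRANSFERS, HACKER, POOL, SERVICES, horizon=10000).items():
        print(addr, " -> ".join(hit["path"]), f'{hit["txs"]} txs, {hit["value"]:.1f} ETH')
```

On the constructed data the script flags 0xA1 (A→B→FixedFloat, three transactions) and 0xA2 (A→FixedFloat, two transactions), and discards the pre-deposit withdrawal, the idle withdrawal and the two-hop flow that never reaches a labelled service. As the article stresses, a match is a candidate rather than proof: the count of matches should be checked against the number of deposits (24 here), and each candidate still needs manual verification, since an unrelated user can produce the same shape by coincidence.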
As shown in the figure, of the 365,247 MATIC the hacker profited, part of the MATIC was split into 7 transfers into Tornado.Cash.
The remaining 25,246.722 MATIC went to address (0x75a…5c1). Tracking that portion, we found that the hacker transferred 25,246.721 MATIC to FixedFloat, which made us wonder whether the funds on Polygon were laundered in the same way.
We start from the last three transactions in the figure above, those corresponding to the Tornado: 100,000 MATIC contract. We also found that there are not many addresses withdrawing from the Tornado.Cash contract, so at this point we can analyze them one by one.
Soon we found the first address that looked problematic to us (0x12e…69e). We see the familiar FixedFloat address: not only did FixedFloat transfer MATIC to address (0x12e…69e), but the receiving address of the funds transferred out of (0x12e…69e) also transferred MATIC to FixedFloat.
After analyzing the other addresses, we found that they all use the same laundering method, so we won't go into more detail here. From the analysis so far, the hacker clearly has a preference for FixedFloat, but that preference also became a handle on him.
Let's analyze the BSC part. There are two hacker addresses on BSC; let's look at address (0x489…1F4) first:
This hacker address transferred 1700 ETH to Tornado.Cash in 17 transactions, and the time range is also fairly consistent. Just when we thought the hacker would repeat the same trick, it turned out otherwise. Again, after MistTrack analysis and screening, we filtered out the addresses matching the timeline and transaction characteristics and then worked through them one by one.
During the analysis, address (0x152…fB2) caught our attention. As pictured, MistTrack shows that this address transferred the ETH it received from Tornado.Cash out to SimpleSwap.
Further analysis found that it was old wine in a new bottle: although the hacker switched platforms, the characteristics of the technique are still similar:
The other hacker address (0x24f…bB1) deposited into Tornado.Cash in units of 10 BNB.
In the laundering of this address the hacker chose yet another platform, but the technique is still similar. We won't analyze them one by one here.
Starting from a real case, this article analyzes how a hacker tried to use Tornado.Cash on different chains to clean up stolen funds. The laundering method is very similar on each chain: the main characteristic is that after withdrawing from Tornado.Cash, the funds are transferred, directly or through one layer of intermediate addresses, to a common swap/mixing platform (FixedFloat/SimpleSwap/Sideshift.ai). Of course, this is just one way of laundering money through Tornado.Cash; more tricks are still waiting for us to discover.
Copyright notice: this article was created by [SlowMist Technology]; please include the original link when reposting, thank you. https://netfreeman.com/2022/03/202203211749144563.html