How did hackers launder stolen funds through Tornado.Cash?

SlowMist Technology 2022-04-06 10:30:29 Views: 119


Author: [email protected] (SlowMist AML team)

Original title: On-chain Tracking: Tornado.Cash as a Popular Laundering Technique

Some time ago we published On-chain Tracking: Peel Chain as a Popular Laundering Technique. Today we continue the series; this time the subject is the mixer Tornado.Cash.

As thefts by hackers become more and more serious, Tornado.Cash is also becoming more and more "famous": most hackers ruthlessly send their "dirty money" to Tornado.Cash. We have previously examined the anonymity of Tornado.Cash, see: SlowMist AML: Lifting the Anonymous Veil of Tornado.Cash. Today we use a real case to see how a hacker laundered money through Tornado.Cash.

Basic knowledge

Tornado.Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between the source address and the destination address. To protect privacy, Tornado.Cash uses smart contracts that accept deposits of ETH and other tokens from one address and allow them to be withdrawn to a different address, thereby hiding the sending address of ETH or tokens sent to any address. These smart contracts act as a pool that mixes all deposited assets. When you put money into the pool (a deposit), a private credential (a random key) is generated that proves you performed the deposit. When you withdraw, this private credential serves as your private key: the contract transfers the ETH or other tokens to the designated receiving address, and the same user can use different withdrawal addresses.

Case analysis

Today's analysis is a real case. When the victim platform came to us (details cannot be disclosed), the funds stolen on three chains, Ethereum, BSC and Polygon, had already been transferred by the hacker to Tornado.Cash, so our analysis focuses on the Tornado.Cash portion.

Hacker addresses (to protect the victim platform, the addresses in this article have been partially masked):

0x489...1F4(Ethereum/BSC/Polygon)

0x24f...bB1(BSC)

Ethereum part

With the help of SlowMist's MistTrack anti-money-laundering tracking system, we first perform a general feature analysis of the address.

From the partial results displayed, it can be seen that, apart from bridges, what the hacker uses most in trading activity is mixers. This is very important for building a profile of the hacker.

Next, we conduct an in-depth analysis of the funds and behavior on Ethereum. According to MistTrack, the hacker transferred 2450 ETH into Tornado.Cash in batches in the form of 5×10 ETH + 24×100 ETH, and sent 198 ETH to FixedFloat. We keep that in mind and continue tracking the Tornado.Cash portion.

Since we want to try to track the hacker's withdrawal addresses from Tornado.Cash, we have to start from the time the first funds were transferred from Ethereum into Tornado.Cash. We noticed the time span between the first 10 ETH deposit and the second, so we start with the 100 ETH deposits, whose time span is smaller.

Locating the transactions corresponding to the Tornado.Cash: 100 ETH contract, we find that there are many withdrawal addresses from Tornado.Cash. After MistTrack analysis, we screened out the addresses that match the timeline and transaction characteristics. Of course, there are still many addresses, which requires continuous analysis. But soon the first address aroused our suspicion (0x40F…952).

According to MistTrack analysis, address 0x40F…952 sent the ETH it withdrew from Tornado.Cash to address 0x8a1…Ca7, which then split the ETH into three transactions and transferred it to FixedFloat.

Of course, it may also be a coincidence; we need to continue verifying.

Continuing the analysis, we found that three addresses share the same characteristics:

A→B→(multiple transactions) FixedFloat

A→(multiple transactions) FixedFloat

Supported by these characteristics, we analyzed the addresses that match them, and there happen to be exactly 24 such addresses, consistent with our hypothesis.

Polygon part

As the figure shows, of the 365,247 MATIC the hacker gained, part of the MATIC was sent to Tornado.Cash in 7 transactions.

The remaining 25,246.722 MATIC went to address 0x75a…5c1. Tracking this portion, we found that the hacker transferred 25,246.721 MATIC to FixedFloat, which made us wonder whether the hacker laundered the money on Polygon in the same way.

Starting from the last three transactions in the figure above, which correspond to the Tornado: 100,000 MATIC contract, we also found that there are not many withdrawal addresses from this Tornado.Cash contract, so we can analyze them one by one.

Soon we found the first address that looked problematic (0x12e…69e). We see the familiar FixedFloat address: not only did FixedFloat transfer MATIC to address 0x12e…69e, but the address that received the funds transferred out of 0x12e…69e also sent MATIC to FixedFloat.

After analyzing the other addresses, we found that they all use the same laundering method, so no more details here. From the analysis so far, the hacker clearly has a preference for FixedFloat, but that preference also became a lead against them.

BSC part

Let's analyze the BSC part. There are two hacker addresses on BSC; let's look at the first address (0x489…1F4):

The hacker's address transferred 1700 ETH to Tornado.Cash in 17 transactions, and the time range is also fairly consistent. Just when we thought the hacker would repeat the same trick, it turned out not to be the case. Again, after MistTrack analysis and screening, we screened out the addresses that match the timeline and transaction characteristics, then made breakthroughs one by one.

During the analysis, address 0x152…fB2 caught our attention. As pictured, according to MistTrack, this address transferred the ETH it withdrew from Tornado.Cash out to SimpleSwap.

Further analysis shows that it is the same medicine in a different soup: although the hacker changed platform, the technique characteristics are still similar:

A→SimpleSwap

A→B→SimpleSwap

Another hacker address (0x24f…bB1) deposited into Tornado.Cash in units of 10 BNB.

In the laundering technique of this address, the hacker chose yet another platform, but the technique is still similar. We will not analyze them one by one here.
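The screening heuristic used in the Ethereum, Polygon and BSC sections (withdrawals from the mixer contract after the first deposit, whose funds reach a swap service directly or through one intermediate address) can be written as a small script. This is an added example, not SlowMist or MistTrack code; the transaction list, address names, service labels and time window are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not from the article): (time, sender, receiver, amount)
MIXER = "Tornado.Cash:100 ETH"
SERVICES = {"FixedFloat", "SimpleSwap"}  # swap services named in the article

TXS = [
    (1000, "hacker", MIXER, 100),   # deposit
    (1100, "hacker", MIXER, 100),   # deposit
    (1300, MIXER, "0xA1", 100),     # withdrawal, A -> service (pattern 2)
    (1350, "0xA1", "FixedFloat", 60),
    (1400, "0xA1", "FixedFloat", 40),
    (1500, MIXER, "0xA2", 100),     # withdrawal, A -> B -> service (pattern 1)
    (1550, "0xA2", "0xB2", 100),
    (1600, "0xB2", "SimpleSwap", 50),
    (1650, "0xB2", "SimpleSwap", 50),
    (1700, MIXER, "0xA3", 100),     # withdrawal that never reaches a service
    (500, MIXER, "0xA0", 100),      # withdrawal before the first deposit: excluded
    (550, "0xA0", "FixedFloat", 100),
]

def outgoing(txs):
    """Index transfers by sender for fast forward-tracing."""
    by_sender = defaultdict(list)
    for t, s, r, a in txs:
        by_sender[s].append((t, r, a))
    return by_sender

def exits_to_service(addr, out, after, depth=0):
    """True if addr forwards funds (after time `after`) to a known service,
    directly or through at most one intermediate address."""
    for t, r, a in out.get(addr, []):
        if t < after:
            continue
        if r in SERVICES:
            return True
        if depth < 1 and exits_to_service(r, out, t, depth + 1):
            return True
    return False

def candidate_withdrawals(txs, mixer, window):
    """Withdrawal addresses from `mixer` within `window` after the first deposit
    whose funds reach a service; returns (matches, number_of_deposits) so the
    count can be compared with the deposit count as the article does."""
    deposits = [t for t, s, r, a in txs if r == mixer]
    first = min(deposits)
    out = outgoing(txs)
    found = [r for t, s, r, a in sorted(txs)
             if s == mixer and first <= t <= first + window
             and exits_to_service(r, out, t)]
    return found, len(deposits)
```

On the constructed ledger the two deposits pair with exactly two screened withdrawal addresses, mirroring the 24-for-24 match in the Ethereum section.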


Summary

This article started from a real case and analyzed how a hacker tried to use Tornado.Cash on different chains to launder stolen funds. The laundering methods are very similar: the main feature is that after withdrawing from Tornado.Cash, the funds are transferred, directly or through one layer of intermediate addresses, to common swap platforms (FixedFloat/SimpleSwap/Sideshift.ai). Of course, this is just one way of laundering through Tornado.Cash; more tricks are still waiting for us to find.

Copyright notice: this article was written by [SlowMist Technology]; please include the original link when reposting. Thank you. https://netfreeman.com/2022/03/202203211749144563.html