SlowMist Technology 2022-04-06 10:40:55 Reads: 48
This time the topic is the mixer Tornado.Cash.
As thefts by hackers become more and more serious, Tornado.Cash is also becoming more and more "famous": most hackers will, without hesitation, send their stolen "dirty money" to Tornado.Cash. We previously analyzed the anonymity of Tornado.Cash; see: SlowMist AML: "Unveiling" the anonymity of Tornado.Cash. Today, let's use a real case to see how a hacker laundered money through Tornado.Cash.
Basic knowledge
Tornado.Cash is a fully decentralized, non-custodial protocol that improves transaction privacy by breaking the on-chain link between the source address and the destination address. To protect privacy, Tornado.Cash uses a smart contract that accepts ETH and other token deposits from one address and allows them to be withdrawn to a different address, which hides the sending address when ETH or other tokens are sent to any address. These smart contracts act as a pool that mixes all deposited assets. When you put money into the pool (that is, deposit), a private credential (a random key) is generated that proves you performed the deposit. Later, this private credential is used as your private key when you withdraw: the contract transfers the ETH or other tokens to the designated receiving address, and the same user can use different withdrawal addresses.
Case analysis
Today's analysis is a real case. When the victim platform approached us (details cannot be disclosed), the stolen funds on the three chains Ethereum, BSC and Polygon had already been transferred by the hacker to Tornado.Cash, so we focus mainly on the Tornado.Cash part.
Hacker addresses:
(To protect the victim platform, the addresses in this article have been redacted)
0x489...1F4(Ethereum/BSC/Polygon)
0x24f...bB1(BSC)
Ethereum part
With the help of SlowMist's MistTrack anti-money-laundering tracking system, let's first do a general feature analysis of the address.
From the partial results shown, it can be seen that apart from Bridge, the category the hacker uses most in trading activity is Mixer; these are very important for building a profile of the hacker.
Next, we analyze the funds and behaviour on Ethereum in depth. According to the MistTrack anti-money-laundering tracking system, the hacker transferred 2450 ETH to Tornado.Cash in batches of 5 x 10 ETH + 24 x 100 ETH, and sent 198 ETH to FixedFloat. Let's keep this in mind and keep tracking the Tornado.Cash part.
Since we want to try to trace the hacker's withdrawal addresses from Tornado.Cash, we have to start from the time the first funds were transferred into Tornado.Cash on Ethereum. We noticed the time span between the first 10 ETH deposit and the second 10 ETH deposit, so we start instead with the 100 ETH deposits, where the span is small.
Locating the transactions corresponding to the Tornado.Cash: 100 ETH contract, we found many addresses withdrawing from Tornado.Cash. After MistTrack analysis, we screened out the addresses that match the timeline and transaction characteristics. Of course, many addresses still remained, which required continued analysis. But soon the first address that made us suspicious appeared (0x40F…952).
According to MistTrack, address (0x40F…952) transferred the ETH it received from Tornado.Cash to address (0x8a1…Ca7), which then split the ETH into three transactions and transferred it to FixedFloat.
Of course, this could also be a coincidence; we need to keep verifying.
Continuing the analysis, we found that three addresses share the same characteristics:
A→B→(multiple txs) FixedFloat
A→(multiple txs) FixedFloat
With these characteristics as support, we analyzed the addresses matching them, and there happened to be exactly 24 such addresses, consistent with our hypothesis.
Polygon part
As shown in the figure, the hacker split part of the 365,247 MATIC profit into 7 transfers to Tornado.Cash.
The remaining 25,246.722 MATIC went to address (0x75a…5c1). Tracking this part of the funds, we found that the hacker transferred 25,246.721 MATIC to FixedFloat, which made us wonder whether the hacker would launder the funds on Polygon in the same way.
Let's start with the Tornado: 100,000 MATIC contract, which corresponds to the last three transactions in the figure above. We also found that there are not many addresses withdrawing from the Tornado.Cash contract, so at this point we can analyze them one by one.
Soon we found the first address that looked problematic to us (0x12e…69e). We see the familiar FixedFloat address: not only did FixedFloat transfer MATIC to address (0x12e…69e), but the address that received the funds transferred out of (0x12e…69e) also transferred the MATIC to FixedFloat.
After analyzing the other addresses, we found that they all use the same laundering method, so we won't go into detail here. From the analysis so far, the hacker really does have a preference for FixedFloat, but that also became a handle on him.
BSC part
Let's analyze the BSC part. There are two hacker addresses on BSC; let's look at address (0x489…1F4) first:
The hacker's address transferred 1700 ETH to Tornado.Cash in 17 transactions, and the time range is also fairly consistent. Just when we thought the hacker would repeat the same trick, it turned out not to be the case. Again, after MistTrack analysis and screening, we screened out the addresses matching the timeline and transaction characteristics, then worked through them one by one.
During the analysis, address (0x152…fB2) caught our attention. As pictured, according to MistTrack, this address transferred the ETH it received from Tornado.Cash out to SimpleSwap.
Further analysis found that it is the same medicine in a different bottle: although the hacker changed platforms, the technique characteristics are still similar:
A→SimpleSwap
A→B→SimpleSwap
The other hacker address (0x24f…bB1) deposited into Tornado.Cash in units of 10 BNB.
In the laundering technique of this address, the hacker chose yet another platform, but the technique is still similar. We won't analyze them one by one here.
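As an added illustration (not the article's or MistTrack's code), the following Python sketch encodes the withdrawal-side patterns described above for Ethereum (A→B→FixedFloat, A→FixedFloat) and BSC (A→SimpleSwap, A→B→SimpleSwap): starting from withdrawals out of a mixer pool inside the deposit time window, it walks each withdrawal address forward at most two hops and reports the ones that land on a labelled swap service. The pool and service addresses and the ledger are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int      # block timestamp (unix seconds)
    src: str
    dst: str
    amount: float
# Hypothetical placeholder addresses and labels, not the article's redacted ones.
MIXER_POOL = "0xPOOL_100ETH"
SERVICES = {"0xFIXEDFLOAT": "FixedFloat", "0xSIMPLESWAP": "SimpleSwap"}

def trace_mixer_withdrawals(transfers, pool, services, t_start, t_end, max_hops=2):
    """For each withdrawal from `pool` inside [t_start, t_end], return the forward path
    A->Service or A->B->Service if the funds reach a labelled service within max_hops."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
    hits = []
    for w in sorted(by_src[pool], key=lambda t: t.ts):
        if t_start <= w.ts <= t_end:
            path = _follow(by_src, w.dst, w.ts, services, max_hops)
            if path:
                hits.append(path)
    return hits

def _follow(by_src, addr, after_ts, services, hops):
    """Depth-limited walk forward in time from `addr`; stops at the first service hit."""
    if hops == 0:
        return None
    for t in sorted(by_src.get(addr, []), key=lambda t: t.ts):
        if t.ts < after_ts:        # only outflows after the funds arrived
            continue
        if t.dst in services:
            return [addr, services[t.dst]]
        tail = _follow(by_src, t.dst, t.ts, services, hops - 1)
        if tail:
            return [addr] + tail
    return None
# Constructed sample ledger: A1 -> B1 -> FixedFloat (two txs), A2 -> SimpleSwap,
# A3 goes quiet, A4 withdraws long after the deposit window and is skipped.
SAMPLE = [
    Transfer(100, MIXER_POOL, "0xA1", 100.0), Transfer(130, "0xA1", "0xB1", 99.9),
    Transfer(160, "0xB1", "0xFIXEDFLOAT", 50.0), Transfer(170, "0xB1", "0xFIXEDFLOAT", 49.8),
    Transfer(110, MIXER_POOL, "0xA2", 100.0), Transfer(140, "0xA2", "0xSIMPLESWAP", 99.9),
    Transfer(120, MIXER_POOL, "0xA3", 100.0), Transfer(150, "0xA3", "0xC9", 100.0),
    Transfer(900, MIXER_POOL, "0xA4", 100.0), Transfer(910, "0xA4", "0xFIXEDFLOAT", 100.0),
]
```

Withdrawals that never reach a labelled service (like 0xA3 here) are dropped from the result but remain candidates to revisit once more labels or hops are available.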
Summary
This article started from a real case to analyze how a hacker tried to use Tornado.Cash on different chains to launder stolen funds. The laundering methods are very similar: the main characteristic is that after withdrawing from Tornado.Cash, the funds are transferred to common coin-mixing platforms (FixedFloat/SimpleSwap/Sideshift.ai), either directly or through one layer of intermediate address. Of course, this is only one way of laundering money through Tornado.Cash; more tricks are still waiting for us to find.
To analyze results more efficiently and accurately, you have to use tools. With over 2 billion wallet address labels, SlowMist's MistTrack anti-money-laundering tracking system can identify all kinds of wallet addresses on the world's mainstream trading platforms, such as user deposit addresses, warm wallet addresses, hot wallet addresses, cold wallet addresses, etc. Through the MistTrack anti-money-laundering tracking system, feature analysis and behaviour profiling can be performed on any wallet address, which plays a vital role in anti-money-laundering analysis and assessment and provides strong technical support for cryptocurrency trading platforms and users to analyze address behaviour and trace the source of funds.
Copyright notice: This article was written by [SlowMist Technology]; please include the original link when reposting, thank you. https://netfreeman.com/2022/03/202203211754438115.html