
Deribit

Date:: November 2nd, 2022

Amount Stolen:: $28,000,000

Tags:: 🍎 Applejeus


Details

Access control issue. The hot wallet's private keys were compromised, which led to a loss of roughly $28,000,000 USD.

Deribit is a cryptocurrency derivatives exchange. The exchange's hot wallet private keys were compromised on both the Ethereum and Bitcoin chains.

The total funds lost are:

  • 9,111 ETH ($14.2M)

  • 691 BTC ($14.1M)

Client assets and cold addresses were not affected, and the company said on its official Twitter account that it would cover the loss.

On-Chain

Theft Addresses:

  • 0x8d08aAd4b2BAc2bB761aC4781CF62468C9ec47b4
  • 0xb0606F433496BF66338b8AD6b6d51fC4D84A44CD (sends 1610 ETH to Tornado Cash)
  • 0x3089df0e2349FaeA1c8Ec4A08593C137DA10Fe2D (sends 7500 ETH to Tornado Cash)
  • bc1q2dequzmk5vk8nmmrata8nq4y0zgqn4vc0n2h8y
  • bc1qw5g8lw4kzltpdcraehy2dt6dqda8080xd6vhl4kg4wwsypwerg9s3x6pvk
  • bc1qntnzayma2rg2l28e8469dgxrjz2sym2dhqh3gk
  • bc1qxuc07a52s36x3z638pysgp0m4dr0fyj3e95rmh95j42dexmrvp2srr4y3t
  • bc1qywkvwnwd4hm4qsxc44qzyxmt3eetw5d6ka6x09 (Sinbad, Oct 30 2023)
  • bc1qxvkkl39xjfg7qvcqyf7qknpkctpn95r3n9kftm (Sinbad)

Tornado Cash Withdrawals (address, amount, date):

  • 0x86fab5bb2d7e9c6c6306e5f2592d2b8197500184 500 2022-11-07
  • 0x9361504d506fa4d698f7f170ac12af9b0494b57c 300 2022-11-07
  • 0x919cc60e5d7160b4c9ae9573ac35ceffd4a4a5c1 400 2022-11-09
  • 0x4b481f949573be546c812ac1ef7591e703922414 600 2022-11-09
  • 0xe7dc8b738d42e0c036a51cbd547bd59c73d9d413 300 2022-11-09
  • 0x0dd33923e608ffdf617b9e73d55125de8962907e 400 2022-11-09
  • 0x224450824c591a91eebd9bc85e6187909f29ea8d 400 2022-11-10
  • 0x899ededf3de6c1a4f9338604eaaf3976ee315575 300 2022-11-10
  • 0x9d60ed2197445fd5180fe69b2d29ba7ade21610f 500 2022-11-11

URLs

Defendant Property:

On or about November 1, 2022, NKCA stole virtual currency worth approximately 28 million dollars from COMPANY-1 and laundered it through decentralized virtual currency exchanges, a mixing service, and virtual currency bridges. The Defendant Property is traceable to the November 2022 hack and theft from COMPANY-1.

Laundering Stage 1

NKCA stole COMPANY-1’s virtual currency on the Ethereum blockchain (both USDC and ETH) valued at approximately $14 million and sent it to virtual currency address 0x8d08aad4b2bac2bb761ac4781cf62468c9ec47b4 (0x8d08aa). NKCA then converted stolen USDC tokens to ETH, the native coin of the Ethereum blockchain, through a decentralized exchange. This meant that the NKCA (and/or their money laundering co-conspirators) now had only ETH to launder, not ETH and USDC. Money launderers attempt to convert centrally managed assets, such as USDC, to those that are decentralized to make it harder for law enforcement to freeze and seize the assets. The stolen ETH, amounting to approximately 9,109 ETH, was then transferred to Ethereum address 0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd (0xb0606f) and to Ethereum address 0x3089df0e2349faea1c8ec4a08593c137da10fe2d (0x3089df). The NKCA then transferred from 0xb0606f and 0x3089df the approximately 9,109 ETH to Tornado Cash, an Ethereum-based virtual currency mixing service, on or about November 5 and November 7, 2022.

Laundering Stage 2

Tornado Cash is a mixing service that operates on the Ethereum blockchain. Users of Tornado Cash can only deposit ETH into Tornado Cash via different “pools” that allow for transfer in increments of 0.1 ETH, 1 ETH, 10 ETH and 100 ETH. On or about November 5, 2022, and November 7, 2022, the NKCA initiated approximately 90 transfers of ETH, or 9,000 ETH, into the Tornado Cash 100 ETH pool.

  1. Although mixing services are used to obfuscate the trail of funds, law enforcement can sometimes trace the funds in and out—as they did here. In reviewing withdrawals made during November of 2022 from the Tornado Cash 100 ETH pool, law enforcement observed various connections among seventeen different Ethereum addresses (the “Tornado Cash Withdrawal Addresses”).6 These connections, as further described below in “Laundering Stage 3,” included (1) the timing of transfers (some within minutes of each other), (2) the use of the same virtual currency cross-chain bridging services (such as Celer Network Bridge and SWFT.pro), (3) stolen funds being transferred to the same blockchain (the Tron blockchain), (4) certain transaction fees being funded by the same address, and (5) virtual currency on the Tron blockchain being sent to the same consolidation address, TCxWVTbtoqLbthFrdyyJ6cV8aK5UXXBnbS (TCxWVTb). The Tornado Cash Withdrawal Addresses received 78 withdrawals from the Tornado Cash 100 ETH pool (or 7,800 ETH) beginning on or about November 7, 2022.
  1. The deposits into the Tornado Cash 100 ETH pool that funded the 7,800 ETH received by the Tornado Cash Withdrawal Addresses would have been deposited within seven days of the withdrawal. An analysis conducted by the FBI of all deposits into the Tornado Cash 100 ETH pool from on or about November 1, 2022, to November 7, 2022, revealed that 75 percent, or approximately 9,000 ETH of the total approximately 12,000 ETH, were traced back to funds stolen from COMPANY-1 and laundered as described in Laundering Stage 1. The other approximately 25 percent - approximately 3,000 ETH of the approximately 12,000 ETH - represented funds from other Tornado Cash users who sought to have their funds mixed. Based upon the analysis of deposits and withdrawals into the Tornado Cash 100 ETH pool described above, the 7,800 ETH received by the Tornado Cash Withdrawal Addresses were funded by COMPANY-1 stolen funds described in Laundering Stage 1.
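As an added illustration (not part of this page or of the complaint quoted above), the following Python script models the tracing reasoning of Laundering Stages 2 and 3 on constructed data: a fixed-denomination mixer pool, the look-back window for the deposits that could have funded a withdrawal, the tainted share of those deposits, and union-find clustering of withdrawal addresses that share a gas funder or a consolidation address. Every address, date and count in it is made up; the 75 percent figure it reproduces is by construction, not a result derived from the real ledger.

```python
"""Mixer-withdrawal tracing heuristics on constructed sample data.

Mirrors the reasoning in Laundering Stage 2 (fixed 100 ETH notes, deposits
within a look-back window, tainted share of those deposits) and Stage 3
(withdrawal addresses linked by a shared gas funder or consolidation address).
All addresses and amounts are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

POOL_DENOMINATION = 100  # the pool only accepts notes of exactly 100 ETH


@dataclass(frozen=True)
class Deposit:
    sender: str
    day: date
    tainted: bool  # sender already traced back to the theft in an earlier stage


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    day: date


@dataclass(frozen=True)
class Downstream:
    """Features observed for a withdrawal address after it left the mixer."""
    address: str
    gas_funder: str     # address that paid its transaction fees (hypothetical)
    consolidation: str  # address its funds were ultimately sent to (hypothetical)


# Constructed sample: 9 tainted 100 ETH deposits and 3 clean ones.
DEPOSITS = [Deposit(f"0xthief{i:02d}", date(2022, 11, 5), True) for i in range(6)]
DEPOSITS += [Deposit(f"0xthief{i:02d}", date(2022, 11, 7), True) for i in range(6, 9)]
DEPOSITS += [Deposit(f"0xother{i}", date(2022, 11, 1), False) for i in range(3)]

WITHDRAWALS = [
    Withdrawal("0xwd_a", date(2022, 11, 7)),
    Withdrawal("0xwd_b", date(2022, 11, 9)),
    Withdrawal("0xwd_c", date(2022, 11, 9)),
    Withdrawal("0xwd_d", date(2022, 11, 10)),
]

DOWNSTREAM = [
    Downstream("0xwd_a", gas_funder="Tfunder1", consolidation="Tconsol1"),
    Downstream("0xwd_b", gas_funder="Tfunder1", consolidation="Tconsol2"),
    Downstream("0xwd_c", gas_funder="Tfunder9", consolidation="Tconsol2"),
    Downstream("0xwd_d", gas_funder="Tfunder5", consolidation="Tconsol5"),
]


def candidate_deposits(withdrawal, deposits, lookback_days=7):
    """Deposits made within lookback_days before (and including) the withdrawal day."""
    earliest = withdrawal.day - timedelta(days=lookback_days)
    return [d for d in deposits if earliest <= d.day <= withdrawal.day]


def tainted_share(withdrawal, deposits, lookback_days=7):
    """Fraction of ETH in the candidate deposits that came from a tainted sender.

    Because every note is the same size, amounts carry no signal; only the
    proportion of tainted notes in the window does.
    """
    cands = candidate_deposits(withdrawal, deposits, lookback_days)
    if not cands:
        return 0.0
    tainted_eth = POOL_DENOMINATION * sum(d.tainted for d in cands)
    return tainted_eth / (POOL_DENOMINATION * len(cands))


def cluster_withdrawal_addresses(downstream):
    """Group withdrawal addresses that share a gas funder or a consolidation address.

    Union-find over the 'same feature' relation; returns groups, largest first.
    """
    parent = {d.address: d.address for d in downstream}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_feature = defaultdict(list)
    for d in downstream:
        by_feature[("gas", d.gas_funder)].append(d.address)
        by_feature[("consol", d.consolidation)].append(d.address)
    for addrs in by_feature.values():
        for other in addrs[1:]:
            union(addrs[0], other)

    groups = defaultdict(set)
    for d in downstream:
        groups[find(d.address)].add(d.address)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for w in WITHDRAWALS:
        print(w.recipient, w.day, f"tainted share {tainted_share(w, DEPOSITS):.0%}")
    print("linked groups:", cluster_withdrawal_addresses(DOWNSTREAM))
```

The look-back window matters: a withdrawal on November 7 sees all twelve sample deposits (share 0.75), while one on November 9 no longer sees the clean November 1 deposits (share 1.0). The clustering is transitive, so an address that shares only a consolidation address with one peer and only a gas funder with another still lands in the same group, which is the chain of links the complaint describes.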

Laundering Stage 3

  1. As described above, once the stolen funds were withdrawn from Tornado Cash, the NKCA (and/or their money laundering co-conspirators) used a variety of services to convert the stolen funds to USDT on the Tron blockchain. These transfers occurred in three different waves, separated by assets being frozen by law enforcement.

Wave 1

  1. Seven of the 17 Tornado Cash Withdrawal Addresses received approximately 3,000 ETH of the approximately 7,800 ETH described in Laundering Stage 2. Through intermediary Ethereum addresses, these seven Ethereum addresses converted this approximately 3,000 ETH to USDT on the Ethereum blockchain. Between on or about January 6, 2023, and January 20, 2023, this USDT on the Ethereum blockchain was transferred to USDT on the Tron blockchain via SWFT.pro, a cross-chain bridging service. This stolen USDT was received by seven different Tron addresses. These Tron addresses were all funded by TRX, the native token on the Tron blockchain, from the same Tron address, TVaV2BBs8tpthbp19QAy7ibmXLoYsomKDD (TVaV2BB), for the purpose of paying gas fees.7 These seven Tron addresses then transferred USDT to seven different

Wave 2

  1. After the above USDT was frozen, the NKCA modified their techniques for converting stolen assets to USDT on Tron. Beginning on or about February 27, 2023, five of the Tornado Cash Withdrawal Addresses transferred approximately 3,100 ETH to five different Ethereum addresses. These transfers all occurred within approximately 10 minutes. The majority of these funds were ultimately transferred to the Tron blockchain, many times after utilizing multiple cross-chain bridges, including SWFT.pro and Celer Network. The movement of stolen funds in this manner represents laundering activity because the use of multiple services in this way is an attempt to obfuscate the location of the stolen funds.
  1. Stolen funds from the five Tornado Cash Withdrawal Addresses described above were transferred, by the techniques described above, to approximately thirty-two different Tron addresses. Many of these stolen funds were sent to the same consolidation address which received the stolen funds in Wave 1 and described above, TCxWVTb.
  1. Between on or about March 22, 2023, and March 29, 2023, two of the thirty-two Tron addresses were frozen

Wave 3

  1. After funds were frozen as described in the paragraph above, the NKCA again modified their techniques for laundering stolen funds. The FBI has not been able to freeze any assets through Wave 3, however, the following facts are included herein to further show the connections between the Tornado Cash Withdrawal Addresses laundered through Wave 1 and Wave 2.
  1. From on or about April 27, 2023, to May 8, 2023, stolen funds that were received by the final five Tornado Cash Withdrawal Addresses were transferred to approximately 14 different addresses on the Tron blockchain. These transfers occurred in the same pattern as described above, utilizing Celer Network Bridge to different blockchains before being transferred to Tron through the SWFT.pro cross-chain bridge. Many of these funds were sent to the same consolidation address on the Tron blockchain, TR6RGkw4aMAUgTTMmCrNLA41urrLBLH3BF (TR6RGkw). TR6RGkw received funds from one of the Tron addresses that received funds during the second wave of laundering described above. Additionally, TR6RGkw sent approximately 628,320 USDT to TCxWVTb, which was the same consolidation address utilized in the first two waves of laundering described above. No assets were frozen during Wave 3.

  • TQdNvhGKQtVKNhBSJ1xbisxiNxUCgPBzCM
  • TEGTuvMgEMcLP21GLa3XUCSsgZn4pbgggw
  • TWcfg4q4wH36J5R4Au8KnPFrxcrQd1YenP
  • TWXhVnNi4bUiii7g13YyWQuR1gacsp2mno
  • TF3JRez3XpJJYDCJ4hPtA1BTyxRurYsHTd - 267,002 USDT
  • TBABZTh7p3tZGMnMefQkjqZuuyQK4iBCkS - 504,883 USDT
  • TFeDK4Wea8ciDLaUe5W2QRSw9WvSqzV4p2 - 794,636 USDT
  • TT8WVp65uEJM4xdAkx2hJerQX5moeZYUEw - 90,408 USDT
  • TN6iW22qfXM2c6L8amCvcGx3WcvTShvbMP - 37,464 USDT

  • US Forfeiture - Deribit Funds