Author

Topic: The stupid 307 BTC hacker (Exmo exchange) (Read 112 times)

newbie
Activity: 26
Merit: 4
July 25, 2021, 04:06:01 PM
#10
Thanks for all the additional information, it does seem highly unusual that someone would go through all that manual obfuscation only to link his final spend into an exchange (Binance, for that matter) with unspent outputs from the original. Suppose no one's immune from noob mistakes, probably did a sweep from the wrong wallet.

This was just one example. He did several mistakes. Moving the coins from address to address in long chains and then crossing the chains which isn't smart. And there are a lot of little side transactions to exchanges. This might come from the fear that higher amounts attract more attention.
I think the idea is that nobody can follow this up in 200 steps depth in the blockchain because there are billions of paths. But I analysed patterns of these kinds of obfuscation behavior. They are totally different from a normal random transaction chain with 200 steps.

newbie
Activity: 26
Merit: 4
A bit too lazy to look this up but couldn't you at least show some links or give us the address to look at? You'd have probably taken care to do this had this been your own findings, but then my first Google search didn't show anything about this, so assuming this is new and hasn't made it rounds to English-speaking channels yet. So come on, don't be shy. Share.

P.S. Make up your mind. Is this "hacker" stupid or cunning?

1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq is the BTC address where the hacker collected the stolen funds first. The findings are from myself. I think he is a cunning hacker but stupid in hiding his traces ;-)
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
Thanks for all the additional information, it does seem highly unusual that someone would go through all that manual obfuscation only to link his final spend into an exchange (Binance, for that matter) with unspent outputs from the original. Suppose no one's immune from noob mistakes, probably did a sweep from the wrong wallet.

Albeit a "dent" in anyone's life, it seems that the attack "only" represents about 6 % of the company's total assets[1]:

Still a significant hit, given how many big corporations stutter if they just lose one month of output. Fine margins. But I guess Binance would be happy to play hero and return this all to Exmo.
sr. member
Activity: 2268
Merit: 275
I went by their website  to see if they already had some more recent news regarding the incident but sadly the latest one (regarding this subject) was from 23-12-2020[2]:
Quote
Our investigation is ongoing, and we are taking all necessary and precautionary measures to prevent such incidents from reoccurring.
Just a note though, this wasn't just limited to BTC[3]:
Quote
In terms of units, 292 BTC (about $6.5 million) has been stolen, and transactions of another 18.5 BTC ($415,000) are waiting to get confirmed in the Bitcoin mempool, said Igamberdiev. The rest of the units include 867 ETH (about $521,900), 476,521 XRP (about $247,700), 20,651 ETC ($126,800), 50,000 USDT ($50,000) and 39,285 ZEC ($2.7 million).
For anyone curious here's the address on Blockchain : https://blockchair.com/bitcoin/address/1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq

The balance was drained to 0, and he's got quite a lot of transactions recorded, mostly limited to 1 address which I assume was then sent to another one (probably some mixer I assume).


While it is still in the investigation stage, it will be very difficult if until now Exmo's clients are still waiting for a decision. I'm not too sure when the investigation took place linking various addresses where the transaction had been carried out would trigger the investigators to feel confused to the point of spending huge fees to pay VIP investigators.
What's more, the theft that took place was almost 2 years old, which meant they really couldn't find any traces that led to the light.
copper member
Activity: 166
Merit: 3
TheStandard.io
hacker scam but no different from a fool. Although I have transferred a lot of transactions up to 207 times, every time I remember the tx, I just need to track the conversion and the last time if I transfer it to the KYC wallet, it will still be detected.
legendary
Activity: 1148
Merit: 3117
I still don't understand if this is just a rant about how the hacker stole BTC from Exmo's clients, or a rant to the "stupidity" of the hacker that at the 207 transaction managed to trick himself into ruining his previous work - either way I would just like to say that you can't assume people know about all the hacks that are made against exchanges (let alone smaller ones). I was able to find some information while googling this "hack", and according to Exmo themselfs [1] here's the main address:
Quote
We have detected that some amounts of BTC, XRP, ZEC, USDT, ETC and ETH have been withdrawn to the hackers’ private addresses on December 21st, 2020 between 00:00 – 10:00 AM, UTC. Currently, almost the entire amount of stolen BTC is stored on the following BTC wallet: 1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq
Albeit a "dent" in anyone's life, it seems that the attack "only" represents about 6 % of the company's total assets[1]:
Quote
Compromised due to the hack amount makes up around 6% of the company’s total assets. We don’t believe it could somehow affect a going concern basis for EXMO. The company’s policy is to store around 5-10% of all its assets on hot wallets to enable fast withdrawals for users and limit potential losses from the hacks. At the moment of the hack, there was approximately 5-10% of BTC on a withdrawal wallet according to the internal rules.
I went by their website  to see if they already had some more recent news regarding the incident but sadly the lastest one (regarding this subject) was from 23-12-2020[2]:
Quote
Our investigation is ongoing, and we are taking all necessary and precautionary measures to prevent such incidents from reoccurring.
Just a note though, this wasn't just limited to BTC[3]:
Quote
In terms of units, 292 BTC (about $6.5 million) has been stolen, and transactions of another 18.5 BTC ($415,000) are waiting to get confirmed in the Bitcoin mempool, said Igamberdiev. The rest of the units include 867 ETH (about $521,900), 476,521 XRP (about $247,700), 20,651 ETC ($126,800), 50,000 USDT ($50,000) and 39,285 ZEC ($2.7 million).
For anyone curious here's the address on Blockchair : https://blockchair.com/bitcoin/address/1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq

The balance was drained to 0, and he's got quite a lot of transactions recorded, mostly limited to 1 address which I assume was then sent to another one (probably some mixer I assume).


[1] https://info.exmo.com/en/notifications/security-incident-report/
[2] https://info.exmo.com/en/notifications/security-update-further-steps/
[3] https://www.theblockcrypto.com/post/88692/crypto-exchange-exmo-hacked
sr. member
Activity: 1848
Merit: 341
Duelbits.com
So where do I find that information for sure and reviewable? as @buwaytress said, you've at least included some evidence, so it's not just an assumption or some accusation that we haven't found in any media. it would be helpful if you included the thief's address and proof of transaction at least the first transaction so as to link to the Binance Exchange. because without a reference we do not dare to respond and comment too far.
hero member
Activity: 1764
Merit: 696
[Nope]No hype delivers more than hope
-snip-

This is what I found, posted in a short space of time. I think the op wrote his own thoughts, idk.
OP's post refers to the Exmo exchange hacking case that occurred last year, this is the stolen btc https://blockchair.com/bitcoin/address/1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq.

Actually the total loss is more than that according to this article. It makes sense that the hunt for hackers is taking longer (7 months) and hasn't been closed yet. No recent news found regarding the OP's post, maybe he got the info from "insiders".
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
A bit too lazy to look this up but couldn't you at least show some links or give us the address to look at? You'd have probably taken care to do this had this been your own findings, but then my first Google search didn't show anything about this, so assuming this is new and hasn't made it rounds to English-speaking channels yet. So come on, don't be shy. Share.

P.S. Make up your mind. Is this "hacker" stupid or cunning?
newbie
Activity: 26
Merit: 4
The cunning 307 BTC hacker of exchange Exmo is far from being able to escape undetected with the captured Bitcoin. Although the hacker tried to obfuscate the origin of bitcoin through hundreds of transfers, it is easy to prove that he deposited 15.7 BTC after 207 transactions on the Binance exchange on February 26, 2021. How is this possible?

Manually created BTC obfuscation transaction chains have a significantly different pattern than chains created by natural transactions in the blockchain. And the fraudster made the additional mistake of using the bitcoin in the 207th step together with other unspent outputs from the heist in a common transaction. The 207 obfuscation transactions were thus completely useless for the scammer, only the miners enjoyed the transaction fees.

This is just one of many mistakes the fraudster made. The next logical step for Exmo is to use the analysis results to freeze the fraudster's crypto assets on the involved exchanges.
Jump to: