Briefly, in the video: https://www.youtube.com/watch?v=ccjcbADuTjw (Who is the hacker of Nexus Mutual, EasyFi, FinNexus?).
On December 14, 2020, it became known that an unknown hacker stole 370,000 NXM from the wallet of the CEO of Nexus Mutual DeFi.
On April 20, 2021, another hack occurred, but this time, another project called EasyFi DeFi was attacked. In this case, the hacker stole almost 3,000,000 EASY tokens.
On May 17, 2021, the system of the FinNexus DeFi project was hacked, in which the hacker was able to mint FNX tokens in the amount of 323,000,000 FNX and sell them on the open market.
All three of these hacks have an analogy. These hacks were aimed at gaining access to wallets or private keys, which allowed a hacker to gain access to funds. Also, these break-ins were carried out at the same hour.
All the results of our independent investigation that we publish in this article are obtained as a result of our own independent investigation, and these results of the investigation may differ from the official ones.
From the media, we know the ETH addresses that belong to the Nexus Mutual hacker, EasyFi hacker and FinNexus hacker. Now let's take a look at each of their addresses that belong to these hackers.
Let's start in order. The first hack we're talking about is the Nexus Mutual hack, which was carried out in December 2020. The Etherscan block explorer shows several addresses that belong to the Nexus Mutual hacker. But we will focus on one of them, which Etherscan has marked with the name Fake_Phishing4636. This hacker's address has leading digits 0x0adab45946372c2be1b94eead4b385210a8ebf0b.
ETH address 0x0adab45946372c2be1b94eead4b385210a8ebf0b has a direct transaction for address 0x31499E03303dd75851a1738E88972CD998337403 - you need to remember this address:
https://etherscan.io/tx/0xff9c6419ba87235a5fbcbfe85899ba0440abbf5f6e6af078682ec6ac0523bea5
The next address we'll look at is the EasyFi hacker's address. This address is not tagged with Etherscan. But from the media, we know this address is 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37. This hacker address was founded using a deposit transfer from the already known address 0x31499E03303dd75851a1738E88972CD998337403:
https://etherscan.io/tx/0x84dc4924575bae826d50fd8278c307e5b8d2d7cbe05ad52a5e867f2c1aaa340a
Also, the EasyFi hacker's address has an additional direct transaction for 0x31499E03303dd75851a1738E88972CD998337403, which is the last outgoing transaction that the EasyFi hacker performed.
https://etherscan.io/tx/0xeaaabcafafe474cdac5d1f231a790e805fb72d1e27cd6f3e2d90c5635fe61cde
In addition, the EasyFi hacker carried out several direct transactions from the address 0x77BEB16e4DB0686e36dbf01142685275785775Ed:
https://etherscan.io/tx/0xcf99a55af6ee7a3d46f121fe091d2e29720881a72b5876dac25068fb73405ec5
https://etherscan.io/tx/0xb189754f07f00f3e32fbfd3e60f34686afd5209c7ccfe281c7ee5ad5ba514270
as well as additional transactions:
https://etherscan.io/tx/0x4d6d6c5d6231614db587b52d1f8e4d58c8b804032f5ee959344ac47c51b046e6
https://etherscan.io/tx/0x8ecd760060c60cb64520d803774a08c83210aac06a0ebbfcb436a5ffdc7348f5
https://etherscan.io/tx/0xd843d0b9300b1cdc79c0e1280127163794c7df6c87dca06cb128b232779f0291
The address 0x77BEB16e4DB0686e36dbf01142685275785775Ed is also based on the address 0x31499E03303dd75851a1738E88972CD998337403:
https://etherscan.io/tx/0x7d90cbac9ff954555ee9e927598ff5daee9c3396451262fa77c44fab6bda25c0
As we can see, unlike the Nexus Mutual hacker's address, the EasyFi hacker's address is linked not by one, but by several transactions with the address 0x31499E03303dd75851a1738E88972CD998337403. You need to keep on remembering the address 0x31499E03303dd75851a1738E88972CD998337403, as we will meet it many times.
Now we will look at the FinNexus hacker's address. From the media, we know this address - it is the address 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F and it is marked in the Etherscan block explorer. We do not observe direct transactions between the address 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F and the address 0x31499E03303dd75851a1738E88972CD998337403. But there is a connection between these addresses using the intermediary address 0x2Da3a8738c34fFB35182670bcb76Ad722240bcC0. Despite the fact that the hacker diligently tried to hide the address 0x31499E03303dd75851a1738E88972CD998337403 from our eyes, we were still able to find this connection. The FinNexus hacker's main address has a direct transaction with the address 0x2Da3a8738c34fFB35182670bcb76Ad722240bcC0. The address has two outgoing FNX token transfer transactions for address 0x1cE5f1fe7d8543A0046E521302C3A21734309302:
https://etherscan.io/tx/0x0403a2a195c94203ccc36c3a481328b478742bbb390e7ab7debbc44de534abcd
https://etherscan.io/tx/0x84aaa19f5b8bb5ac58047eac0d462bdf9f7631a4d7a2a9c911718dfc35845584
In turn, the address 0x1cE5f1fe7d8543A0046E521302C3A21734309302 has a multiple connection with the address 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A:
https://etherscan.io/tx/0xdc54b9fc18773e04365710ca3f243c47e196218f1855d5d177ec45598c1a838c
https://etherscan.io/tx/0x0403ec450fd3fd3ef1915cbcf0e5a3e3c679b81188399ac09bb7c3bf8ef21f2e
https://etherscan.io/tx/0xffe4d170dd4461a173acaa694dc9220755f0bfcba0883723ef843e7b4569de8d
https://etherscan.io/tx/0x968bd9ead37db5d7c7148ac5c0bd6860032a952f517d180713efeaf8dfd6971f
https://etherscan.io/tx/0x7ef4693769adb3f1ee362ae0c77e695c7fb94ac291da736efd28aee554f7f3f3
In total, this connection has 12 transactions.
Also, 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A received a deposit with Tornado Cash:
https://etherscan.io/tx/0xdf6a5aefaf5dcd44c40b881f1d2c816a560107a9b0fa12a018adf7e7e2a44e1f
This is the address 0xA29bD5815AEA7ac88E9F3AaDd8F477675EDAD404 made a transfer for the address 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A amount, about 1 ETH. For this, 0xA29bD5815AEA7ac88E9F3AaDd8F477675EDAD404 made a deposit for Tornado Cash in transaction:
https://etherscan.io/tx/0x000849cb2a3ab080bbda4fd6f0e41a7d2a35108c3d47a1f91655c7f33feb959f
In turn, the address 0xA29bD5815AEA7ac88E9F3AaDd8F477675EDAD404 is based on the address 0x31499E03303dd75851a1738E88972CD998337403 in the following transaction:
https://etherscan.io/tx/0x7e1878f62be97e245a31b426b191479704fdfcfa3044b51f9a70ef1287489a9c
It also has many direct transactions that you can see:
https://etherscan.io/address/0xa29bd5815aea7ac88e9f3aadd8f477675edad404#tokentxns
(28 transactions in total) and https://etherscan.io/tx/0x61324b4a3624eccf5c69e7fb4292f3f22ccf295d07dbf866679a6c38ce2df0bf .
Address 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A has an outgoing transfer transaction of 124,977.5383 USDT tokens for address 0x860Dc1b24f96F59F4ec25ca439bcB9cDD6c1a7B0:
https://etherscan.io/tx/0xae6a4ec0cf0f70f5b2bcce1149175fc71cb5f4346d3c41beffaab98265e64e68
The address 0x860Dc1b24f96F59F4ec25ca439bcB9cDD6c1a7B0 is associated with the known address 0x31499E03303dd75851a1738E88972CD998337403, with its last transaction:
https://etherscan.io/tx/0x61324b4a3624eccf5c69e7fb4292f3f22ccf295d07dbf866679a6c38ce2df0bf
Likewise, the address 0x860Dc1b24f96F59F4ec25ca439bcB9cDD6c1a7B0 is also associated with the address 0x31499E03303dd75851a1738E88972CD998337403 using the intermediary wallet 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A.
By the way, I would like to say about some strange feature of the address 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F, which belongs to the hacker FinNexus, is that this address, on Etherscan, looks like a normal wallet address, but block explorers such as Bloxy and Bitquery 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F the contract that is created by the address 0x78d147015a9ef3ed9f9011fa394561670dc787cb in the following transaction:
https://etherscan.io/tx/0x47dd577a9ea88215884e5eeda6ec3a8b7200b50377e906f9b7a8a7e5d6a91b9c
Thus, the hacks of the Nexus Mutual, EasyFi and FinNexus projects are related not only by the nature of these hacks, but also by the same address - this is the address 0x31499E03303dd75851a1738E88972CD998337403. This suggests that all of these hacks were carried out by the same hacker (or the same group of hackers).
Now let's try to determine the roots of the already known address 0x31499E03303dd75851a1738E88972CD998337403. Let's try to find the name of the person who owns the address 0x31499E03303dd75851a1738E88972CD998337403.
Address 0x31499E03303dd75851a1738E88972CD998337403 had many mutual transactions with address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912:
https://etherscan.io/tx/0x09d01a209e33e91d77b663eb52b8965f4ec88567df01cc0d00c03a5d89a283ea
https://etherscan.io/tx/0xaa5f8b9d67509a1148f1da6602a4907a8d3354a64af7bd1c2172604fa4b423ac
https://etherscan.io/tx/0xfdd0f75170c0d4bf882a36bcfb84ebe91eb53ad7021fea010d35a25c4317adc0
https://etherscan.io/tx/0xf411e402f3b3d44100592946a173331fad7a7fad2a6f1431a43ccc446331c2b4
https://etherscan.io/tx/0x055d65059df06cc2d5242c5e89e56e4f517cdb6ce101d2dfd247e9b011cac803
https://etherscan.io/tx/0x0d62b86a12c8da051aeea773e3627a2218ebc093928d8cb1828647e59aaf66e8
https://etherscan.io/tx/0xc3a549322212613472facec75215b287e556c4da720f3e2b30c42c6b8e746f66
https://etherscan.io/tx/0xe63b26da1d6a85eb10253401fb3f26b4069d3ce44263006e65df7d55daa8646a
https://etherscan.io/tx/0xd2a05b70d43eb1c2b8abff77f9f61f27cbbb0480aa0a90d376fd75920ad9a797
as well as 9 direct transactions of tokens, which are indicated:
https://etherscan.io/address/0x31499e03303dd75851a1738e88972cd998337403#tokentxns
The total amount of direct mutual transactions between the address 0x31499E03303dd75851a1738E88972CD998337403 and the address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 is 18 transactions (!!!).
In turn, the address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 received its first deposit from the address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B:
https://etherscan.io/tx/0x2a0bf3d67de08e384ee34242f5c45b01c58e7ee289ab6522c559e532d3f01b9f
Address 0x834e6bedc304c4c610557e9ffaf0d4ec310b881b created by address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4 in transaction:
https://etherscan.io/tx/0xd1e99af2a9b3a446eb0387f5c61801ddccafc8f5f211cfebddf581b601979d84
Address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B is associated with multiple transactions with address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4:
https://etherscan.io/tx/0xdfd6869e43d614f014b6d5f0227e85f22ae50bb7d092abbf9c0b93b3f7c6baf5
https://etherscan.io/tx/0xc0059c86d46a5faef8be817e07d4ccaebd1d8149d2ecbdbca7e621ff30e52e76
https://etherscan.io/tx/0xaa6360699863ed640b17c645b4047a2cca4cb4055167342c038ee4d0f567bb7e
https://etherscan.io/tx/0x74fd673304c52f7017819056ef29b8fbdfbe8ba0b74892c4d5e8374222c23a68
https://etherscan.io/tx/0xff2d34c669ec9b8202fae4d26456af800f16077ed2cade4d3a67d3cef769cba2
https://etherscan.io/tx/0xba7047ac9ecee6013f44fd03429e87410d01d43f5a68901c092471722beea586
https://etherscan.io/tx/0x921763e445cca2cd400db20f23391e5c39a204c7f548b67d3a00e8a5559a2c43
https://etherscan.io/tx/0xa42c5e91f312f137d16846dfda2558510280306afb2f8c28104111e8cba18b7e
https://etherscan.io/tx/0xa2a293b2406d2f30e18e4f245dca39beb9ad1c13cf03c753d9eb7de04b496035
https://etherscan.io/tx/0xd1e99af2a9b3a446eb0387f5c61801ddccafc8f5f211cfebddf581b601979d84
https://etherscan.io/tx/0xcb5d44c2a8678e34532c5b2b98be82fbdefad5a837b65f8569706573bb3a7e1c
https://etherscan.io/tx/0xafc27ac6a7201d6d0e801df286c2e72b8f9103c652dde5bee2a33c3d01aad6d8
https://etherscan.io/tx/0xb17cb0896e67187818dd026c5b4b1f3146884bc357d9d59f10c5b91cd8410465
https://etherscan.io/tx/0xbbb691ede2708ed3d79c3a0269a418f78864c8219e9a1849eb1a4491fc4fdb30
as well as 21 direct mutual token transactions:
https://etherscan.io/address/0x834e6bedc304c4c610557e9ffaf0d4ec310b881b#tokentxns
The total amount of mutual transactions between the address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B and the address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4 is 35 transactions (!!!).
Address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4 belongs to Anton Dziatkovskii. Anton Dziatkovskii publicly says that he owns the address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4 in the following sources:
1. https://twitter.com/antondzyatkovsk/status/1391126347682959360 - https://app.poap.xyz/token/108903
2.
https://twitter.com/antondzyatkovsk/status/1388607712355782663 -
https://pay.sablier.finance/stream/4167 (https://pay.sablier.finance/stream/4167/details)
Speaking about the personality of Anton Dziatkovskii, we can say that Anton Dziatkovskii is a developer of platforms for DeFi projects, a developer of smart contracts, is a specialist in the field of security of smart contracts, is a computer specialist, considers himself a white hacker, is a trader, as well as manager of bounty companies for various projects.
Also, Anton Dziatkovskii is a co-founder of the MicroMoney project (https://www.micromoney.io/), director of education for the UBAI project (https://www.ubai.co/). One of the UBAI products is the BTCNext exchange (https: //www.btcnext.io/). Anton Dziatkovskii is a co-founder of the QDAO DeFi project (https://qdefi.io/en). Anton Dziatkovskii is also a member of the NoahCity project team (https://noahcity.org/en). Anton Dziatkovskii is the founder of the Platinum Fund project team (https://platinum.fund/en), which develops platforms for DeFi projects and blockchain solutions. Anton Dziatkovskii is directly related to the development of the SpaceSwap DeeFi project (https://spaceswap.app/) and its possible co-founder. Anton Dziatkovskii is the bounty program manager of the SpaceSwap project (https://bitcointalksearch.org/topic/--5314607) and this can be seen in his bitcointalk profile which has the username Cubus or in the fraud dispute https://bitcointalk .org/index.php?topic=5185188.0.
Now about Anton Dziatkovskii's personal profile (links):
https://www.linkedin.com/in/Anton-Dziatkovskii-47012a95/
https://www.facebook.com/AntonDziatkovskii
https://twitter.com/antondzyatkovsk
BTT url: https://bitcointalksearch.org/user/cubus-1120647
BTT username: Cubus
GitHub: https://github.com/AntonDz
ETH-address: https://etherscan.io/address/0x0aaf72da643570da1bf76e8b3063c3f378b3d3d4
Address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B has a direct transaction with address 0x4664db097caC5E006AC94705D3C778f2aC896AA8:
https://etherscan.io/tx/0xcdfc173671d819852bc988561d97f012bc9077f0b7cba215cd56dac8eccfb876
https://etherscan.io/tx/0x7cae308a78ea346ff12bb2aabec8006bdb102637e175284b50208102eed8b8f9
https://etherscan.io/tx/0x970ae7f65cf0411cafbbcdaa967d00ed9d683a1fe348e79098f0e266c6e7771d
https://etherscan.io/tx/0x34c682332b1cc547464a7792dd1fcc4e95a43fe039fdfd313ec65cf260ec8577
https://etherscan.io/tx/0x83e6fa104fd2eadf061916d8a876875e40fa427915bc12ad22c27fca067eb21a
https://etherscan.io/tx/0x63c2d52a1878d223031752844c159120acd28aa56e83a60ae4642e7da8143f2c
https://etherscan.io/tx/0xb9ebdc1a15a6e65cdec5bf16f356d5966e893813a71798d5a2238b4b2730961d
https://etherscan.io/tx/0x05577efbf0f6b9290453261d2c891aa521aa09a4d0d2237881f0be01aaee7e49
https://etherscan.io/tx/0x0221d3f6f4bb312a923306c600254e0cff9e054459ede48abede99ac12ce4740
https://etherscan.io/tx/0x69692e6a7cd211ad20eac4651372ce2be46bb029520e61467fe29e8ee7abff5d
https://etherscan.io/tx/0x942ed370ed893dda297d9b3f4c60529f8b44f47adc9e1effcf1a4c8a2e1be5ed
https://etherscan.io/tx/0x5d621d6523e2fe87a2f9027ed5aa631761bfe62160b576d1e571b65e26d29d2e
https://etherscan.io/tx/0x16121cdf65d8710146a114081ccd7d1de7d01cff97d9eca33da57c10275ac0d3
and an additional 15 token transactions. The total amount of related transactions between the address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B and the address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 is 28 transactions (!!!). There are also several related transactions using the intermediary address 0xDaEB3B152bE7ac786E79122C4655594e7808587D.
Address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 is associated with Anton Dziatkovskii address 0x0aaf72da643570da1bf76e8b3063c3f378b3d3d4:
https://etherscan.io/tx/0xc75a093e8da8232cda46e64a244d08ea77ef53e3cfd3879c851f24acdef8a06e
https://etherscan.io/tx/0xff9211c8a521f000d9e9f96bf78c5f1630892a7c42f8858aa779dfde9deb54c1
https://etherscan.io/tx/0x9a204b1f662e00747961b31ad6ba858d1b38fbc31f1f8c4cc56e3359d9ca8a86
https://etherscan.io/tx/0x6d4194f76b4dbeac399be2a096684ad4e1347e3928cfb674c339cbc186391d1e
https://etherscan.io/tx/0xba9a9807e2969d5f0d9296426492a38cdcd4e4b8071c64e7d453f7c63b32f4cd
Address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 is associated with address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 (which has made many transactions with address 0x31499E03303dd75851a1738E88972CD998337403, at least two transactions:
https://etherscan.io/tx/0xa6e43e8d7ee9455ebc5291a031548a346fcf4176df41f4201ded66436ab9b115
https://etherscan.io/tx/0xadc4495b302dcb747c7f1db98d79f588ce42ec88369bd653fbfe9e790fdcaaa1
All this means that the overall hacking address 0x31499E03303dd75851a1738E88972CD998337403, which has a lot of mutual transactions with the address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912, in consequence, the two roads meet with the address 0x0aaf72da643570da1bf76e8b3063c3f378b3d3d4, which belongs to Anton Dziatkovskii: first road - with the help of mediation addresses 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B (laid the groundwork for 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 address); the second is through the intermediary address 0x4664db097caC5E006AC94705D3C778f2aC896AA8.
Address 0x4664db097caC5E006AC94705D3C778f2aC896AA8, is associated with address 0x5a6a52a7bf22813882e988135a7d2be805bb0649 by numerous transactions:
https://etherscan.io/tx/0x5b07bf2f9bd2c796621d0960e43623791ed3b97248401b480a7f5cc13188440a
https://etherscan.io/tx/0x741aed055bed684f1149c130f3ebdffe414da3bf4026d002d30c8fa12a179220
https://etherscan.io/tx/0x6e4d6693cee30d4b077489820f32d380913f18810285be608ca3e8d9a0982ed6
https://etherscan.io/tx/0x7b83d4b6d2a93dd0a10420381ebec9b8a2d5791073e0dae799731c2ebf7b0449
https://etherscan.io/tx/0x2128a3d2785868c553d8a82c501239cd246c2ec0acc949710ce2388dd8d2b069
https://etherscan.io/tx/0xf0e6f25433ed29f917761a09d055b87889532f2a9e9f6d2a4f7d91cd9cda590f
https://etherscan.io/tx/0xc22f519e47a86d1429dac5be5cec802fbe2d975a17fe1d9562821a5c41a25261
https://etherscan.io/tx/0x8fb76aeae37295b2ecee24c4d83e7a689162de88eec475a088fdea7c2fc3ae99
https://etherscan.io/tx/0xba49ca3ec1b8abecbe1bb0cb37a72f5632004371a4844bd9b9a80885f3ada3a8
https://etherscan.io/tx/0xbfc65a07cbc1d9160c943622a6c00b9d9f3a0752858ffd0bb94b3e4ecbdeded2
https://etherscan.io/tx/0x6c83d5f6dfcdd80bb3fc4b80c5bb7a0e37ca5a6d35765b5bea5da7567d0514ba
and an additional 58 transactions (https://etherscan.io/address/0x5a6a52a7bf22813882e988135a7d2be805bb0649#tokentxns).
In total, the number of mutual transactions is 69 transactions (!!!).
Address 0x5a6a52a7bf22813882e988135a7d2be805bb0649 is the foundation https://etherscan.io/tx/0x9e872cf2555bd5b07f1420b2195f9e397190971ea928725158ee7103142f801c to form the address 0x71e0d074bb70fdc5345f986e3435117f52afcebb - the creator of a smart contract for QDAO tokens issued by the QDAO DeFi project, where Anton Dziatkovskii is a co-founder:
https://etherscan.io/address/0x3166c570935a7d8554c8f4ea792ff965d2efe1f2
Address 0x71e0d074bb70fdc5345f986e3435117f52afcebb, is the creator of the smart contract for the BNX token, which belongs to the BTCNext exchange, which is part of the UBAI project, where Anton Dziatkovskii is the co-founder.
Address 0x71e0d074bb70fdc5345f986e3435117f52afcebb also cooperates with address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 in transactions.
Address 0x5a6a52a7bf22813882e988135a7d2be805bb0649 also has several direct related transactions with address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2:
https://etherscan.io/tx/0xd016bd35a947a95af6505db3f426b53d9429f21705cd340f29cf96d6bb7d478a
https://etherscan.io/tx/0xf7adf5ff89bb7a00bbaf7dbc81bf8a889f01139766f45756f22615a3bebbbadf
and many transactions with different tokens,
as well as using the intermediary address 0x3c586d0e07f312a180ec46d4c27d831731c41d23 with multiple transactions.
Address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2 also cooperates with address 0x4664db097caC5E006AC94705D3C778f2aC896AA8.
Just address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2, has a direct transaction with the address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B, which is the founder 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 addresses having a plurality of transactions with the common hacker location 0x31499E03303dd75851a1738E88972CD998337403:
https://etherscan.io/tx/0x3084669504ddca7161a0afc35207a961c4870581fa2d1740dc11f5f2ede43322
as well as transactions using the intermediate address 0x3c586d0e07f312a180ec46d4c27d831731c41d23.
Address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2 is the creator of smart contracts for MILK2 tokens (https://etherscan.io/address/0x66d1b01c0fd7c2d8718f0997494b53ff5c485688) and SHAKE tokens (https://etherscan.io/address/0x6006FC2a849fEdABa8330ce36F5133DE01F96189) , which belong to the SpaceSwap project, to which Anton Dziatkovskii has at some direct relation.
Address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2 is the creator of the smart contract for CNYQ tokens (https://etherscan.io/address/0xc541b907478d5CD334C0cbfcB9603b6dac6e9ee3) , JPYQ (https://etherscan.io/address/0x558A069a3A1a1e72398607b9E3577fCe1C67EA63) , which belong to the QDAO DeFi project, Anton Dziatkovskii is a co-founder.
Address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2 is the creator of the smart contract for NOAH ARK tokens (https://etherscan.io/address/0xfce94fde7ac091c2f1db00d62f15eeb82b624389), and tokens NOAHP (https://etherscan.io/token/0x41b3F18c6384Dc9A39c33AFEcA60d9b8e61eAa9F), which belong to the NoahCity project, in which Anton Dziatkovskii is a member of the team.
I would like to note the following that many wallet addresses associated with the EasyFi hacker address 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37 (including some intermediate addresses) have MILK, MILK2, SHAKE, NOAH, QDAO tokens on their balance. Even the address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912, which has many mutual transactions with the well-known common hacker address 0x31499E03303dd75851a1738E88972CD998337403, contains these tokens.
By the way, the address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 has BABYMILK tokens on its balance (smart contract https://etherscan.io/address/0xe00edf07bbab7f9e7a93ffbffdd4c16c5dbc6b03 - BabyMilk TEST token by SpaceSwap v2, at the same time, the address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 takes the #13 place among the holders of these tokens (https://etherscan.io/token/0xe00edf07bbab7f9e7a93ffbffdd4c16c5dbc6b03#balances) . As a rule, such a high rating among the holders is occupied either by the co-owners of the project or by the leading investors in the project.
Also, the address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 (which has a lot of mutual transactions with the common hacker address 0x31499E03303dd75851a1738E88972CD998337403), has a direct link with the address 0x72d49544D17e3C98B0f94D97eE851981279f3aa9:
https://etherscan.io/tx/0x11cf0326b7b0ee31db33231d2b5eac63763d323f065a72bbfe77baf147e90fe7
https://etherscan.io/tx/0x11cf0326b7b0ee31db33231d2b5eac63763d323f065a72bbfe77baf147e90fe7
This address 0x72d49544D17e3C98B0f94D97eE851981279f3aa9 also belongs to the SpaceSwap project, which can be confirmed on the Rarible website page:
https://rarible.com/spaceswap
https://coinranking.com/ms/nft/a0a0d045cc-rarible-fallen-puppet
By examining the block conductors, we can determine where the Nexus Mutual hacker sent funds:
1. Transaction to convert renBTC to BTC https://etherscan.io/tx/0xd0b498293d36e2f264b377d3cfec5d1701a92808f0f7580881f6459a6e9c0062 got an exit in a transaction https://www.blockchain.com/ru/btc/tx/75e7645350615dcb1526010af5c9ca264f962136dec83e11120056ff66d579f0. So this is the BTC address bc1qmyxuldmsec6xm7gm7dnmmth4lz776tr5mtluvp followed by outgoing transactions.
2. . Transaction to convert renBTC to BTC https://etherscan.io/tx/0xfdd36a0c510bb7acf66ab3f42f8682eae563f52767f8a897d03f087426f683c0 got an exit in a transaction https://www.blockchain.com/ru/btc/tx/b59fd9206d1e81e520c5000e60907a7c2ba730d18f34b488ea60f29c718886bc . So this is the BTC address bc1q6qsnqt98g3aggqy6adlpxkgngughwc66f93dve followed by outgoing transactions.
3. Transaction to convert renBTC to BTC https://etherscan.io/tx/0xe6c87c15e0f71640cb61be417a651a532b7321a12b2022203f6a16f2f3f64e4f got an exit in a transaction https://www.blockchain.com/ru/btc/tx/a3191751822b488aed9be4712992271dfd51ff71f1a4f1c40df23c6e559b7894 . Hence, this is the BTC address bc1qun448hv5cudqlwrmghju58jnprkguy48emtj8a with subsequent outgoing transactions.
By examining the block conductors, we can determine where the EasyFi hacker sent funds:
1. Transaction to convert renBTC to BTC https://etherscan.io/tx/0x2e575a4f490423bd49d79cce9a5f5b6067fb3aabcdd695ee9caa8fd91193d1c0 got an exit in a transaction https://www.blockchain.com/ru/btc/tx/f0dafd9b6377bc2ed4899ab8a982ca23ce30b2c3f217e13f86a2e49a450397bc . So this is the BTC address bc1qfl085d0fxy8s6grja5qf8cgqvx8w94ufaygg9y with subsequent outgoing transactions.
2. Transaction to convert renBTC to BTC https://etherscan.io/tx/0xf3932eb7ae1a0ad8c74b9e05e5b2a81333576e69d798805f06e816724596c077 got an exit in a transaction https://www.blockchain.com/ru/btc/tx/e0d56ea73302b422b1f377e297f9581f133924fb1db5ceb7847ff22c80a8b956 . Hence, this is the BTC address 17WFZENdcgkCvVjENQWJnqwXyiCkgTdGbi with subsequent outgoing transactions.
3. Transaction to convert renBTC to BTC https://etherscan.io/tx/0xf4316088f83c541027feaea0fdf798a844eda364ef7c965c9625d58da43ba30c got an exit in a transaction https://www.blockchain.com/ru/btc/tx/c2949b10e22c3a235c08f2b78c6c839ea8955a5e89c69232627b31f77636f967 . Hence, this is the BTC address 1395hgVUB2P7yv145sRbt6Ykbi3qargnoD with subsequent outgoing transactions.
4. Transaction to convert renBTC to BTC https://etherscan.io/tx/0x6cb20a995a7e722622d8648f7853b550fa04dae4f8fe5d9625f19025159a1d3c got an exit in a transaction https://www.blockchain.com/ru/btc/tx/47d23bd06022cdafa62f038cf2b9e0b912d0ec0b1da884252ce67dbb8f8a3bd4 . Hence, this is the BTC address 1DzGYwnUKu9ukGBKm8kTvoezjfCQ2qLwYr with subsequent outgoing transactions.
By examining the block conductors, we can determine where the FinNexus hacker sent funds:
At the time of this writing, the FinNexus hacker has only made a deposit for Tornado Cash:
https://etherscan.io/tx/0xdfff5f1f94045f87569eca8100393861d847fb558115031aec4173b1dd9b5df4
We can see the exit from Tornado Cash in the transaction:
https://etherscan.io/tx/0xa0346bf9cdb454e3e59fcd969ef351297f4850629d806f75992841a700b8b63a
This means ETH-address 0x996f5CcbF2856137744603b382dE559b78a096fC is the recipient to whom the FinNexus hacker sent 10 ETH using Tornado Cash.
Next, 0x996f5CcbF2856137744603b382dE559b78a096fC sent 3 ETH for address 0x487927e4c49ac6e03d0168dade4a400017197c65 in the transaction:
https://etherscan.io/tx/0x4cfd671ba3c6b376c9b56573f9727d3ae74155621e099b097bfc35ef5ecd4097
Address 0x487927e4c49ac6e03d0168dade4a400017197c65 created 2 smart contracts:
- He created a smart contract 0x2dd4bffd9d4fc1fd48cca3b1e83d96ece4b51460
(https://etherscan.io/tx/0xd476c5eef7664c38cb77d5dfe54295c64ac7a19f6bc020920fcdd825b1f0bc68)
- He created a smart contract 0x3c690e31359f83d7b82cbf105d9b71e813f016bb
(https://etherscan.io/tx/0x0e117c3fbedbd8bd3cb549daa2fdeefa90bea46bc51632e1fb05caf296b6ca37)
Both of these smart contracts are created to interact with smart contract 0x606246e9ef6c70dcb6cee42136cd06d127e2b7c7:
https://bloxy.info/graphs/0x3c690e31359f83d7b82cbf105d9b71e813f016bb
https://bloxy.info/graphs/0x2dd4bffd9d4fc1fd48cca3b1e83d96ece4b51460
Smart contract 0x606246e9ef6c70dcb6cee42136cd06d127e2b7c7 belongs to the Bondly project (DeFi) https://www.bondly.finance/.
I doubt the hacker is going to start some kind of fair play by making a simple tranche with Tornado Cash where he can be traced. Maybe now the hacker has chosen a new victim for a new hack and this victim may be the Bondly Finance project
