The tale of the one and only hack of the world’s largest crypto exchange is back in the news, as hackers began their task of laundering the 7,074 Bitcoins that were stolen back in early May from Binance. Coinfirm, a crypto analytics firm, has been keeping tabs on the various addresses where these coins, now valued at over $83 million, have been stashed. Per their latest report, the funds are on the move again.
If there is one immutable trait of the Bitcoin blockchain, it is that it is public and can be followed by analytical firms like Coinfirm, by law enforcement investigators, and even by common citizens like you or me, if we know where and how to use the tools that are readily available. As the Binance tale unfolds, however, we are learning that there are many technical avenues crooks can use to disguise their actions and pull the wool over the eyes of those intent on following their money laundering schemes.
On one sad morning in May, the management team at Binance was shocked:
“We have discovered a large scale security breach today, May 7, 2019 at 17:15:24. Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info.” As we further reported on the unfolding story: “This breach was actually the first for Binance, which disclosed that the cyber-crooks had targeted the company’s ‘Hot Wallet’, which contained 7,000 Bitcoins. The crooks also must have been extremely patient, waiting for the best possible moment to abscond with the funds.”
Luckily for Binance, the loss was covered by an internal insurance fund that had been set up for just this kind of contingency. Authorities now have more information and analytical techniques to follow hacked funds, a process that reveals the technical underbelly of blockchain technology. Firstly, Chainalysis, another crypto analytics firm, analyzed previous hacking events to determine that hackers fell into two distinct personalities – “Alpha” tended to move money quickly out of the system, while “Beta” chose to wait until publicity died down.
We appear to have a “Beta” group associated with the Binance hack, if the three-month delay is any indication. Chainalysis also described a “Beta” hacking group as “a smaller and less organized heavily sanctioned organization heavily focused on the money.” Of more importance, however, is the process that ensues: “In a typical money-laundering technique, each group would “layer” fund transfers multiple times, on average 5,000 times, before cashing in their stolen tokens”.
The latest fund movements seem to follow this storyline, but they are the second phase, which follows an earlier consolidation. A day after the original hack took place, the 7,074 BTC in question were relocated again. The initial outflow in nearly its entirety went to what are called “native Segregated Witness” addresses, 21 in number, while minimal amounts went to 23 other addresses, possibly for testing purposes.
Investigation has shown that these funds were then moved to 7 addresses, six with 1060.6 BTC each, and one with the remaining 707.1. This last amount was moved again in early July to two new, separate addresses. Oddly enough, one of the transactions was for only 1 BTC. Also of note is that other major exchanges, i.e., Coinbase, Poloniex, Kraken, and Huobi, immediately moved to “freeze” the minimal amounts of funds that had been transferred to their respective exchanges.
One technical term begs explanation: “native Segregated Witness”, or “SegWit”. The SegWit upgrade to the Bitcoin protocol occurred in 2017 and allowed for greater scalability and faster transaction processing times. Each transaction in a block is 1 MB, much of which is the signature or “Witness” portion. By removing the signature and making it available elsewhere, transactions take up less space. SegWit addresses are identifiable as such and give the money launderer quicker processing times when needed.
The recent coin movements involve only 6.5 BTC or about $76,000. Roughly $70,000 went to Kraken, with the remaining small bits going to Huobi, BitX.co, BTC-Alpha, CoinGate, and BitPay. Observers again believe the crooks are testing the various exchanges to see which ones detect and freeze these small amounts before the larger amount is layered. In any event, the smaller exchanges are unregulated and may not pose any threat of detection for the crooks.
There is, however, one more unique technical “twist”. The 6.5 BTC went to wallet addresses owned by ChipMixer, a well-known Bitcoin “tumbler” in the UK. According to one source: “A crypto tumbler or mixing service is a service offered to mix potentially identifiable or “tainted” cryptocurrency funds with others, so as to obscure the trail back to the fund’s original source”. The process improves upon existing anonymity. Observers have called for these sites to be classified as illegal, since they provide a protective cover for illicit activities and hinder law enforcement efforts.
Once again, the “bad guys” are testing out what is claimed to be the “best mixing service” in Crypto-Land, but it appears that Coinfirm had no problem tracking the flows down to their destination address. The problem, however, is that ChipMixer has already deposited new BTC in addresses that cannot be immediately detected. The crooks are now free to split, withdraw or transfer their loot at will, with no prying eyes peering over their virtual shoulders.
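To make the tracing described in the preceding paragraphs concrete, here is an added example (not the article’s code, and not Coinfirm’s or Chainalysis’s method) that replays a constructed ledger resembling the hops described above: the consolidation into new addresses, a small test deposit to an exchange, and a mixer hop that pools the coins with unrelated funds. It propagates taint from the hacked hot wallet pro rata and lists which labelled exchange addresses hold tainted coin; every address, amount and label is constructed for the example.

```python
from collections import defaultdict

# Constructed sample ledger, not real chain data. Each entry is
# (txid, inputs, outputs); inputs and outputs are (address, btc) pairs.
LEDGER = [
    # the hack: hot wallet emptied into two native-SegWit addresses plus a probe
    ("t1", [("hot", 7074.0)], [("sw1", 4000.0), ("sw2", 3073.0), ("probe", 1.0)]),
    # consolidation hop: the SegWit addresses are merged into two new ones
    ("t2", [("sw1", 4000.0), ("sw2", 3073.0)], [("c1", 6365.9), ("c2", 707.1)]),
    # small test deposit to an exchange, with the remainder going to change
    ("t3", [("c2", 707.1)], [("kraken_dep", 5.0), ("c3", 702.1)]),
    # mixer hop: tainted coins are pooled with an unrelated clean deposit
    ("t4", [("c3", 702.1), ("clean", 1000.0)], [("out_a", 1000.0), ("out_b", 702.1)]),
]
# Assumed address labels an analytics firm would maintain (constructed).
LABELS = {"kraken_dep": "Kraken"}


def propagate_taint(ledger, seed, seed_btc):
    """Return (tainted, balance) dicts of BTC per address after replaying ledger.

    Pro-rata ("haircut") rule: every output of a transaction inherits the taint
    fraction of the whole input pool, so mixing with clean coins dilutes the
    taint across all outputs but never removes it.
    """
    balance = defaultdict(float, {seed: seed_btc})
    tainted = defaultdict(float, {seed: seed_btc})
    for _, ins, outs in ledger:
        taint_in = 0.0
        for addr, amt in ins:
            # inputs from addresses we have never seen are treated as clean
            frac = tainted[addr] / balance[addr] if balance[addr] > 0 else 0.0
            taint_in += amt * frac
            tainted[addr] -= amt * frac
            balance[addr] -= amt
        frac_out = taint_in / sum(amt for _, amt in ins)
        for addr, amt in outs:
            balance[addr] += amt
            tainted[addr] += amt * frac_out
    return tainted, balance


def freeze_candidates(tainted, labels, min_btc=0.0):
    """Labelled (exchange) addresses holding more than min_btc of tainted coin."""
    return {labels[a]: round(v, 8) for a, v in tainted.items()
            if a in labels and v > min_btc}


if __name__ == "__main__":
    tainted, balance = propagate_taint(LEDGER, "hot", 7074.0)
    print(freeze_candidates(tainted, LABELS))                 # {'Kraken': 5.0}
    for a in ("out_a", "out_b"):
        print(a, f"{tainted[a] / balance[a]:.2%} tainted")   # both about 41%
```

The mixer outputs show why tumbling frustrates the simple trace: the stolen coin is still fully accounted for across the outputs, but the analyst can no longer say which output is "the" hacked money, only that each is about 41% tainted.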
And Bitcoin evangelists wonder why regulators and government officials want to shut Bitcoin down? This “anomaly” must be addressed in some fashion, which will be a challenge since there are over one hundred “mixers” in the network.