As most know, a significant amount of NEM tokens ($XEM) were hacked from Japanese exchange, Coincheck, last year, in which $530 million were extracted from the exchange.
The NEM was never recovered. However, it is traceable to a certain extent.
Below is one of the transactions associated in connection with this service:
Diving Down the Rabbithole
We’re going to start with the most recent link cited above, which has the transaction ID: 18cb6d0679a19b31b6f2f321088111ba2ee1a22d03ca170d85a96751dba94fa3
The majority of funds from the transaction (which has numerous inputs), can be seen heading directly to 1PQV39VVwfDnwY7W5JPReGFRiMnfJupWFg.
Checking the Affiliated Cluster
The address above is grouped in this cluster: https://www.walletexplorer.com/wallet/044c1db3e953a5a2/addresses
Crystal Blockchain Software confirms this clustering as well.
Notably, that cluster also contains the affiliated address: 18C35bBJxeXw8eUgDruc7Jo7p488wF4WKE
18C35bBJxeXw8eUgDruc7Jo7p488wF4WKE = Coinmarket (or attached to it)
User claims that it is part of their “final exit scam”
Experiences with CoinsMarkets.com?bitcointalk.to‘Coinsmarkets’ is a defunct exchange that essentially extracted all user funds from the site at some point in 2017. Throughout 2018, they feigned solvency for a while before collapsing.
Notably, this 18C35 prefix address also has funds coming from 1AauwKcsQKmL6idtxp64Trv97N5cVrCDTn , which is attached to the original cluster containing Bitcoin that was swapped with hacked NEM coins.
Visualizing the Cluster
Thankfully, because of access to Crystal Blockchain Software, we can gain more information about the cluster address that the stolen bitcoins were attached to.
The metrics for the cluster address are displayed above in detail. However, we’re going to dig a bit deeper than that and see if we can find out more about the source of the bitcoins going into this cluster address.
In order to do so, we will track the highlighted transaction above, which sent the majority (14.1k bitcoins) of the bitcoins into the current cluster we are looking at.
Intro to Cluster #2
This cluster is our ‘source cluster’ address.
Below are pictures of the metrics and connections associated with this cluster.
The above does not necessarily implicate the exchanges listed, but it does give us a better idea of where funds were being sent from if those crypto exchanges wanted to take any action on those accounts.
Proceeding Forth to the Visualization
Now that we have a solid grasp of how the main cluster address was formulated, let’s see if we can track the distribution of funds via Crystal Blockchain’s visualization methods.
Tracking through, we can see a significant amount of illicit funds ended up at Bitfinex in one way or another.
One address that received a particularly large portion of funds is the deposit address 3HfYLED57Pd2pniUxEqUp7LX4sDo1aeos3.
Perhaps what is even more interesting is the fact that the majority of these funds ended up directly at Bitfinex’s cold wallet address. This can be seen in this transaction: d841ee94cee5c07f85d84cd50b9fd823d780e673a77ba81df4741293d0129fbd
Exchanges Where Funds Landed
Based on research, funds ended up at:
Below are some pictures that show the intricacies in the routing of funds:
This most alarming discovery in the passage of wallets is that it appears that Bitfinex as an exchange was involved, in some facet, in the redirection of some of these funds.
This is stated because numerous deposit addresses (determined via their activity) were seen also sending funds out to various addresses. This is extremely unusual behavior for a true deposit address and it also indicates, definitively, that this redirection was done on behalf of the exchange.
Notably, not all Bitfinex deposit addresses function in this manner. In fact, the vast majority (98%+) simply send funds directly to the hot wallet address and on nearly no occasions are they sending funds directly to the cold wallet address, which is what we saw with transaction d841ee94cee5c07f85d84cd50b9fd823d780e673a77ba81df4741293d0129fbd.
It also notable that Bitfinex appears to be the central point of the transferred funds.