
KuCoin hacker began laundering Bitcoin through Wasabi mixer
KuCoin hacker moved Bitcoin through Wasabi for mixing, per OXT Research.
The attacker who hacked the KuCoin cryptocurrency exchange in September moved part of the stolen Bitcoin through Wasabi Wallet, which offers coin mixing. This was noted by the user Ergo from OXT Research.
According to his observations:
- 322 BTC passed through the ChipMixer mixing service;
- 288 BTC were partially mixed in the anonymous Wasabi wallet, and another 245 BTC, in his view, may follow the same route.
So far the Kucoin hacker mixed:
~322 BTC with Chipmixer
~288 BTC partially mixed via Wasabi
~another 245 BTC pending partial Wasabi mixing?
Post-chipmixer distribution activity starts here. https://t.co/F9VsJvhzCC pic.twitter.com/ZzdmdACruA
— Ergo ∴Politically Charged∴ (@ErgoBTC) November 2, 2020
Wasabi Wallet is a privacy-focused, open-source, non-custodial Bitcoin wallet. Its main feature is Chaumian CoinJoin, a trustless coin-mixing mechanism with mathematically proven anonymity.
The researcher found that part of the stolen funds that did not pass through this procedure was withdrawn to four new P2SH addresses. The OXT Research analyst believes these addresses could link much of the hacker's subsequent activity if the funds held on them are not mixed further.
At least 4 unmixed change UTXOs pulled out early and sent to P2SH segwit addresses (new wallet).
If these remain unmixed, they will likely link much of the hackers postmix activities. https://t.co/bBnaKDhWsQ https://t.co/RNfudDsGaF https://t.co/vRLavRtBGc https://t.co/KLECgFxCdM
— Ergo ∴Politically Charged∴ (@ErgoBTC) November 2, 2020
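Why unmixed change can link post-mix activity, shown from the analyst's side as an added example (not code from the article or from OXT Research). It clusters UTXOs with the common-input-ownership heuristic; all transactions and ids are constructed, and the `change` labels are assumed to come from a separate change-detection step.

```python
# Constructed sample transactions; ids and labels are illustrative, not chain data.
# "change" lists outputs the analyst attributes to the sender (an assumed input).
TXS = [
    # Stolen coins split: one output goes on to a CoinJoin, one is unmixed change.
    {"txid": "tx_split", "inputs": ["theft:0"], "change": ["change:0"]},
    # CoinJoin with other participants: inputs belong to different owners.
    {"txid": "tx_coinjoin", "coinjoin": True,
     "inputs": ["cj_in:0", "other_a:0", "other_b:0"]},
    # Post-mix spend of a mixed output on its own.
    {"txid": "tx_clean", "inputs": ["mixed:1"]},
    # Post-mix spend that co-spends a mixed output with the unmixed change.
    {"txid": "tx_merge", "inputs": ["mixed:0", "change:0"]},
]


def cluster(txs):
    """Return a find() function mapping each UTXO to its cluster root."""
    parent = {}

    def find(utxo):
        parent.setdefault(utxo, utxo)
        while parent[utxo] != utxo:
            parent[utxo] = parent[parent[utxo]]  # path halving
            utxo = parent[utxo]
        return utxo

    for tx in txs:
        if tx.get("coinjoin"):
            continue  # common-input ownership does not hold for CoinJoins
        group = tx["inputs"] + tx.get("change", [])
        for utxo in group[1:]:
            parent[find(utxo)] = find(group[0])
    return find


def linked(txs, a, b):
    """True if the heuristics place UTXOs a and b in the same cluster."""
    find = cluster(txs)
    return find(a) == find(b)


if __name__ == "__main__":
    print(linked(TXS[:3], "theft:0", "mixed:0"))  # before the merge spend
    print(linked(TXS, "theft:0", "mixed:0"))      # after it
```

The mixed output stays unattributed until it is co-spent with the unmixed change, at which point it joins the cluster that contains the stolen coins.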
Analysts noted that before sending funds to Wasabi, the attackers combined unmixed transaction outputs (UTXOs) originating from the darknet marketplace Hydra with their peel chain (a series of transactions that each split a small amount off a larger balance).
In addition to ChipMixer usage, Wasabi usage, and similar wallet fingerprinting, a utxo originating from Hydra was combined with the peel chain distributing to Wasabi.
Via >> https://t.co/yXCJPBNJil
— Ergo ∴Politically Charged∴ (@ErgoBTC) November 2, 2020
Two Chinese residents were implicated in a similar scheme, charged with involvement in hacking cryptocurrency exchanges and linked to the Lazarus group, which operates in North Korea’s interests.
In late September, KuCoin reported unauthorized withdrawals from hot wallets of Bitcoin, ERC-20 tokens, and other assets. The losses amounted to more than $280 million.
Later, KuCoin was able to identify the suspects in the hack and block part of the stolen funds with the help of partners.
To withdraw the funds, the hackers employed, among others, the Uniswap exchange and the mixer Tornado Cash.