{"id":31157,"date":"2020-11-03T10:06:39","date_gmt":"2020-11-03T08:06:39","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=31157"},"modified":"2025-08-28T02:18:08","modified_gmt":"2025-08-27T23:18:08","slug":"kucoin-hacker-began-laundering-bitcoin-through-wasabi-mixer","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/kucoin-hacker-began-laundering-bitcoin-through-wasabi-mixer\/","title":{"rendered":"KuCoin hacker began laundering Bitcoin through Wasabi mixer"},"content":{"rendered":"<p>The attacker who hacked the KuCoin cryptocurrency exchange in September moved part of the Bitcoin through the Wasabi Wallet, which offers mixing. This was noted by user Ergo from OXT Research.<\/p>\n<p>According to his observations:<\/p>\n<ul>\n<li>322 BTC <a href=\"https:\/\/forklog.com\/en\/news\/kucoin-stolen-bitcoins-pass-through-chipmixer\">passed through<\/a> the ChipMixer mixing service;<\/li>\n<li>288 BTC were partially mixed in an anonymous Wasabi wallet, and another 245 BTC, in his view, could pass through this route.<\/li>\n<\/ul>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">So far the Kucoin hacker mixed:<br \/>\n~322 BTC with Chipmixer<br \/>\n~288 BTC partially mixed via Wasabi<br \/>\n~another 245 BTC pending partial Wasabi mixing?<\/p>\n<p>Post-chipmixer distribution activity starts here. <a href=\"https:\/\/t.co\/F9VsJvhzCC\">https:\/\/t.co\/F9VsJvhzCC<\/a> <a href=\"https:\/\/t.co\/ZzdmdACruA\">pic.twitter.com\/ZzdmdACruA<\/a><\/p>\n<p>\u2014 Ergo \u2234Politically Charged\u2234 (@ErgoBTC) <a href=\"https:\/\/twitter.com\/ErgoBTC\/status\/1323331122650963969?ref_src=twsrc%5Etfw\">November 2, 2020<\/a><\/p>\n<\/blockquote>\n<p>Wasabi Wallet is an open-source, privacy-focused, non-custodial Bitcoin wallet. 
Its main feature is the use of Chaumian CoinJoin\u2014a trustless coin-mixing mechanism with mathematically proven anonymity.<\/p>\n<p>The researcher found that the part of the stolen funds that did not pass through this procedure was withdrawn to four new P2SH addresses. An OXT Research analyst believes they could be used in subsequent hacker activities if the funds held on them are not mixed further.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">At least 4 unmixed change UTXOs pulled out early and sent to P2SH segwit addresses (new wallet).<\/p>\n<p>If these remain unmixed, they will likely link much of the hackers postmix activities.<a href=\"https:\/\/t.co\/bBnaKDhWsQ\">https:\/\/t.co\/bBnaKDhWsQ<\/a><a href=\"https:\/\/t.co\/RNfudDsGaF\">https:\/\/t.co\/RNfudDsGaF<\/a><a href=\"https:\/\/t.co\/vRLavRtBGc\">https:\/\/t.co\/vRLavRtBGc<\/a><a href=\"https:\/\/t.co\/KLECgFxCdM\">https:\/\/t.co\/KLECgFxCdM<\/a><\/p>\n<p>\u2014 Ergo \u2234Politically Charged\u2234 (@ErgoBTC) <a href=\"https:\/\/twitter.com\/ErgoBTC\/status\/1323331294713896960?ref_src=twsrc%5Etfw\">November 2, 2020<\/a><\/p>\n<\/blockquote>\n<p>Analysts noted that before sending funds to Wasabi, the attackers included unmixed transaction outputs (UTXOs) from the darknet marketplace Hydra in the peel chain scheme (literally \u201clayered chains\u201d).<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">In addition to ChipMixer usage, Wasabi usage, and similar wallet fingerprinting, a utxo originating from Hydra was combined with the peel chain distributing to Wasabi.<\/p>\n<p>Via >> <a href=\"https:\/\/t.co\/yXCJPBNJil\">https:\/\/t.co\/yXCJPBNJil<\/a><\/p>\n<p>\u2014 Ergo \u2234Politically Charged\u2234 (@ErgoBTC) <a 
href=\"https:\/\/twitter.com\/ErgoBTC\/status\/1323331525501349888?ref_src=twsrc%5Etfw\">November 2, 2020<\/a><\/p>\n<\/blockquote>\n<p>Two Chinese residents were implicated in a similar scheme, charged with involvement in hacking cryptocurrency exchanges and linked to the Lazarus group, which operates in North Korea&#8217;s interests.<\/p>\n<p>In late September, KuCoin <a href=\"https:\/\/forklog.com\/en\/news\/kucoin-bitcoin-exchange-hacked-losses-estimated-at-150-million\">reported<\/a> unauthorized withdrawals from hot wallets of Bitcoin, ERC-20 tokens, and other assets. The losses amounted to more than $280 million.<\/p>\n<p>Later, KuCoin <a href=\"https:\/\/forklog.com\/en\/news\/kucoin-identifies-suspects-in-280-million-hack\">was able<\/a> to identify the suspects in the hack and block part of the stolen funds with the help of partners.<\/p>\n<p>To withdraw the funds, the hackers <a href=\"https:\/\/forklog.com\/en\/news\/hackers-used-uniswap-to-launder-150m-siphoned-from-kucoin\">employed<\/a>, among others, the Uniswap exchange and the mixer <a href=\"https:\/\/forklog.com\/en\/news\/kucoin-hacker-sent-5-million-in-ethereum-to-tornado-cash-mixer\">Tornado Cash<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The attacker who hacked the KuCoin cryptocurrency exchange in September moved part of the Bitcoin through the Wasabi Wallet, which offers mixing. 
This was noted by Ergo from OXT Research.<\/p>\n","protected":false},"author":1,"featured_media":31158,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"KuCoin hacker moved Bitcoin through Wasabi for mixing, per OXT Research.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,1411,1256,933],"class_list":["post-31157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-kucoin","tag-privacy-and-personal-data","tag-wasabi-wallet"],"aioseo_notices":[],"amp_enabled":true,"views":"40","promo_type":"1","layout_type":"","short_excerpt":"KuCoin hacker moved Bitcoin through Wasabi for mixing, per OXT Research.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/31157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=31157"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/31157\/revisions"}],"predecessor-version":[{"id":31159,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/31157\/revisions\/31159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/31158"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=31157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=31157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/
wp\/v2\/tags?post=31157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}