Cybersecurity Insights | How do hackers launder stolen funds through Tornado.Cash?


This article is authorized for reprint from SlowMist Technology

  • By: Lisa@SlowMist AML Team
  • Proofreading: Zero@SlowMist AML Team

Some time ago, we published On-chain Tracing: A Guide to Money Laundering Techniques - Peel Chain, and today we continue with this series. This time, the topic is the mixer Tornado.Cash.

As hacking and stolen funds incidents escalate, Tornado.Cash is becoming more and more "famous," with most hackers mercilessly transferring "loot coins" to Tornado.Cash after making a profit. We have discussed the anonymity of Tornado.Cash before, see: SlowMist AML: Unveiling the Anonymity of Tornado.Cash. Today, let's look at how a hacker laundered money through Tornado.Cash with a real case.


Basic Knowledge

Tornado.Cash is a fully decentralized non-custodial protocol that enhances transaction privacy by breaking the on-chain link between the source and destination addresses. To protect privacy, Tornado.Cash uses a smart contract that accepts ETH and other token deposits from one address and allows them to be withdrawn to different addresses, effectively sending ETH and other tokens to any address while hiding the sending address. These smart contracts act as pools that mix all deposited assets, generating a private note (random key) when you deposit funds into the pool, proving that you have executed the deposit operation. Later, this private note serves as your private key when withdrawing, and the contract transfers the ETH or other tokens to the specified receiving address. The same user can use different withdrawal addresses.

Case Study

Today's analysis focuses on a real case in which the affected platform reached out to us after stolen funds on Ethereum, BSC, and Polygon had been transferred to Tornado.Cash (specific platform details omitted).

Hacker addresses:

(Addresses are obfuscated to protect the affected platform)

0x489…1F4 Ethereum/BSC/Polygon

0x24f…bB1 BSC

Ethereum Section

With the help of the SlowMist MistTrack anti-money laundering tracking system, we conducted a preliminary feature analysis of the addresses.

From the partial display results, we can see that apart from Bridge, the hacker predominantly used Mixer in their transaction behavior, which is crucial for profiling the hacker.

Subsequently, we conducted an in-depth analysis of the funds and behaviors on Ethereum. According to the SlowMist MistTrack anti-money laundering tracking system, the hacker transferred 2450 ETH to Tornado.Cash in batches of 5×10 ETH and 24×100 ETH, and transferred 198 ETH to FixedFloat, so we focused on the Tornado.Cash portion.

To attempt to track the addresses the hacker withdrew to from Tornado.Cash, we started from the first transfer of funds into Tornado.Cash on Ethereum. Because there was a significant time gap between the first 10 ETH deposit and the second, we began instead with the 100 ETH batches.

Looking at the transactions of the Tornado.Cash: 100 ETH contract, we found numerous addresses to which funds had been withdrawn from Tornado.Cash. Through SlowMist MistTrack analysis, we filtered for addresses that matched the timeline and transaction characteristics. Although many addresses remained to analyze, we soon encountered the first suspicious address (0x40F…952).

According to SlowMist MistTrack analysis, the address (0x40F…952) received ETH from Tornado.Cash and subsequently split the ETH into three transfers to FixedFloat.

Of course, this could be a coincidence, and further verification is needed.

Continuing the analysis, we found three addresses with similar characteristics:

A→B→(multiple) FixedFloat

A→(multiple) FixedFloat

Based on these characteristics, we identified 24 addresses that fit the profile, aligning with our hypothesis.

Polygon Section

As shown below, the hacker transferred 365,247 MATIC, a portion of the profits, to Tornado.Cash in seven transactions.

The remaining 25,246.722 MATIC was transferred to address (0x75a…5c1). Upon tracking this fund, we found that the hacker transferred 25,246.721 MATIC to FixedFloat, prompting us to consider if the hacker would employ a similar tactic for money laundering on Polygon.

We initially located the contract Tornado:100,000 MATIC and the last three corresponding transactions from the image above. We noticed that not many addresses had received withdrawals from the Tornado.Cash contract, which allowed a detailed analysis of each.

Soon, we identified the first address (0x12e…69e) that raised suspicion. We observed familiar FixedFloat addresses: funds were transferred from FixedFloat to address (0x12e…69e), and subsequently the addresses that received funds from address (0x12e…69e) also transferred MATIC to FixedFloat.

Similar analysis of other addresses revealed the same money laundering tactic, which will not be elaborated here. The hacker seemed to have a preference for FixedFloat based on the earlier analysis, providing a potential lead for further investigation.

BSC Section

Next, we delve into the BSC section. There are two hacker addresses on BSC, starting with address (0x489…1F4):

The hacker address transferred 1700 ETH to Tornado.Cash in 17 transactions within a coherent time range. We expected a straightforward repeat of the earlier strategy, but the picture turned out to be different. Through SlowMist MistTrack analysis and filtering, we identified addresses that matched the timeline and transaction characteristics and proceeded to analyze each one.

During the analysis, address (0x152…fB2) caught our attention. As shown, SlowMist MistTrack indicated that this address transferred ETH from Tornado.Cash to SimpleSwap.

Further analysis revealed a similar modus operandi, where the hacker changed platforms but maintained similar characteristics:

A→SimpleSwap

A→B→SimpleSwap

Another hacker address (0x24f…bB1) transferred funds to Tornado.Cash in increments of 10 BNB.

In this money laundering tactic, the hacker opted for another platform, but the method remained similar. Further detailed analysis is omitted.
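The filtering used in the Ethereum and BSC sections (withdrawals from a given pool inside the suspected time window, then the A→FixedFloat / A→B→SimpleSwap forwarding pattern) can be written as a small tracing heuristic. This is an added example, not SlowMist or MistTrack code; the labels, addresses and transfers are constructed, and the entity labels stand in for what an AML tool would attach.

```python
from collections import defaultdict, namedtuple

# Entity labels as an AML tool attaches them; every address here is constructed.
LABELS = {
    "0xTORNADO100": "Tornado.Cash: 100 ETH",
    "0xFF1": "FixedFloat", "0xFF2": "FixedFloat",
    "0xSS1": "SimpleSwap",
}
EXCHANGES = {"FixedFloat", "SimpleSwap", "Sideshift.ai"}
POOL = "0xTORNADO100"
Transfer = namedtuple("Transfer", "ts src dst value")  # ts: block time, value: ETH

# Constructed sample: pool withdrawals and the hops that follow them.
SAMPLE = [
    Transfer(1000, POOL, "0xA", 100), Transfer(1100, POOL, "0xC", 100),
    Transfer(1200, POOL, "0xE", 100), Transfer(5000, POOL, "0xG", 100),
    Transfer(1300, "0xA", "0xFF1", 40), Transfer(1310, "0xA", "0xFF2", 30),
    Transfer(1320, "0xA", "0xFF1", 29.9),           # A -> (multiple) FixedFloat
    Transfer(1400, "0xC", "0xD", 99.9), Transfer(1500, "0xD", "0xSS1", 50),
    Transfer(1510, "0xD", "0xSS1", 49.8),           # A -> B -> SimpleSwap
    Transfer(1600, "0xE", "0xH", 99.9),             # never reaches an exchange
    Transfer(5100, "0xG", "0xFF1", 99.9),           # withdrawn outside the window
]

def withdrawals_in_window(transfers, pool, start, end):
    """Addresses that received funds from `pool` with start <= ts <= end."""
    return {t.dst for t in transfers if t.src == pool and start <= t.ts <= end}

def exchange_pattern(addr, transfers, max_hops=2):
    """Shortest path from addr to a labelled exchange in <= max_hops transfers, else None."""
    out = defaultdict(list)
    for t in transfers:
        out[t.src].append(t)
    frontier = [[addr]]                       # breadth-first: direct hop before A->B->X
    for _ in range(max_hops):
        nxt = []
        for path in frontier:
            for t in out[path[-1]]:
                if LABELS.get(t.dst) in EXCHANGES:
                    return path + [t.dst]
                nxt.append(path + [t.dst])
        frontier = nxt
    return None

def suspicious_withdrawers(transfers, pool, start, end):
    """In-window withdrawers that fit the pattern, mapped to their path."""
    paths = {a: exchange_pattern(a, transfers)
             for a in withdrawals_in_window(transfers, pool, start, end)}
    return {a: p for a, p in paths.items() if p}
```

Addresses that leave the pool in the window but never reach a labelled platform within two hops (0xE here) are not flagged, which is why a candidate such as 0x40F…952 still needs the manual verification the article describes.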

Conclusion

This article began with a real case study, analyzing how hackers attempted to use Tornado.Cash across different chains to launder stolen funds. The money laundering tactics in this case study exhibit extreme similarity, primarily characterized by withdrawing from Tornado.Cash and transferring funds either directly or through an intermediary address to popular mixing platforms (FixedFloat/SimpleSwap/Sideshift.ai). However, this is just one method of money laundering through Tornado.Cash, and more techniques await discovery.

To analyze results more efficiently and accurately, tools are indispensable. With over 200 million labeled wallet addresses, the SlowMist MistTrack anti-money laundering tracking system can identify various wallet addresses on global mainstream trading platforms, such as user deposit addresses, warm wallet addresses, hot wallet addresses, cold wallet addresses, etc. The MistTrack anti-money laundering tracking system plays a crucial role in anti-money laundering analysis and evaluation, providing robust technical support for analyzing address behaviors and tracking origins for cryptocurrency trading platforms, individual users, and more.