Liquid Exchange Hacker Covers Tracks by Sending $20M to ETH Mixer

Other portions of the stolen $90 million have ended up at Uniswap, Huobi, Binance and Poloniex, blockchain data shows.

Aug 21, 2021 at 3:12 p.m. UTC
Updated May 9, 2023 at 3:22 a.m. UTC

Whoever hacked the Japanese crypto exchange Liquid for an estimated $90 million has been taking steps to cover their tracks, according to public blockchain data.

However, three exchanges told CoinDesk they froze funds deposited from addresses believed to belong to the thieves.

    Liquid disclosed the breach Thursday in a tweet, pointing at several wallets that it said hackers used to siphon out bitcoin, ether, multiple ERC20 tokens, TRON and XRP.

    Later, Liquid tweeted more crypto addresses it identified as the hacker’s, said it halted crypto withdrawals and filed a suspicious transaction report with the Monetary Authority of Singapore (MAS), the country’s financial regulator. On Saturday, Liquid said it updated the exchange's wallet infrastructure and had been migrating users' funds "to the new secure vaults."

    The hack is one of the largest of a crypto exchange in recent history, although smaller than the $146 million hack of Italian exchange BitGrail in 2020 and the more than $500 million hack of Tokyo-based Coincheck in 2018.

    Since blockchain data is public, everyone from sophisticated analytics vendors who contract for law enforcement to curiosity-seekers and autodidacts can trace the movement of the crypto – up to a point. 

    According to a CoinDesk review of the Etherscan block explorer, a little over 6,000 ETH (or about $19.7 million) stolen from Liquid has been sent to Tornado.cash, a non-custodial mixer for ether and ERC20 tokens that allows users to obfuscate their transactions by commingling their crypto with the coins of others. 

    From there, the trail goes cold.

    Blockchain analysis to a certain extent relies on assumptions about the relationships of addresses to each other and to people in the real world. So on-chain data alone does not provide definitive answers as to who sent money to whom. However, combined with off-chain, real-world information, it can produce valuable insights about the ways crypto works.

    Deposited at DEXs….

    Etherscan also shows that the hacker used Uniswap, a decentralized exchange (DEX), and other DEXs to liquidate ERC20 tokens, which run on top of the Ethereum network, over the past two days.

    Some 9,319 ETH, or $30 million worth of crypto, is still sitting in the hacker’s wallet, according to Etherscan.

    Elliptic released similar findings in a blog post Thursday. Over $97 million in crypto has been sent to the presumed thief’s wallets, the blockchain research firm wrote.

    “This includes $45 million in Ethereum tokens, which are currently being converted into ether using decentralised exchanges (DEXs) such as Uniswap and SushiSwap,” Elliptic said.

    According to Liquid’s Friday blog post, various issuers of ERC20 tokens have now frozen those stolen assets. Overall, 69 assets have been stolen from the exchange’s wallets “and sent to other exchanges or defi swapping venues,” Liquid said.

    Another ETH wallet controlled by the hacker, identified by Liquid in another tweet, hasn’t liquidated any funds yet and contains over 538 ETH worth $1.7 million.

    The bitcoin stolen from Liquid also remains in the hacker’s wallets and hasn’t moved to any exchange yet: According to data from Blockchain.com, all the 107.4 BTC ($4.8 million worth) sent to the address cited by Liquid is still there.

    …and CEXs 

    A portion of the stolen TRON tokens worth about $1 million was sent in large batches to an address belonging to the centralized crypto exchange (CEX) Huobi, according to the Tronscan blockchain explorer. The funds reached Huobi in several hops via four interconnected wallets.

    Mark Lee, a spokesperson for Huobi, confirmed to CoinDesk that the address was indeed a Huobi user's deposit address.

    "After Huobi was alerted of this incident, we quickly placed restrictions on the account, and are currently in the internal process of investigating both the transaction and the account," Lee added.

    Another portion of the stolen TRON, about 3.5 million TRX (or $321,000), didn't go to Huobi but ended up in a separate wallet.

    As for the XRP tokens, the wallet identified by Liquid as the hacker's sent 11.5 million XRP, about $14.5 million worth, to centralized exchanges Binance, Huobi and Poloniex, according to data from XRPScan. 

    Some of those XRP had been successfully swapped for bitcoin on one of the exchanges, Liquid tweeted, and the hacker also managed to withdraw the bitcoin to two addresses, which now together hold some 192 BTC.

    That exchange, it turned out, was Binance: spokesperson Jessica Jung confirmed to CoinDesk that Binance identified the XRP stolen from Liquid in its wallets. "We provided Liquid with relevant information, including the BTC withdrawal addresses," Jung said. Binance has frozen "associated accounts," she said.

    Poloniex spokesperson Gabriel Wang also confirmed to CoinDesk that the exchange blocked addresses related to the hack.

    KuCoin's CEO Johnny Lyu tweeted Thursday that his crypto exchange has blacklisted the addresses Liquid pointed at as related to the hack.

    UPDATE (Aug. 21, 15:30 UTC): Adds detail about bitcoin wallet in 16th paragraph.
    UPDATE (Aug. 21, 17:19 UTC): Clarifies that it's one of the largest hacks of a crypto exchange in recent history.
    UPDATE (Aug. 23, 2021, 10:50 UTC): Adds comment from Poloniex that the exchange also blocked addresses related to the hack.

    UPDATE (Aug. 23, 13:50 UTC): Fixes typo in 19th paragraph.
