They Were Jailed for Hacking an Exchange. Blockchain Data Cleared Them
How blockchain forensics helped two suspects in a cyber crime prove their innocence
Cryptocurrency hacks usually make the news. So do arrests of alleged perpetrators. The recent seizure by federal officials of around $3.6 billion worth of bitcoin, along with the highly publicized arrest of two individuals tied to a 2016 attack on the crypto exchange Bitfinex, is but one example.
Crypto analytics played a key role in helping federal officials identify the alleged Bitfinex launderers. In another case, blockchain analysis may have helped clear the names of two suspects in an exchange hack.
In November 2020, two Venezuelan software developers, José Manuel Osorio Mendoza and Kelvin Jonathan Diaz, were detained by local authorities under suspicion of stealing around $1 million worth of bitcoin from a local cryptocurrency exchange called Bancar.
Mendoza and Diaz maintained their innocence but remained doubtful they would be able to prove that in court.
“There is a lot of technological ignorance in my country, despite being an economy open to crypto … Even though we worked at a technology enterprise, we felt this doubt about how we could explain something that was so new and so difficult to understand” to a local judge, Mendoza said.
At the time of their detainment, Mendoza and Diaz worked at POSINT, a Venezuelan software development company that had previously provided services to Bancar. Eager to clear his company’s and colleagues’ names, Danny Penagos, chief operations officer at POSINT, hired blockchain analytics company CipherBlade to independently investigate the attack on Bancar.
CipherBlade’s resulting report, reviewed by CoinDesk, tells a complex story of security vulnerabilities and scapegoating while tracking the stolen funds from Bancar through recently blacklisted Suex.io all the way to Russia. The report shows that the stolen bitcoin eventually ended up on leading digital asset exchange Binance.
The Venezuelan court agreed to take a look at CipherBlade’s report. Based on the investigation’s findings, in January 2021, over a month after the developer duo were detained, the court granted Mendoza and Diaz conditional freedom. In August 2021, the court officially dismissed all charges against them, according to an official document obtained by CoinDesk.
While illicit crypto transaction volumes fell by more than half from 2019 to 2020, it’s still a multibillion-dollar market. And the demand for blockchain intelligence services to track illicit transactions is booming. Blockchain intelligence firm Chainalysis has multimillion-dollar contracts with the U.S. government, and last September, global payments giant Mastercard agreed to buy CipherTrace, a firm that scans blockchains for illicit activity.
Miguel Alonso Torres, a senior investigator at CipherBlade (not to be confused with CipherTrace, the firm Mastercard agreed to acquire), said his firm works on a range of cases from hacks and theft to the occasional divorce case where a spouse was suspected of not disclosing their total crypto holdings.
But clearing two suspects was a first for Torres.
The exchange hack
It all started when Bancar hired POSINT in 2018 to help build its cryptocurrency exchange.
In 2018, Venezuela’s president, Nicolas Maduro, launched the petro, the country’s controversial government-issued digital currency backed by a portion of Venezuela's oil reserves. His aggressive tactics to force the petro’s adoption ranged from ordering a number of state-owned companies to convert a part of their sales to petro to reportedly requiring citizens to pay for new passports with petro.
In October 2018, local media outlets began to report that Maduro had approved six local cryptocurrency exchanges to sell petro. According to the reports, Bancar was one of the six exchanges approved by Maduro. Penagos said that following Bancar’s approval, POSINT was hired to build out the firm’s trading platform. He added that after completing the work, POSINT handed the source code over to Bancar.
Bancar didn't respond to multiple requests for comment.
A year later, 103.99 BTC worth around $1 million disappeared from the Bancar exchange in a cyberattack, according to the CipherBlade report. The bitcoin was stolen in five separate transactions that occurred on two different days – three transactions on Sept. 4, 2019, and the rest on Sept. 7, 2019.
According to Penagos, Bancar immediately suspected POSINT, the company that had built the software Bancar was using, of the theft. Penagos, meanwhile, ran a simple trace and found the stolen bitcoin had ended up on Binance.
“I think a professional attacker or hacker would not deposit that amount of money in a big exchange like Binance,” Penagos said.
Penagos says he notified Bancar by email and asked it to consider hiring CipherBlade to investigate the hack or contact Binance to try to recover the funds.
Then, a year later, in December 2020, local media reported that Venezuelan authorities had detained Mendoza and Diaz as the suspects behind the attack. At the time, Mendoza was the chief technology officer at POSINT and Diaz was a senior developer at the company, Penagos said.
“We were confused,” Diaz said, recalling the first days he was detained.
Local news outlets and international crypto news sites published stories on their detainment.
“After circumventing the platform's security, [Mendoza and Diaz] allegedly proceeded to make bitcoin and fiat transfers to various accounts associated with them,” crypto news platform Decrypt wrote.
Meanwhile, Mendoza and Diaz weren't sure how to prove their innocence.
“While we were detained, doubts kept increasing,” Mendoza said.
All POSINT had to do was prove the two couldn't have stolen the funds, but that wasn’t easy.
“Cryptocurrency is uniquely transparent as all transactions are recorded on a public, immutable, permanent blockchain ledger," Gurvais Grigg, global public sector chief technology officer at Chainalysis, said in an email. "The challenge is that the blockchain is not human-readable. It’s difficult to know what services are behind transactions on the blockchain because they are pseudonymous."
After his colleagues were detained, Penagos said he tried to contact Binance himself but received no reply. Failing that, he finally turned to CipherBlade.
“When the investigation started, we finally started to feel relaxed,” Mendoza said.
Tracking the flow of funds
Within a month of starting its investigation, CipherBlade was able to map out the trajectory of the stolen Bancar funds in considerable detail.
“When you look at the flow of funds, you know there were some obfuscation techniques that weren't executed particularly well,” said Paul Sibenik, lead case manager at CipherBlade.
Once the 103.99 BTC were lifted from the exchange in five separate transactions, the perpetrator deposited the stolen bitcoin to two addresses. An address is the string of letters and numbers to which bitcoin can be sent; whoever holds the matching private key controls the funds at it.
The stolen bitcoin then converged on a single address at Binance: 1ECeZBxCVJ8Wm2JSN3Cyc6rge2gnvD3W5K.
But something wasn’t adding up.
“We initially saw all funds go to Binance," Sibenik said. "But we could tell that the address that the funds went to was not a personal account at Binance that belonged to the hacker. It was some type of service."
According to the CipherBlade report, Binance informed investigators that the address was associated with Suex.io, a Moscow-based firm that offered over-the-counter (OTC) trading services.
That meant that Bancar’s stolen bitcoin first ended up in two addresses belonging to the perpetrator, and the perpetrator then used Suex.io to convert the bitcoin to another asset. In other words, the perpetrator used Suex.io’s OTC service to launder the stolen bitcoin. Suex.io then sent the stolen bitcoin to its account at Binance.
CipherBlade tried to request information from Suex.io but Sibenik and Torres said the Russian firm wasn't cooperative.
“The first thing is that anyone that was a potential client of Suex.io at the time knew that they didn’t have requirements at all," Torres said. "They didn’t care who they were dealing with or where the funds came from. I respect pseudonymity and privacy a lot but there are also ethical values. This case was critical. There were two people in prison.”
According to the report, Binance helped CipherBlade fill in the blanks by making a source-of-funds request to Suex.io. A crypto exchange can make such a request to clients asking them to explain the origin of the money or assets deposited on the platform.
The information eventually shared by Suex.io allowed CipherBlade to retrieve everything from the perpetrator’s internet protocol (IP) address to their Telegram handle, internet service provider and web browser. All information pointed to a Russian national.
“It became evident to us that, indeed, Mendoza and Diaz were just being scapegoated,” Sibenik said.
Meanwhile, in September 2021, Suex.io became the first cryptocurrency exchange to be sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), placing it in the same category as terrorists and drug traffickers. Interestingly, the Suex.io address on the Binance platform was one of the digital currency addresses flagged on OFAC’s sanctions list. Suex.io didn't respond to multiple requests for comment.
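As an added illustration (not code from the CoinDesk article or the CipherBlade report), the Python script below reproduces the forward-tracing step described above: follow the outputs of the five theft transactions until they stop at an address that attribution data marks as a service deposit address, then check the terminal addresses against a sanctions list. The transaction graph, txids, addresses, amounts and the sanctions list are all constructed to mirror the shape of the case (two perpetrator addresses converging on one service address); "otc_deposit" stands in for the Binance address named earlier and does not use the real one.

```python
"""Forward flow-of-funds trace over a UTXO transaction graph.

Added example, not code from the CipherBlade report or from CoinDesk. The
transaction graph below is CONSTRUCTED to mirror the shape described in the
article: five theft transactions on two days, two perpetrator addresses, one
converging deposit address that belongs to a service rather than to the thief.
All txids, addresses, amounts and the sanctions list are invented.
"""
from collections import defaultdict, deque

SATS = 100_000_000  # satoshis per BTC; integer amounts avoid float rounding

# Each tx: inputs are outpoints (txid, vout) it spends; outputs are (address, sats).
# Outpoints whose txid is not in TXS (e.g. "prior") are the exchange's pre-theft UTXOs.
TXS = {
    # five theft transactions draining the exchange hot wallet (103.99 BTC less fees)
    "t1": {"date": "2019-09-04", "inputs": [("prior", 0)], "outputs": [("perp_A", 2_999_990_000)]},
    "t2": {"date": "2019-09-04", "inputs": [("prior", 1)], "outputs": [("perp_A", 1_999_990_000)]},
    "t3": {"date": "2019-09-04", "inputs": [("prior", 2)], "outputs": [("perp_B", 1_399_990_000)]},
    "t4": {"date": "2019-09-07", "inputs": [("prior", 3)], "outputs": [("perp_B", 2_499_990_000)]},
    "t5": {"date": "2019-09-07", "inputs": [("prior", 4)], "outputs": [("perp_A", 1_498_990_000)]},
    # perpetrator consolidates each address and pays an OTC desk's deposit address at an exchange
    "t6": {"date": "2019-09-08", "inputs": [("t1", 0), ("t2", 0), ("t5", 0)],
           "outputs": [("otc_deposit", 6_490_000_000), ("perp_A_chg", 8_960_000)]},
    "t7": {"date": "2019-09-09", "inputs": [("t3", 0), ("t4", 0)],
           "outputs": [("otc_deposit", 3_899_970_000)]},
    # leftover change moves once more and then sits unspent
    "t8": {"date": "2019-09-10", "inputs": [("t6", 1)], "outputs": [("perp_C", 8_950_000)]},
    # an unrelated customer deposit to the same service address: must NOT be counted as stolen
    "u1": {"date": "2019-09-09", "inputs": [("other", 0)], "outputs": [("otc_deposit", 50_000_000)]},
}
THEFT_TXIDS = ["t1", "t2", "t3", "t4", "t5"]

# Attribution data an analytics firm or exchange supplies: addresses known to be
# service deposit addresses. Tracing stops there because the next hop is off-chain
# (the service's internal ledger), which is why the exchange had to be asked whose
# account the address belonged to.
LABELS = {"otc_deposit": "deposit address at exchange (OTC desk customer)"}

# Constructed stand-in for a sanctions list such as OFAC's SDN digital-currency addresses.
SDN_ADDRESSES = {"otc_deposit"}


def build_spend_index(txs):
    """Map every spent outpoint (txid, vout) to the txid that spends it."""
    spent_by = {}
    for txid, tx in txs.items():
        for outpoint in tx["inputs"]:
            spent_by[outpoint] = txid
    return spent_by


def trace_forward(txs, seed_txids, labels, max_hops=10):
    """Follow outputs of the seed transactions until they reach a labelled service
    address or an unspent output. Returns (sats per terminal service address,
    sats per unspent address, first path found to each service address).

    This applies a simple 'poison' taint: every output of a transaction that spent
    tainted coins is treated as tainted, so amounts are an upper bound when stolen
    and clean coins are mixed in one transaction.
    """
    spent_by = build_spend_index(txs)
    queue = deque((txid, 0, [txid]) for txid in seed_txids)
    seen = set()
    terminals = defaultdict(int)
    unspent = defaultdict(int)
    paths = {}
    while queue:
        txid, hops, path = queue.popleft()
        if txid in seen:
            continue
        seen.add(txid)
        for vout, (addr, sats) in enumerate(txs[txid]["outputs"]):
            if addr in labels:
                terminals[addr] += sats
                paths.setdefault(addr, path)
                continue
            spender = spent_by.get((txid, vout))
            if spender is None:
                unspent[addr] += sats
            elif hops < max_hops:
                queue.append((spender, hops + 1, path + [spender]))
    return dict(terminals), dict(unspent), paths


def sanctions_hits(terminals, sdn_addresses):
    """Terminal addresses that appear on the sanctions list, for escalation."""
    return sorted(addr for addr in terminals if addr in sdn_addresses)


if __name__ == "__main__":
    terminals, unspent, paths = trace_forward(TXS, THEFT_TXIDS, LABELS)
    for addr, sats in terminals.items():
        print(f"{addr}: {sats / SATS:.4f} BTC via {' -> '.join(paths[addr])} ({LABELS[addr]})")
    for addr, sats in unspent.items():
        print(f"unspent at {addr}: {sats / SATS:.4f} BTC")
    print("sanctions hits:", sanctions_hits(terminals, SDN_ADDRESSES))
```

Two design points matter in practice. The trace stops at a labelled service address rather than following the service's later spends, because once coins sit in an exchange's or OTC desk's wallet the ownership change happens on an internal ledger the blockchain does not show; that is exactly the gap Binance's source-of-funds request to Suex.io filled. And the unrelated deposit `u1` to the same address is never counted, because the trace only follows outputs reachable from the theft transactions, so attributing the whole address balance to the thief would overstate the loss.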
Binance confirmed to CoinDesk that it participated in CipherBlade’s investigation and that it had de-platformed the account in question based on internal safeguards. However, it didn't specify when the account was de-platformed.
“Similarly to banks and other traditional financial institutions, whenever any illicit flows come through exchanges, the exchange itself is not harboring the actual criminal groups, but rather is being exploited as a middleman,” a Binance spokesperson said in an emailed statement.
CipherBlade’s report also looked into Bancar and found a number of vulnerabilities that may have exposed the platform to attack.
For one, the CipherBlade investigation found that search engines had indexed more than 7,000 spam web pages under "http://bancarexchange.io" that Bancar didn't create. The CipherBlade report said (and CoinDesk confirmed) that a simple search for the website returns pages advertising everything from Russian brides to car rentals to ghostwriting. Third-party spam pages served under a site's own domain are a common sign that the web server or its content management system has been compromised.
During its investigation, CipherBlade also found the platform's TLS (SSL) certificate, which authenticates the website's identity, had been correctly installed but was revoked in December 2020, more than a year after the hack. A certificate can be revoked for a number of reasons, including suspicion that its private key has been compromised, so the revocation on its own does not establish a link to the 2019 theft.
At the end of the report, the intelligence firm also outlines potential steps Venezuelan authorities could take to follow the culprit and close the case. It is unclear whether Venezuelan authorities are pursuing the individual in question. But CipherBlade is hopeful.
“I was not super-optimistic at first that the authorities would take our opinions into account. But they obviously did,” Sibenik said.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.