Hackers who stole about $97 million in cryptocurrency from the Liquid exchange used the non-custodial, privacy-focused Wasabi wallet to protect some of their gains, according to sleuthing firm Crystal Blockchain.
Bitcoin from the wallets Liquid identified as belonging to the hackers has been on the move over the past two weeks, public blockchain data shows. For example, on Aug. 29, 100 BTC (worth over $4.8 million) from one hacker-linked address was split up and sent to two separate addresses, then further broken into smaller pieces and distributed to yet more addresses.
At least some of that bitcoin was then sent to addresses believed to be generated by a Wasabi wallet, according to Crystal Blockchain data.
This was one of many similar transactions that the hackers made using Wasabi, presumably to disconnect the stolen funds from their criminal history, according to Crystal. This would be a necessary step to spend such funds or sell them for fiat money, because centralized exchanges tend to freeze funds that are known to come from hacks, exploits and scams.
Over 437 BTC (worth over $20 million) associated with the Liquid hackers have been laundered using Wasabi’s CoinJoin feature, and the process is still ongoing, according to Crystal.
Wasabi is a privacy-focused desktop wallet that allows users to make their bitcoin less traceable on the public ledger by arranging so-called CoinJoin transactions. Multiple users can commingle their bitcoin in joint transactions and get it back disconnected from the previous history of payments. The wallet also routes transactions over the Tor network, which further helps to conceal the user’s IP address.
Although Wasabi is a non-custodial wallet that doesn’t store users’ funds, it generates addresses for CoinJoin transactions that blockchain analytics tools have learned to identify. Crypto sleuthing firm Elliptic did this last year, following bitcoin coming from the infamous Twitter hack to addresses associated with Wasabi.
According to Kyrylo Chykhradze, product director for Crystal Blockchain, identification of such addresses is more challenging than attributing addresses to custodial crypto services, so Crystal makes “a lot of double-checks before the final labeling” of the addresses in their analytics system.
Wasabi did not immediately respond to a request for comment.
Swapped and tumbled
According to Crystal Blockchain, wallets associated with the Liquid hackers received some 1,168 BTC in total, most of which they got by swapping other cryptocurrencies for bitcoin on several exchanges.
CoinDesk previously reported that the hackers sent stolen XRP tokens to three exchanges – Binance, Huobi and Poloniex – where they managed to exchange them for bitcoin on the first day after the hack. That bitcoin stash was later partially laundered via Wasabi’s CoinJoin addresses, according to Crystal.
ERC20 tokens, which run on the Ethereum blockchain, had been sent to decentralized exchanges (DEXs), swapped for ether and then sent to Tornado.cash, an online mixer for ether. Some tokens were also swapped for bitcoin on the decentralized exchange Ren, resulting in an additional 394 BTC in the hackers’ stash, Chykhradze said.
“For almost two weeks hackers have been using different methods to cover their tracks – substantial amounts of XRP, ETH and ERC20 tokens were either converted into BTC or mixed through the Tornado tumbler service,” Chykhradze said.
In addition, several dozen BTC were moved to multiple unidentified wallets and have been left there for now.
Several exchanges worked with Liquid to label and block the addresses related to the hackers, they previously told CoinDesk. However, in many cases the hackers managed to get funds out faster than the exchanges reacted.