In the blockchain industry, address tracing is a relatively sensitive topic. In anti-money-laundering work, coin-loss incidents and hacker tracking, tracing addresses and on-chain transfers lets us obtain far more information, but the anonymous, cryptographic nature of the blockchain itself, combined with the development of various anti-tracking and anonymity technologies, has turned address tracing into hard work. This article takes the recent tracking of the Ethereum stolen from the Upbit exchange as an example and also discusses the methods and tools for address tracing on Ethereum.
In general, we can split address tracing into the following four steps:
1. Follow the large transfers
2. Pay attention to small capital flows
3. Analyze the deposit and withdrawal addresses of exchanges
4. Continuously monitor addresses
1. Large-amount transfers
After funds are stolen from an exchange or address, we usually start with one suspicious address: the address to which the hacker transferred the stolen funds. The first thing to look at is the trend of large transfers out of this address, which reveals the hacker's first move after stealing the funds.
Open a blockchain explorer, enter the suspicious address and query its transactions. From the transaction list, pick out the large outgoing transfers, open each destination address in turn, and repeat the query layer by layer to build a diagram of the large-amount capital flow.
Here is an example using the flow of the Ethereum stolen from the Upbit exchange:
The exchange address from which the stolen Ethereum flowed out is 0x5e032243d507c743b061ef021e2ec7fcc6d3ab89, and the receiving hacker address is 0xa09871aeadf4994ca12f5c0b6056bbd1d343c029. Follow the steps in the figure below to get the hacker's first move:
1. Open the Tokenview block explorer, enter the hacker address 0xa09871aeadf4994ca12f5c0b6056bbd1d343c029 and click Search
2. Click the address in the search results to open the transaction details page for that address
As of the time of writing, this address has carried out 114 transactions. We can first check the first two transactions of this address.
The first transaction came from the Upbit exchange address starting with 0x5e03 mentioned above, which indicates that the hacker's address was a newly generated address on the chain; the transfer amount was 342,000 ETH.
Next, observe the outgoing transactions that follow. Starting from the first outgoing transfer, the destination addresses of these transfers form the first layer of dispersal addresses.
It can be observed that 0xa098 transferred 111,000 ETH to the address 0x9a207194cbed9f229694fdf5a28caab59157920d,
111,010 ETH to the address 0x3408edca2d47ddaa783a3563d991b8ddebcd973b,
and 120,280.16 ETH to the address 0xc7d64e6509333a3b68f6fc09d7d19404bfdd229a.
At this point most of the ETH in this address has been transferred out. We can focus our monitoring on the three addresses above and analyze their subsequent transfers to obtain the next layer of the capital flow:
2. Pay attention to small capital flows
After obtaining the large-amount flow diagram, we also need to sort out the small amounts of funds involved. Small amounts usually find their way into an exchange through various channels after multiple layers of transfers. To handle this, we need to sort out addresses and transaction records across multiple layers.
1. Multi-layer transfers with small-amount penetration
Still taking the Upbit hacker address as an example, let's explain the first way funds enter an exchange. The transaction with hash 0x8237dc359f2af9d23759cfa7c692da3e12a21cdc45e3d8a8e28190d29974bf2a was transferred to the Dutch exchange 60cek at the 9th layer of transfers from the hacker's address, with an amount of 123.99 ETH. The specific transfer path is shown in the figure below. The method is the same as when tracking large transfers: take the destination address 0xf4678169b1eb0c141fd99942ac02191145fefe3f found on the transaction details page, click the address to open its transaction details page, then click the destination address of its outgoing transaction, and repeat this step until you obtain the following 9-layer transfer diagram:
The details of the last transaction entering 60cek are as follows:
As of 15:00 on December 10, the hacker had transferred more than 2,000 ETH to exchange addresses through multi-layer transfers and small-amount penetration. The exchanges involved include 60cek, Binance, Cryptonator, Bitmax, MXC, Bilaxy, Bitfinex, Bit-Z, ZB and others. We have every reason to believe that the hacker is still only probing the exchanges' thresholds, which may be why no large deposits into exchanges have been made so far.
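The layer-by-layer walk used for both the large-amount diagram above and the 9-layer small-amount path, written as an added Python example that is not part of the original article and uses no explorer API: the transfers are a constructed in-memory list, and the addresses, transaction hashes and exchange label are placeholders.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    tx_hash: str      # constructed placeholder, not a real transaction hash
    sender: str
    receiver: str
    value_eth: float

# Constructed sample ledger (not real on-chain data): the seed address moves
# large amounts through several layers while a small amount peels off and
# reaches a labelled exchange deposit address at layer 4.
SAMPLE_TRANSFERS = [
    Transfer("tx01", "0xHACKER", "0xLAYER1_A", 111000.0),
    Transfer("tx02", "0xHACKER", "0xLAYER1_B", 120280.16),
    Transfer("tx03", "0xLAYER1_A", "0xLAYER2_A", 110000.0),
    Transfer("tx04", "0xLAYER1_A", "0xLAYER2_B", 900.0),
    Transfer("tx05", "0xLAYER2_B", "0xLAYER3_A", 500.0),
    Transfer("tx06", "0xLAYER3_A", "0xEXCHANGE_DEPOSIT", 123.99),
    Transfer("tx07", "0xLAYER2_A", "0xLAYER3_B", 109000.0),
]
# Known exchange deposit addresses (constructed label for this example).
EXCHANGE_LABELS = {"0xEXCHANGE_DEPOSIT": "60cek (constructed label)"}

def total_out(transfers, address):
    """Total ETH sent out by an address (the 'most funds moved out' check)."""
    return sum(t.value_eth for t in transfers if t.sender == address)

def trace(transfers, seed, min_value=0.0, max_depth=10):
    """Breadth-first walk of outgoing transfers from `seed`.
    Returns (layers, hits): `layers` maps each address reached to the layer at
    which it first received funds; `hits` lists (layer, tx_hash, exchange) for
    transfers landing on a labelled exchange address. Transfers below
    `min_value` are skipped: a high threshold gives the large-amount diagram."""
    layers, hits, queue = {seed: 0}, [], deque([seed])
    while queue:
        addr = queue.popleft()
        depth = layers[addr]
        if depth >= max_depth:
            continue
        for t in (t for t in transfers if t.sender == addr):
            if t.value_eth < min_value:
                continue
            if t.receiver in EXCHANGE_LABELS:
                hits.append((depth + 1, t.tx_hash, EXCHANGE_LABELS[t.receiver]))
            if t.receiver not in layers:  # visit each address once (no cycles)
                layers[t.receiver] = depth + 1
                queue.append(t.receiver)
    return layers, hits
```

Running `trace` with a high `min_value` reproduces the large-transfer diagram of section 1; running it with the default threshold also follows the small peel-off amounts and reports the layer at which they reach a known exchange address.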
2. Calling the exchange's deposit interface
This way of getting funds into an exchange is not commonly used, but the possibility cannot be ruled out. Let's take Upbit as an example to briefly understand this mode of operation.
First, create a smart contract such as 0x9d5b674163336c0945c28990a4ff364541282777;
Second, call the exchange's deposit API from within the contract;
Third, call the smart contract to transfer funds into the exchange.
The specific implementation requires developer code and is not covered in detail in this article.
3. Calling a smart contract to disperse funds
3. Analyze the deposit/withdrawal addresses of exchanges
First of all, we need to understand what an exchange deposit/withdrawal address is.
An exchange deposit address is the wallet address an individual uses to deposit funds into the exchange. Because exchanges perform KYC verification, if funds enter an exchange through a personal deposit address, the exchange's KYC records can identify the specific user. A withdrawal address is the address to which an individual withdraws coins from the exchange.
Taking the Upbit incident as an example, the hacker's address transferred a small amount of 19.6 ETH to Binance after 9 layers of transfers.
We can query the details of this transaction in the Tokenview block explorer:
Hash: 0xd16223c470823219c73e7e357826fed73bc6514d03328039f877c4ba8cdc623d
4. Continuous monitoring of addresses
Generally speaking, hackers do not move stolen funds into exchanges in the short term. From the theft to the final sell-off, the whole process may last half a year or even longer, which makes monitoring considerably harder. If you can subscribe to the balance changes of an address and receive the relevant information immediately, monitoring becomes much easier. Here we introduce the [Address Monitoring] function developed by Tokenview.
Open WeChat, search for and follow the Tokenview Blockchain Explorer account, click Data Monitoring in the menu bar, then click Address Monitoring, enter the address to be monitored on the following page and select a threshold. Once monitoring is set up, whenever the address's balance change falls within the monitored range, the official account sends a balance-change notification.
With this tool we can obtain the balance changes of any address, not only on Ethereum but also Bitcoin and USDT on the Omni chain.
Of course, address tracing methods are not limited to the points above, and hackers capable of breaching an exchange will inevitably use various anti-tracing methods in response, including cashing out through decentralized exchanges and using coin mixers/tumblers and other technical means to hinder tracing. Behind the ever-changing addresses lie the regulatory problems of the blockchain itself.
How to manage a blockchain network reasonably and effectively while guaranteeing users' rights and privacy; whether to reserve super-permissions in some scenarios to deal with hackers or similar incidents; how to balance the "impossible triangle"? These are issues the industry needs to address.