$308 million Bitcoin.DMM.com hack: laundering stolen funds
On May 31, 2024, 4502.9 BTC (worth approximately $308M) were stolen from the Japanese exchange Bitcoin.DMM.com in a hack.
The cybersecurity agency Match Systems analyzed the current situation of the case.
The following was determined:
1. To launder the stolen funds, the hacker mostly uses the cryptocurrency mixer JoinMarket. At the moment, more than 2500 BTC have been sent to JoinMarket-related addresses. The remaining funds (2000 BTC) are held on the hacker's 4 initial addresses:
bc1q2tu4dxyvnaquar96mj99yqjanfzgg3fv4gzytd
bc1qr4vnu4f4tl3gwfxt6a5hgt6vuusgsd0j2cnz74
bc1qrtltlc7zjzj3knde2tqjt7tl2p5l2keh4l2uka
bc1qx6jpnnfjrfcx9ehhdmj7qqyzpyd8pek00trrq7
2. Using software analysis of characteristics and patterns before and after the JoinMarket mixer, taking into account transaction volumes and dates/times, as well as other specialized methods, the Match Systems team managed to identify the first possible large withdrawal from the mixer, 222.8 BTC (worth $12.8 million), to the address:
bc1qjws6r0r8zhy7dm329l0wnfpn2fra68pltfkrtz
It was also determined that a significant part of the stolen funds, totaling over 37.2 million US dollars, could have been withdrawn after the JoinMarket mixer through the Avalanche bridge, THORChain, Threshold and the SWFT.pro service to several deposit addresses of the HuionePay processing service.
Detailed information about this is also provided by the well-known investigator ZachXBT on his X (formerly Twitter) channel.
Some of the funds on the above deposit addresses could have been obtained from other major hacks.
Interestingly, one of HuionePay's operational addresses was blocked at the Tether Limited smart contract level on July 13, 2024 - TNVaKWQzau7xL9bcnvLmF9KSEQkWEs4Ug8 (the current balance on this address is over 29.6 million USDT).
3. It should be noted that a full money laundering cycle (taking into account the total amount of funds stolen) can take from several months to a year. Match Systems will continue to monitor the movement of stolen funds.