Bitcoin Whale 4064 BTC Fortune Captured

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Different Services Used In Laundering

A bitcoin whale who was likely involved with Genesis Trading, and who had previously promoted an anonymous donation group on memo.sv, saw their entire fortune of 4064.37689539 BTC wiped out. The funds were quickly distributed across a wide range of protocols including ThorChain, eXch, KuCoin, ChangeNOW, RAILGUN, and Avalanche Bridge. RAILGUN stated that the thieves had gained no privacy through its protocol: the deposited tokens failed to generate a Private Proof of Innocence (POI) proof, so they never joined the privacy set and were unshielded back to the sending address. Some $505k was recovered from swaps attempted through Firn Protocol and NonKYC.io. Firn Protocol shut down its service after this incident, citing the risk. Efforts to recover the remaining funds continue.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32]

About the Bitcoin Whale

"It appears that some of the source funds may be related to Genesis Global Trading."

"Notably, the wallet had received 642.4 BTC, worth approximately $37.73 million, from the Genesis Trading Bankruptcy Distributions wallet just two weeks before the breach, while another 2,173 BTC, valued at $127.6 million, had been transferred from Genesis Trading two years earlier."

The whale had also made transactions promoting the memo.sv topic hmwyda, which stands for "How much would you donate anonymously?" and features hundreds of users asking for bitcoin donations for various causes, some of which have been funded.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"According to on-chain investigator ZachXBT, a suspicious transfer was made from a potential victim for 4064 BTC ($238M)."

Key Event Timeline - Bitcoin Whale 4064 BTC Fortune Captured
Date | Event | Description
August 18th, 2024 9:57:29 AM MDT | Theft Blockchain Transaction | The theft transaction is accepted by the bitcoin blockchain.
August 19th, 2024 5:46:00 AM MDT | ZachXBT Tweet Posted | ZachXBT posts on Twitter about the suspicious transfer.
August 19th, 2024 7:21:00 AM MDT | RAILGUN No Privacy | RAILGUN notes that the tokens sent through its protocol gained no privacy: they could not complete a Private Proof of Innocence (POI) proof, so they never joined the privacy set and were unshielded back to the sending address.
August 19th, 2024 2:31:00 PM MDT | Funds To Kraken Speculation | A tweet suggests that some of the funds may have been sent to Kraken.
August 19th, 2024 4:00:00 PM MDT | ZachXBT No Details Shared | ZachXBT notes it is not his place to share details about the victim.
August 26th, 2024 9:25:00 PM MDT | Return of $205k Firn Protocol | ZachXBT announces that 80 ETH (about $205k) deposited through Firn Protocol has been returned to the victim.
September 3rd, 2024 4:28:00 AM MDT | Return of $300k NonKYC.io | NonKYC.io announces it has assisted with the return of $300k worth of the stolen funds, which the thieves had attempted to swap through its platform.

Technical Details

"While the exact method of the hack remains unclear, experts believe the attackers may have used a combination of phishing, social engineering, and exploiting vulnerabilities in wallet security."

Total Amount Lost

$238,000,000 (4064.37689539 BTC at $58,483.96 per BTC: 4064.37689539 BTC x $58,483.96 = $237,700,855.77)

The total amount lost has been estimated at $237,701,000 USD.

Immediate Reactions

"According to on-chain investigator ZachXBT, a suspicious transfer was made from a potential victim for 4064 BTC ($238M). The funds were quickly moved to ThorChain, eXch, Kucoin, ChangeNow, Railgun, and Avalanche Bridge. As of August 27th, $505,000 has been recovered."

Ultimate Outcome

"After the initial theft, the 4,064 BTC was quickly divided into smaller amounts and transferred across various platforms. This complex series of transactions was designed to make it difficult to trace the funds back to their original source."

"However, when the hackers attempted to use RAILGUN to shield the funds, the effort failed. The stolen Bitcoin did not meet the criteria for privacy within RAILGUN, leading to its unshielding and return, which left the stolen assets exposed rather than protected by the intended privacy protocols."

"Whilst RAILGUN is permissionless and anyone can send tokens in, any tokens that fail to generate a Private POI proof CANNOT enter the privacy set. In this case, the tokens @zachxbt mentioned were unshielded back to the original address and gained no privacy."
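The splitting of the stolen balance and the POI gate described in the quotes above, as an added example that is not part of the original page and is not RAILGUN's own code: a toy Python model in which shielding is permissionless, but a deposit whose provenance traces back to a blocklisted transaction cannot join the privacy set and is unshielded back to the depositing address. RAILGUN's real Private POI uses zero-knowledge proofs against lists maintained by list providers; the model here replaces that with a plain ancestry walk over a constructed transaction graph (every txid, address and amount below is invented for the example). The same ancestry walk is the basic operation an investigator performs when following funds that have been split into smaller outputs and hopped across several addresses.

```python
"""Toy taint tracing with a Proof-of-Innocence style admission gate.

Added example for this case study. Not RAILGUN's implementation: the real
Private POI is a zero-knowledge proof against provider-maintained lists.
This model only reproduces the observable behaviour described on the page
(permissionless shield, tainted deposit unshielded back to sender).
All transaction IDs, addresses and amounts are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One transaction in the toy ledger."""
    txid: str
    inputs: tuple    # txids whose outputs this tx spends; () for fresh coins
    outputs: tuple   # (address, amount) pairs


def build_graph(txs):
    """Index transactions by txid so each hop of the ancestry walk is O(1)."""
    return {tx.txid: tx for tx in txs}


def ancestors(graph, txid):
    """Walk spent inputs backwards (BFS) and return every ancestor txid.

    Splitting a balance into many outputs or passing it through extra hops
    adds nodes to this walk but does not break it: every descendant output
    still has the original transaction somewhere in its ancestry.
    """
    seen = set()
    queue = deque([txid])
    while queue:
        for parent in graph[queue.popleft()].inputs:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def is_tainted(graph, txid, blocklist):
    """Tainted if the tx itself, or anything it descends from, is blocklisted."""
    return txid in blocklist or not blocklist.isdisjoint(ancestors(graph, txid))


class ToyShieldPool:
    """Minimal stand-in for a shielded pool with a POI-style gate.

    shield() is permissionless, but a deposit only joins the privacy set when
    its provenance is clean. Anything else is recorded as returned to the
    depositing address instead of being mixed with honest deposits.
    """

    def __init__(self, graph, blocklist):
        self.graph = graph
        self.blocklist = set(blocklist)
        self.privacy_set = []   # (txid, address, amount) admitted to the pool
        self.returned = []      # (txid, address, amount) unshielded back

    def shield(self, txid, address, amount):
        if is_tainted(self.graph, txid, self.blocklist):
            self.returned.append((txid, address, amount))
            return "unshielded"
        self.privacy_set.append((txid, address, amount))
        return "shielded"


def demo():
    """Constructed ledger: a flagged theft, split and hopped, plus a clean deposit."""
    txs = [
        Tx("coinbase_a", (), (("victim", 100.0),)),
        Tx("theft", ("coinbase_a",), (("thief1", 60.0), ("thief2", 40.0))),
        Tx("split", ("theft",), (("thief3", 30.0), ("thief4", 30.0))),
        Tx("hop", ("split",), (("bridge_in", 30.0),)),
        Tx("coinbase_b", (), (("honest", 5.0),)),
        Tx("clean", ("coinbase_b",), (("honest_pool_in", 5.0),)),
    ]
    pool = ToyShieldPool(build_graph(txs), blocklist={"theft"})
    results = {
        "hop": pool.shield("hop", "bridge_in", 30.0),
        "clean": pool.shield("clean", "honest_pool_in", 5.0),
    }
    return pool, results


if __name__ == "__main__":
    pool, results = demo()
    print(results)
    print("privacy set:", pool.privacy_set)
    print("returned:", pool.returned)
```

Running the demo shows the "hop" deposit, two splits removed from the flagged theft, rejected and recorded as returned, while the unrelated "clean" deposit joins the privacy set. The binary any-ancestor rule is the conservative choice a gate like this wants; investigators tracing partial amounts through mixed inputs use amount-weighted rules instead, which this toy does not attempt.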

"The transaction map further illustrates the movement of a portion of the stolen Bitcoin through the Avalanche Bridge, which likely facilitated cross-chain transfers. This step added another layer of complexity to the hackers’ efforts to obscure the trail.

In addition to using these platforms, the hackers employed mixing services to further complicate the traceability of the funds, effectively combining multiple transactions to mask the origins and destinations of the Bitcoin."

"Per the detailed fund map Xian shared, 3,163.59 BTC originated from three wallets linked to Genesis Global trading. These funds were moved in three transfers of 50 BTC, 1,000 BTC, and 2,113.59 BTC."

"When asked whether the Lazarus Group was responsible for the incident, ZachXBT said “Not this time,” noting that the funds’ movement was “a bit different.”"

Total Amount Recovered

The total amount recovered has been estimated at $505,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

Efforts to recover the funds continue.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (Accessed Sep 4, 2024)
  2. @zachxbt Twitter (Accessed Sep 4, 2024)
  3. Transaction: 4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090 | Blockchain.com (Accessed Sep 4, 2024)
  4. @firnprotocol Twitter (Accessed Sep 4, 2024)
  5. @nonkyc_exchange Twitter (Accessed Sep 4, 2024)
  6. NonKYC Cryptocurrency Exchange (Accessed Sep 4, 2024)
  7. @zachxbt Twitter (Accessed Sep 4, 2024)
  8. @RAILGUN_Project Twitter (Accessed Sep 4, 2024)
  9. @_ntaff Twitter (Accessed Sep 4, 2024)
  10. @anytwocardzz Twitter (Accessed Sep 4, 2024)
  11. Address 1PaYoyzF4G2BasXkA6trg3URgMAZv51BM7 - Bitcoin(BTC) - Professional Data Service for Global Blockchain Enthusiasts (Accessed Sep 4, 2024)
  12. Memo - Topic - hmwyda (Accessed Sep 4, 2024)
  13. RAILGUN - On-chain ZK Privacy Ecosystem (Accessed Sep 4, 2024)
  14. @firnprotocol Twitter (Accessed Sep 4, 2024)
  15. @RAILGUN_Project Twitter (Accessed Sep 4, 2024)
  16. Overview | Wiki (Accessed Sep 4, 2024)
  17. @SearchDecoder Twitter (Accessed Sep 4, 2024)
  18. @TobyFrei4 Twitter (Accessed Sep 4, 2024)
  19. @Eemalir Twitter (Accessed Sep 4, 2024)
  20. @dazai_0x Twitter (Accessed Sep 4, 2024)
  21. @0xDesigner Twitter (Accessed Sep 4, 2024)
  22. @HollanderAdam Twitter (Accessed Sep 4, 2024)
  23. @WazzCrypto Twitter (Accessed Sep 4, 2024)
  24. @evilcos Twitter (Accessed Sep 4, 2024)
  25. @OGLemur Twitter (Accessed Sep 4, 2024)
  26. @Loopifyyy Twitter (Accessed Sep 4, 2024)
  27. @Duncan30414908 Twitter (Accessed Sep 4, 2024)
  28. Bitcoin stolen in $238 million breach fails to get privacy shield, returned to original address (Accessed Sep 4, 2024)
  29. Hacked Bitcoin whale may have lost $238m: ZachXBT (Accessed Sep 4, 2024)
  30. https://dailycoin.com/zachxbt-flags-238m-bitcoin-transfer-from-a-potential-victim/ (Accessed Sep 4, 2024)
  31. MistTrack Investigation (Accessed Sep 4, 2024)
  32. Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (Accessed May 16, 2021)