His nostrils were permanently flared, as though he sniffed invisible winds of art and commerce. William Gibson, "Count Zero"
In this article I will show:
How, using the basics of financial investigation and OSINT, we can prove the affiliation of cryptocurrency addresses
How by analyzing the transactions of two or more ETH addresses, we can aggregate them into a cluster (i.e. multiple addresses controlled by the same entity)
How the attacker's economic activity dataset changes once the addresses are clustered together
Let's get started!
The most popular onchain detective ZachXBT once posted the following tweet
For those unfamiliar with English, let me explain. Using a phishing site, a hacker gained access to the victim's address and stole 3 ERC-721 tokens (NFT). Immediately after the theft (i.e. after sending the tokens from the victim's address to his address, 0x864875aef79B107221bEE89C8ff393BD2B666d96) the hacker sold the NFT on the marketplace Opensea.io. The criminal profits were then laundered through the Tornado.Cash mixer.
While our hands are itching to get the target address into https://etherscan.io sooner rather than later, we'll stop on the shore and turn to the theory. The criminal first stole and then sold tokens that use the Ethereum blockchain infrastructure.
In order to operate the tokens, you need some amount of cryptocurrency to pay transaction fees. In our case it is the Ethereum blockchain, which means you need some ETH to send tokens or sell them.
Let's try to find out where the hacker's address 0x8648... ETH he needed to pay commissions came from.
This line of enquiry is called a source search
Open Etherscan, insert the address, see the first transactions. They will be right at the bottom of the page.
And here are the ones we need: 1, 2. The sender of the funds in the transaction table is always shown on the left of the IN (incoming transaction) or OUT (outgoing transaction) bar
So, we have identified the source of the funds, which is address 0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6. What can we extract from this information?
In our case, the first address of the hacker, 0x8648... (aka Fake_Phishing5435 in the picture above) never received any funds before the transactions we detected. So address 0xa474... is the sponsor address (or funding address) with respect to the hacker address, or 0x8648..., or Fake_Phishing5435.
Most often the sponsor address is affiliated with a target address. The owner of the sponsor address could be, for example, some customer who has paid for services with crypto. Or, for example, the sponsor address is operated by a cryptocurrency exchange whose services are used by the owner of the target address.
But even more often, both the target address and the sponsor address have the same owner. Let's analyze the transactions of the sponsor address and try to figure out which option would be correct in our case.
The most interesting direction in the case of the sponsoring address is to try to detect suspicious transactions (such as the theft of NFT). To do this, open the address in Etherscan.io and go to "ERC-721 token Txns", which is the section responsible for NFT transfers.
We see four transactions, two incoming, two outgoing. The first NFT, Mutant Ape Yacht Club (MAYC), was sold half an hour after receipt. The second, Azuki, 9 (!) minutes later. Seems suspicious to me!
But how do we prove that these transactions are not a normal sale, but a real theft? By the consequences!
In order to sell MAYC, you have to contact the Opensea marketplace's smart contracts. When you interact with them, the marketplace will automatically generate a profile for you, accessible via a link like "https://opensea.io/ETH_Address".
I should also add that Opensea.io actively cooperates with law enforcers and also actively assists victims. In case of hacking, the stolen tokens are blocked and the hacker's account is banned, making his profile inaccessible.
Let's try to open the profile of address 0xa474... and examine the transaction history. To do so, go to https://opensea.io/0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6.
oops! the address was banned....... We now know two facts about the sponsor address: it transferred money to the hacker's address, which was then used as a commission, and also made questionable transactions with NFT, for which it was banned from Opensea.io.
The target address also made questionable transactions with NFT and was banned from Opensea.io.
Now let's find out where the criminally obtained coins were sent to. To do this, let's examine the transactions in chronological order and try to find the incoming transactions immediately after the sale of (possibly) stolen NFTs. In this way, we will determine the amount of criminally acquired funds.
The transactions we are looking for are found in the Internal Txns section:
The hacker received a total of 23.8 ETH. To do this, let's examine the transactions in chronological form and try to find the incoming transactions immediately after the sale of (possibly) stolen NFTs. Who else sent the stolen coins to address 0x945b...? Target address!
Withdrawal transactions of stolen funds highlighted in yellow
Let's find out what address 0x945b was used for... To do that, we again study the transactions in chronological order, we are interested in all incoming and outgoing transactions after the address received the stolen funds.
Target email address (13 ETH) was the first one to receive the stolen funds. Next, address 0x945b accumulated presumably stolen funds from several other addresses, including the target address. The money was then, as ZachXBT wrote, withdrawn to the Tornado.Cash mixer
The money sent to the mixer was grouped into two payments of 100 ETH, of which 125 ETH originally belonged to the target address, 13 ETH to the sponsoring address, and the remaining 62 ETH to other addresses.
It turns out that either the hacker owns all five addresses and uses 0x945b as an intermediate point before money laundering, or the owner of 0x945b is a separate criminal (money launderer) whose services are used by several criminals at the same time.
Let's briefly examine the other hacker addresses: as you can see from the graph, they too have interacted with NFT on Opensea. Let's use the old vetting method and... one of the addresses is in a ban on Opensea! The second address is not in the ban, but appears in the ZachXBT investigation. Here you can see the names and faces of our heroes, the dangerous cybercriminals.
Mathys and Camille together
Well here comes our friends Mathys and Camille from romantic France shitting themselves hard by posting a screenshot of one of their profiles on Opensea with previously stolen NFTs on their personal Twitter. This profile appears in our investigation, on the graph is address 0x5bb51...
Admittedly, I even got a little upset at this stage. How is it, we've only just started and they've already found everyone for us!
But I decided not to dwell on Mathis and Kamila and go a bit further and try to add new factors to my investigation.
Back to the sponsor address. The sponsor address, like most addresses on the Ethereum network, has its own sponsor address (pardon the recursion). Let's find it!
This time the sponsor address is signed in the block browser as Fake_Phsihing5099. Comments about the affiliation of all the addresses appearing in the investigation seem to me to be redundant with:
Having discovered the new sponsor address I decided to go towards the final destination of the funds and figure out exactly where Fake_phishing5099 was sending the dirty money.
After looking through all the transactions, I found an interesting address 0x27429f480a3E2a69D7E4D738EBc54AeB4096eb43.
The owner of this address, according to a thread on epicnpc.com, is spamming in Discord (Discord is where many of the victims received the phishing links).
Diwan Nuri (judging by the content of the thread, that's the name of the address owner) was so far-sighted and wise that he registered the forum account with his personal email.
This wasn't enough, so he decided to screw one of his potential clients by sending them his ETH address in addition to the email.
According to the record we found, Diwan graduated from German Aletta-Haniel-Gesamtschule and now earns his living by spamming and scamming.
So, after studying 6 cryptocurrency addresses and their transactions, we found out that:
5-6 of the addresses in question were communicating with NFT.
4 six analyzed addresses were involved in illegal activity and got banned at Opensea
4 six investigated addresses were "skimming" for the withdrawal of funds to the Tornado.Cash mixer
2/six of the addresses have been implicated in existing investigations
6 addresses have close economic ties
The couch is not as simple as it looks!
In my opinion, the discovered facts are enough to merge the addresses into a cluster. Which addresses do we merge:
Target address 0x864875aef79B107221bEE89C8ff393BD2B66d96
Target Address 0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6
Hackers' complementary address #1 0x38dB16DA44A61560e04E94DCb71c3E64Aa94d318
Hackers secondary address #2 0x5bb5180D8b84d754F56e2BC47Dc742d0f5Ac37FE
The laundering address 0x945b4a77649Ebe89eABAf03F78A0C8993f99bd41
What can we learn after clustering the addresses together?
First, our 'friends made about $1.7M on such a scam. One million was sent to the Tornado.Cash mixer.