Date:: March 25th, 2019
Amount Stolen: $105,000,000
Initially, after huge outgoing transactions from CoinBene’s hot wallet to an unknown wallet in March 2019, the platform said it was undergoing maintenance. However, with every one of the platform’s ERC-20 tokens reportedly moving into an unknown wallet (which didn’t exist until the day of the transfer), rumors quickly circulated that this was an attack. Data scientists also found that the tokens were promptly moved to Etherdelta where they were sold for ethereum (ETH). This amounted to $105M at the time.
Crypto exchange, CoinBene, was reported to be hacked, although the exchange denied it. Leveraging the home-grown digital asset tracking and recovery (DATAR) system, our research found several key patterns matching the ones in exchange hacking events, such as, particular event sequence, large number of asset types, and very high value tokens were moved from CoinBene to other competing exchanges in a short period of time.
Back in March 2019, the CoinBene cryptocurrency exchange denied that it suffered a hack but claimed to be undergoing maintenance, despite losing 109 ERC-20 tokens worth about $105 million. Crypptocurrency expert Nick Schteringard said on Twitter yesterday, that the hacker appears to have stolen roughly $6 million in Coinbene Coin and $39 million in Maximine Coin, which it later dumped on the market
-
The funds seized from Coinbene on March 25 were 107 types of cryptocurrencies, total KRW 5.8 billion.
-
A day after, the hacked funds were withdrawn from hackers’ wallets to Huobi and Etherdelta wallets starting March 26.
-
Among them, the Ethers were withdrawn from the wallet where the token was deposited with EtherDelta and gathered into 0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe. The total amount was 10,817 ETH.
-
Since then, Ether has been sent to 0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe and sent to 0x1cab134c69a361d880a33eb98237b5557ad4cd2 on September 20, and after that, a total of 26 transactions have flowed into Yobit through approximately 6,800 ETH. The remaining 4,000 ETH was sent back to the wallet 0x43b69c2927e53f8cccdcb2bbb73bf637215405c7.
-
Later, in November, hacker transferred some of the laundry funds to Yobit, remitted the remaining funds to another account, and then slowly flowed the funds into Yobit on over several times.
-
Finally, the funds that have not yet flowed into the exchange are around 3,030 ETH, which was sent to the wallet on November 17th at 0x698a98afbca7423b413b5f0f7efabbb08a773767 and is still kept in there.
-
In addition, on November 16, about 55 ETH flowed from the hacker’s account to the Binance. After 28 minutes, there was a record of withdrawal of approximately 53 ETH from Binance’s wallet to one of the money laundering accounts, 0x8d419c8b98885a899844dc74f0213431a620be2c, possibly withdrawing the funds back.
-
Therefore, each exchange should take action as soon as possible, including registration the wallet addresses below as blacklist.
- 0xb3df999c5dc026dea265aeb02b8519844c9b6d5e
- 0xfe51c743cc2bd9546b4fdfba6478c229229c5ad0
- 0xdbe9dfaf4a94da4cdc9da677048c2d5ae6cd401a
- 0x6709b9bba3eafdb5dd7d3d0cc3a1d5178a77bacf
- 0x2521b8f714bf17baf3d7462ed86544c8592638b5
- 0xe83031ff3ff1f8b6e12fb80566a489ffc93392af
- 0x8c67d5ad5b9f28bc6cb31c81afc4fcf5cbb9609c
- 0x8c3d690ed8289358b837366250ea4aea80f9e129
- 0x82e047410fc84f904261a993333209f01dc952ba
- 0xa95527fb3a5473adf67c5ffbd514191d504cf76c
- 0x8d797502dd801b7ebddbe9180d29ba7fc9607012
- 0x45f951ae837823ab4fcac62391418bce4bcdc16b
- 0x42aaba73a577a1a3a2bde883b77ad4b972e6852d
Wallet address related to Etherdelta
- 0x6ec8572dac56c5a400cf2a94eb629b3eae029550
- 0xc7124291ddbef24f800e90b8476e03284ad18757
- 0x8173e3d5bb53a9e869307e0e19b6a4b4927bfb1b
- 0xba351e7f0c630b3baa30a0ff38f6f4a333ef2133
- 0x3d2b314516a614c821e586fb0ea4e645c66ede4e
Wallet address related to Huobi
- 0x712ae2390e296311d69fcd143a2ad2117a7ca997
Wallet address related to Binance
- 0xd9ee699014aefd7084033255af0cab02367c5b70
Wallet address needed constant monitoring
- 0x698a98afbca7423b413b5f0f7efabbb08a773767
The wallet address took part in this money laundering process
- 0x652fcc141c14fb95e3160b49e94dd868b6d2cd9e
- 0x84b60e8265d1a7c51592cd017e830357f644c7df
- 0x1be8ff95af0a819a7cb2494739b9903145c46d31
- 0x9664c954933bebbe320a24221b75d1efce058020
- 0x1f67836a991cd319db778b80806071eb05b42b4b
- 0x257dab66a7afe1a694676838695c7af644728b56
- 0x1c0f883fc1fb85bb10655f1a63d947fca49a46d1
- 0x9f2da349b5cfba583f70d2e03c60397bc92f49b9
- 0x8d419c8b98885a899844dc74f0213431a620be2c
- 0xe0071cbf23231b60c43051407a6029a37ba946f5
- 0xd59688b87e56621696f5bc994e91f027883c60f8
- 0x4fa909ccde53d08bdeaef158a1726d4d16d42110
- 0x17989484435e3ec07a0364189f6095d13f05b3f4
- 0x43b69c2927e53f8cccdcb2bbb73bf637215405c7
- 0x1cab134c69a361d880a33eb98237b5557ad4cd26
- 0x6bbd2c904161f0d09f27a5abe42ce47997e0e2fe
- 0x5af89ddde021869679530dc77ceb5cdb72f7d5e0
- 0xff74e337fd08960843d94e08771cc1d2cda2ecb1
- 0xee278bea06d3be84f69ae2dd15a77fbdcb27bd86
- 0x8db0620362b5a83ff77734831ded9f2d25f949f3
- 0xd1917932a7db6af687b523d5db5d7f5c2734763f
- 0xeefe879ca85b53ae6f48ba5f0bf4a74a841d83d1
- 0xcc1966c28d2bd35a99aa6b674937c33af2608fdc
- https://zdnet.com/article/cryptocurrency-platforms-dragonex-and-coinbene-disclose-hacks/
- https://www.quadrigainitiative.com/casestudy/coinbenehackcoverup.php
- https://peckshield.medium.com/coinbene-incident-investigation-report-6d4a3ed3b715
- https://www.web3rekt.com/hacksandscams/coinbene-638
- https://cryptoxdirectory.com/coinbene
- https://www.coinbene.com
- https://cointelegraph.com/news/over-100-million-missing-coinbene-claims-maintenance-a-month-of-questions-point-toward-a-hack