Date:: July 1st, 2019
Amount Stolen:: $272k in PTT, PlayGame, IHT Real Estate Protocol
Attribution:: US v. 280 Virtual Currency Accounts
Tags:: CEX Hack, Singapore
CoinTiger's cold wallet was compromised and roughly 400 million PTT (Proton Chain) disappeared. According to the exchange's announcement, the cold wallet holding PTT was found to have been hacked during a routine cold-wallet verification, resulting in the theft of 401,981,748 PTT from the wallet.
The hacker allegedly stole over $272,000 in cryptocurrency and tokens: Proton Token (PTT), PlayGame (PXG), and IHT Real Estate Protocol (IHT) tokens.
"Cold wallet stolen from the CoinTiger exchange; 400 million PTT in the wallet disappeared." "On August 17, the CoinTiger exchange suddenly released an announcement. According to the announcement, they recently found that the cold wallet storing PTT was hacked during the regular cold wallet verification check, resulting in the theft of 401,981,748 PTT from the wallet."
According to the hacker address provided by the CoinTiger exchange, the 400 million PTT had been taken as early as July 1. Only after more than 47 days did CoinTiger officially disclose the matter to the project team and users.
The theft from CoinTiger's cold wallet, with roughly 400 million PTT (Proton Chain) missing, caused investors heavy losses. After the incident the exchange and the project team issued several rounds of announcements that amounted to a public confrontation, but CoinTiger did not put forward a viable compensation plan. Instead, it closed PTT withdrawals (the deposit channel remained open).
On August 21, the Proton Chain (PTT) official website issued a risk warning about the CoinTiger exchange in connection with the theft, strongly reminding PTT holders and supporters that any PTT deposits or trades on CoinTiger are extremely risky.
At the same time, CoinTiger asked the project team directly to upgrade the contract and issue a new token, then map the 260 million PTT that had been frozen to the new token, stating: "Our request for a return is not to make the project party pay for our mistake, but to ask that [the coins] be 'returned to the original owner'."
Transfers from the CoinTiger wallet 0x60d61a180404d86b8d2747c2e5c0099415fec65c went to two hacker addresses:
0x52cbb6be7ad204904486f89e264029c94525966d
0xeda8b016efa8b1161208cf041cd86972eee0f31e
The HitBTC account owning the two addresses was opened on or about July 1, 2019 at 02:24, mere hours before the theft from CoinTiger.
The account was registered with TargetEmail1.
TargetActor1 provided a photo of the biographical page of a Russian Federation passport. TargetActor1 gave the same name to the provider of TargetEmail1, but claimed to be from Canada.
All deposit activity for TargetActor1’s account at HitBTC occurred on or about July 1st, 2019, the same day as the theft from CoinTiger, and is as follows:
As stated previously, the PXG and IHT deposits came directly from the theft at CoinTiger.
9,064,558.36 Olive (“OLE”) were sent to hacker address 0xac186f896de706c4946c88a9ca7dd0147db8ae50 and then deposited at Exchange5. There they were converted into USDT and, at approximately 10:29 and 18:10, sent to the HitBTC account:
TargetActor1 received USDT-Deposit2 and USDT-Deposit7 in another address (“DefendantProperty4”) held within TargetActor1’s account at HitBTC.
The timing of the deposits and TargetActor1’s modus operandi of converting cryptocurrencies, as further described below, suggest that TargetActor1 converted at least portions of the stolen OLE into USDT before depositing the funds into HitBTC.
Other tokens: YEE, SOC, SNT, CTXC. The stolen 4,342,294.43 YEE, 171,145.04 All Sports Coin (SOC), 71,237.03 Status Network Token (SNT) and 23,300.29 Cortex (CTXC) were sent to intermediary address 0x1016b7835d409692e02ed2035e053fbfb4602982 (DefendantProperty5) and then deposited into Exchange 6 (Huobi).
They were then traded for USDT, and TargetActor1’s account at HitBTC received Deposit4 from Exchange 6 (Huobi) in the form of USDT (“DefendantProperty4”).
Based on the timing and his modus operandi, this transaction was again consistent with TargetActor1 converting the cryptocurrency.
1,963.28 REP were sent to 0x2DBC0f6B71e341C7Eca01c5287Eb57AF3038A9c5 and ultimately reached cluster 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc:
0x2DBC0f6B71e341C7Eca01c5287Eb57AF3038A9c5 also received approximately 41,702 USDT from an account at KuCoin via 14 transactions between August 12th, 2019 and August 14, 2019.
The originating account at KuCoin was opened on or about July 2, 2019 and was registered with TargetEmail1 and no other identifiable information.
The USDT at 0x2DBC0f6B71e341C7Eca01c5287Eb57AF3038A9c5 was sent to HitBTC, converted to BTC, and withdrawn to cluster 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc.
The stolen REP at 0x2DBC0f6B71e341C7Eca01c5287Eb57AF3038A9c5 was then sent to Exchange 9 (Binance), converted to BTC, and also withdrawn to cluster 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc.
TargetActor1 then used his HitBTC account to convert the various forms of stolen virtual currency he had received into BTC.
TargetActor1 withdrew approximately 0.46306721 BTC from HitBTC via three transactions.
TargetActor1 sent the BTC successfully withdrawn from his HitBTC account to a cluster including the bitcoin address beginning with 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc (“DefendantProperty8”) and approximately 14 additional BTC addresses (“DefendantProperty9” through “DefendantProperty22”).
TargetActor1 then attempted to withdraw an additional approximately 9.53868454 BTC from HitBTC, but HitBTC blocked this transaction.
BTC cluster 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc received approximately 80.86041444 BTC via 119 transactions between
DefendantProperty8 also received approximately 15 BTC from accounts at CoinTiger, Biki, and Huobi.
BTC from cluster 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc, containing DefendantProperty8 through DefendantProperty22, was sent primarily to three intermediary BTC clusters and then to 1DXbMUZwLea1jiYay1CaCNvYwR3chmVfvf
1DXbMUZwLea1jiYay1CaCNvYwR3chmVfvf (DefendantProperty23) sent approximately 441.791834 BTC to approximately 14 different accounts at Exchange 6 (Huobi).
Many of these accounts were known to law enforcement as over-the-counter (“OTC”) virtual currency traders acting as money services businesses that convert virtual currency into fiat currency for a profit.
In so doing, these OTC traders fail to collect the legally required KYC information about their clients and the source of the virtual currency being converted.
Many owners of illicit funds seek out these OTC traders because they are otherwise unable to obtain accounts at law-abiding virtual currency exchanges or risk having their funds frozen, as was the case with TargetActor1’s account at HitBTC.
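The chain reconstructed above (stolen tokens to attacker or intermediary addresses, on to exchange deposit addresses, USDT inside the exchange, BTC out to a withdrawal cluster, and finally OTC accounts at Huobi) is what an investigator rebuilds from raw transfer records. The following is an added example, not part of these case notes or of the complaint, showing that reconstruction in Python: a breadth-first walk from the victim wallet over a constructed ledger that follows each asset along its own path, stops at exchange deposit addresses, totals what each exchange received, and applies the same-day timing filter the complaint relies on. Every label (victim_cold, attacker_a, hitbtc_dep_1, and so on), amount and timestamp in the ledger is made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed on-chain transfer ledger (all labels, amounts and times are
# made up for this example). Each row: (tx_id, from, to, asset, amount, time).
# The shape mirrors the page: victim wallet -> attacker / intermediary
# addresses -> exchange deposit addresses, where on-chain visibility ends.
THEFT_TIME = datetime(2019, 7, 1, 5, 0)  # hypothetical theft timestamp
LEDGER = [
    ("t1", "victim_cold", "attacker_a", "PTT", 400_000_000.0, THEFT_TIME),
    ("t2", "victim_cold", "attacker_b", "PXG", 5_000_000.0, THEFT_TIME),
    ("t3", "victim_cold", "attacker_b", "IHT", 2_000_000.0, THEFT_TIME),
    ("t4", "attacker_b", "hitbtc_dep_1", "PXG", 5_000_000.0, THEFT_TIME + timedelta(hours=3)),
    ("t5", "attacker_b", "hitbtc_dep_1", "IHT", 2_000_000.0, THEFT_TIME + timedelta(hours=3)),
    ("t6", "victim_cold", "attacker_c", "OLE", 9_000_000.0, THEFT_TIME),
    ("t7", "attacker_c", "exchange5_dep", "OLE", 9_000_000.0, THEFT_TIME + timedelta(hours=5)),
    ("t8", "victim_cold", "intermediary_5", "YEE", 4_300_000.0, THEFT_TIME),
    ("t9", "intermediary_5", "huobi_dep", "YEE", 4_300_000.0, THEFT_TIME + timedelta(hours=8)),
    # Noise: a later dust payment by the attacker, and an unrelated user's
    # deposit to the same HitBTC address (exchange deposit addresses are reused).
    ("t10", "attacker_a", "some_merchant", "PTT", 10.0, THEFT_TIME + timedelta(days=30)),
    ("t11", "other_user", "hitbtc_dep_1", "PXG", 100.0, THEFT_TIME + timedelta(days=2)),
]
# Deposit addresses attributed to exchanges (hypothetical labels). Reaching one
# is the point where a records request to the exchange replaces chain analysis.
EXCHANGE_DEPOSITS = {"hitbtc_dep_1": "HitBTC", "exchange5_dep": "Exchange5", "huobi_dep": "Huobi"}


def build_graph(ledger):
    """Index transfers by sender so the walk can look up outgoing edges."""
    graph = defaultdict(list)
    for tx in ledger:
        graph[tx[1]].append(tx)
    return graph


def trace_to_exchanges(ledger, source, exchange_deposits, max_hops=6):
    """Breadth-first walk from `source`. Once an asset is picked up it is
    followed only along transfers of that same asset: a swap into USDT or
    BTC happens inside an exchange, off-chain, so it cannot be followed
    here. The walk stops at an exchange deposit address and records the
    hop path that led there."""
    graph = build_graph(ledger)
    hits, visited = [], set()
    queue = deque([(source, None, [source], 0)])  # (address, asset, path, hops)
    while queue:
        addr, asset, path, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for tx_id, _src, dst, tx_asset, amount, when in graph.get(addr, []):
            if asset is not None and tx_asset != asset:
                continue
            new_path = path + [dst]
            if dst in exchange_deposits:
                hits.append({"tx": tx_id, "exchange": exchange_deposits[dst],
                             "asset": tx_asset, "amount": amount, "time": when,
                             "path": new_path, "hops": hops + 1})
                continue  # do not walk past the exchange: its internal ledger is off-chain
            if (dst, tx_asset) in visited:
                continue
            visited.add((dst, tx_asset))
            queue.append((dst, tx_asset, new_path, hops + 1))
    return hits


def cashout_summary(hits):
    """Total traced amount per exchange and asset: the list of touchpoints
    that records requests go to."""
    totals = defaultdict(lambda: defaultdict(float))
    for h in hits:
        totals[h["exchange"]][h["asset"]] += h["amount"]
    return {ex: dict(per_asset) for ex, per_asset in totals.items()}


def touchpoints_within(hits, theft_time, window=timedelta(hours=24)):
    """Exchange deposits landing within `window` after the theft; the page's
    same-day timing argument is this filter applied to real records."""
    return [h for h in hits if theft_time <= h["time"] <= theft_time + window]


if __name__ == "__main__":
    found = trace_to_exchanges(LEDGER, "victim_cold", EXCHANGE_DEPOSITS)
    for h in found:
        print(h["exchange"], h["asset"], h["amount"], " -> ".join(h["path"]))
    print(cashout_summary(found))
    print(len(touchpoints_within(found, THEFT_TIME)), "deposits within 24h of the theft")
```

The walk deliberately stops at exchange deposit addresses: past that point the funds move on the exchange's internal ledger, and the next step is a records request to the exchange (which is how the HitBTC account details above were obtained), not more chain analysis. The visited set is keyed on (address, asset), so an intermediary that handles several stolen tokens, like DefendantProperty5 above, is walked once per asset. The unrelated deposit t11 never appears in the results because it is not reachable from the victim wallet, which is why tracing runs forward from the theft rather than backward from a deposit address that many customers share.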
From the period of the opening of TargetActor1’s account at HitBTC to October 2019, the account was accessed by IP addresses resolving to VPN providers, in an attempt by the user to conceal his location. The VPN IP addresses have been used by other DPRK cyber actors in related facets of the overall criminal schemes. Specifically, over 50% of the IP addresses used by TargetActor1 at HitBTC matched IP addresses previously utilized by DPRK cyber actors who have been tied to hacks of at least two other cryptocurrency exchanges, including the previously mentioned theft from Upbit, and who subsequently laundered funds through the United States.
Additionally, an IP address utilized to log into TargetActor1’s account at HitBTC matched the IP address utilized by the same DPRK cyber actors to log into a malicious website created by them. The website appears to target owners of cryptocurrency and solicit information from them.
HitBTC received approximately 8.65658 ETH, which was converted to 0.15012721 BTC and sent to the BTC address bc1qxsafg5y5tnt7w343tec8l4mehzwhkkqwzvv5yf (DefendantProperty24).
That address has transacted with cluster 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc, containing DefendantProperty8 through DefendantProperty22.
The source of the 8.65658 ETH was the November 27th, 2019 theft from Upbit, after being layered through multiple ETH addresses.
The request to convert ETH to BTC at HitBTC came from an IP address at a Hong Kong-based Internet service provider (ISP) that has previously received payment via stolen BTC from DPRK cyber actors.
Multiple addresses connected to cluster 1BHnp77MqZGGFaCGQ9J4GhLstPUeBshVcc sent payments to a U.S.-based BTC payment processor to purchase services from the Hong Kong-based ISP.
The account at this U.S.-based BTC payment processor was registered using “TargetEmail2.”
Several months before the hack of CoinTiger, TargetActor1, using TargetEmail1, communicated via email with another individual (“TargetActor2”), who was using TargetEmail2.
According to a website tracking malware submitted by community users, TargetEmail2 was contained within a piece of malware designed to allow an attacker to execute code on a victim computer after the victim opened a word processing document, giving the hacker the ability to gain access to the victim’s computer and/or network.
The file was a Korean word-processor document (Hangul Word Processor, .hwp), a format associated with exploits used by North Korea against cryptocurrency exchanges since at least 2017.