<img src="https://secure.glue1lazy.com/215876.png" style="display:none;">
Analysis of C.R.E.A.M. Finance Hack

Hack Track: Analysis of C.R.E.A.M. Finance Hack

On October 27, 2021, C.R.E.A.M. Finance lending markets were exploited. The attacker stole over $136 million worth of crypto assets from the C.R.E.A.M. v1 lending markets. The majority of the crypto assets stolen are reportedly ERC-20 coins and C.R.E.A.M. Liquidity Protocol tokens. 

Read More
Analysis of the Bilaxy Hack

Hack Track: Analysis of the Bilaxy Hack

On 29 August 2021, Bilaxy, a Seychelles-based centralized crypto exchange, released a statement on Twitter, informing its users that its hot wallets were hacked. Additionally, Bilaxy advised its users to not deposit any funds into Bilaxy accounts until further notice. All the values in this piece are in US Dollars (USD). This news comes shortly after the Liquid Global Official Hack, wherein the attacker, due to a security breach, stole around $91 million in cryptocurrency from Liquid’s warm wallets.

Read More

Hack Track: Analysis of Liquid Global Security Breach

[Update 2021.08.20]

In a follow-up tweet, Liquid stated that it is currently tracing the movement of stolen assets and is working closely with other exchanges to freeze and recover these assets.

Shortly after the tweet, Liquid also published a warm wallet incident report, highlighting the status of Liquid services and analyzing the impact of the hack. All the values in this piece are in US Dollars (USD). According to the report, crypto assets amounting to a total of approximately $91.35 million were moved out of Liquid wallets by an unauthorized party.

Further, out of this amount ERC- 20 assets worth $16.13 million have been frozen for on-chain movement with the help provided by the crypto community and other exchanges. The report also states that sixty-nine different crypto assets were misappropriated and sent to other exchanges or DeFi swapping venues.

An updated list of hacked address from Liquid:

Read More

Hack Track: An Analysis of Poly Network Hack and Latest Related Events

[UPDATE 2021.08.23]

As per the update provided by the Poly Network on 19 August 2021, assets worth approximately $427 million were returned by the hacker. The update further stated that 28,953 ETH and 1,032 WBTC (about $141 million) were still left in the ¾ multi-signature wallet and that Poly Network is waiting for the hacker to provide his private key authorization.

On 23 August 2021, Poly Network released another update announcing that the hacker has publicly shared the private key needed to regain control of the remaining assets through an on-chain message. The announcement stated that Poly Network has successfully retrieved the remaining $141 million and has fully recovered all the user assets that were transferred out during the attack.

This comes after Poly Network promised the hacker a $500,000 bounty for the restoration of user funds, inviting him to become its “chief security advisor.”

Poly Network after verifying the private key provided by the hacker regained control of the $610 million (not including the frozen $33 million USDT) in assets that were affected in this attack. With respect to the recovery of $33 million USDT, Poly Network stated that they have been in close communication with Tether and that “Tether is in the process of confirming the final unfreezing process” with them. Additionally, Poly Network thanked the hacker for his cooperation and stated that they had officially entered the fourth phase of their roadmap “Asset Recovery.” The Poly Network team is in the process of returning full asset control to their users as swiftly as possible.

As per the panelists of Merkle Science’s “Regulating the DeFi Frontier: Where Consumer Protection & Financial Innovation Collide” webinar, the Poly Network hack is a classic example of the situation where enforcement may arrive before regulation. The panelists noted that the collective action of the crypto industry such as blockchain analytics, blocking certain transactions, and adding the individual tokens to the black lists may have pushed the hackers to return the stolen amount

On 10 August 2021, the Poly Network was attacked by a hacker, losing over $600 million — the largest crypto hack since the Coincheck hack in 2018 — across the Ethereum, Binance Smart Chain, and Polygon blockchains. (The previous record  The hack was initially rumored as a leak of the private key of a single keeper in the network but the Poly Network and others in the blockchain community have confirmed that the hacker exploited a smart contract vulnerability between contract calls. 

Read More

UPDATED: Hack Track: #Twitterhack bitcoin scam

This article has been updated as of 27 July 2020 — our latest analysis is included at the end of this post.

On Wednesday, 15th July 2020 the global social media platform Twitter suffered a major security breach whereby hackers hijacked the verified accounts (those with blue checkmarks) of major politicians, business leaders, celebrities, and companies with millions of followers and promoted a bitcoin investment scam.


Some of the compromised accounts belonged to Joe Biden, Barack Obama, Elon Musk, Bill Gates, Apple and several cryptocurrency firms including Binance and Gemini. The bitcoin scam asked followers of the compromised Twitter accounts to send bitcoin to a specific wallet address with the promise that double the amount of funds would be sent in return. Many of the scam Tweets contained the following content:

“Due to Covid-19, we are giving back over $10,000,000 in Bitcoin!

All payments sent to our address below will be sent back doubled.

BTC address: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

This is only going on for the next 30 minutes! Enjoy!”

The hack took place over the course of several hours on Wednesday and Twitter responded by preventing verified accounts from tweeting and locking the compromised accounts while the company continued to investigate the incident. In several tweets by Twitter Support on Wednesday evening the company attributed the account hijacking to a “coordinated social engineering attack” on its employees which provided an opportunity for the hackers to access “internal systems and tools”.

There is widespread speculation about the root cause of this hack including that this was in fact an “inside job” and some news reports cite “evidence of hackers claiming to have bribed Twitter employees to help orchestrate this event. Whatever the reasons behind the incident, the fact that this occurred across so many accounts on one of the world’s largest social networks is troubling and it does not help with bitcoin’s reputation, already soured by earlier associations with criminality and the darknet.

Our Initial Analysis of the Incident

However, thanks to the transparency of the bitcoin blockchain, Merkle Science’s Data Intelligence team has been tracing the funds sent to and from the bitcoin addresses provided in the scam tweets and so far we have found that more than US$120,000 equivalent in bitcoin has been scammed off cryptocurrency holders across the globe. Below is a summary of our analysis.


As seen in the screenshots above, the bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh, which we have code-named Twitter Hack 0 is cited in several of the scam tweets from the compromised accounts. As of Thursday, 16th July 23:00 SGT this address has received BTC 12.86 or roughly US$120,000 equivalent from 323 incoming transactions, most likely from individuals falling victim to this scam.

Incoming Transaction Analysis

Through blockchain transaction analysis, Merkle Science’s team was able to derive more insights into the fund flows for the Twitter Hack 0 address:

  • The address bc1q0kznuxzk6d82e27p7gplwl68zkv40swyy4d24x, code-named Twitter Hack 1, has received a total of BTC 0.17828423 or US$ 1,625 equivalent from 14 incoming transactions and all the funds have been sent to the main scam address Twitter Hack 0.
  • Address bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l, that we referred to as Twitter Hack 2, has received BTC 0.55302586 or US$ 5,038.39 from 36 incoming transactions. Of these, 0.63% of the funds are coming from a user account belonging to the exchange ‘Gemini’.
  • 50.13% of the funds in the Twitter Hack 2 address have been sent to the Twitter Hack 0 address.
  • The Twitter Hack 0 address has received a total of BTC 12.86584703 from 323 transactions, of which 5.2% are incoming funds from user accounts at Binance, Bitflyer, Xapo, Kukoin, and Bitso exchanges.

Outgoing Transaction Analysis

45% (BTC 5.817) of the funds from the Twitter Hack 0 address have been transferred to an unidentified “cluster”, or group of connected addresses, labeled in our platform as 93712089998626 and 6.45% (BTC 0.83) of the funds have been transferred to three different addresses:

  • bc1qas2rvpejpvncd6z5hcscvw52n4wxw5th2de67v
  • bc1qs0tglr6gfc90q7ngw4yynvl2cmyvlhdqehwy4f
  • bc1q7jy39ducamer90t4a68y6jhzakvdqlps4ynhs5

The funds from these three addresses have not moved yet.

The remaining 47.66% (BTC 6.16) of the funds remaining in the address Twitter Hack 0 have also not yet been moved.

The 93712089998626 clusters is comprised of 13 addresses which in turn are sending funds to multiple addresses. Recipient addresses in this cluster have also sent bitcoin to addresses associated with Coinbase and Coinpayments prior to the scam taking place.

The screenshot above is from Merkle Science’s blockchain forensics tool

UPDATED Analysis — as of Monday, 20 July 2020

The cluster of bitcoin addresses linked to Twitter Hack 0 (see above) contains 10 different addresses (including the main hack address), which means all these addresses are controlled/owned by the hacker. More than 99.99% of the funds from this cluster have been transferred to other addresses.

Based on our analysis* it seems the hackers have transferred the bitcoin to addresses associated with several exchanges including Binance, Paxful, and CoinPayments. The breakdown is as follows:

  • BTC 0.0011 transferred to Binance
  • BTC 0.016 transferred to Paxful
  • BTC 0.0090 transferred to CoinPayments

The hackers have also used coin mixing services such as Wasabi Wallet and ChipMixer to obfuscate the flow of funds:

  • BTC 2.89 transferred to Wasabi Wallet
  • BTC 0.1092 transferred to ChipMixer
Read More

Coinbit Seizure: Examining Why New Cryptocurrency Exchanges Conduct Wash Trading

On August 26th, the South Korean newspaper Seoul Shinmun published a report stating that 99% of transaction volume was faked through wash trading on Coinbit, one of the largest cryptocurrency exchanges in South Korea, between August 2019 to May 2020. Though the exchange is now seized by police under allegations of fraud, this is not the first instance in which a cryptocurrency exchange is accused of wash trading.

Read More