In a follow-up tweet, Liquid stated that it is currently tracing the movement of stolen assets and is working closely with other exchanges to freeze and recover these assets.
Shortly after the tweet, Liquid also published a warm wallet incident report, highlighting the status of Liquid services and analyzing the impact of the hack. All the values in this piece are in US Dollars (USD). According to the report, crypto assets amounting to a total of approximately $91.35 million were moved out of Liquid wallets by an unauthorized party.
Further, out of this amount, ERC-20 assets worth $16.13 million have been frozen for on-chain movement with the help provided by the crypto community and other exchanges. The report also states that sixty-nine different crypto assets were misappropriated and sent to other exchanges or DeFi swapping venues.
As per the update provided by the Poly Network on 19 August 2021, assets worth approximately $427 million were returned by the hacker. The update further stated that 28,953 ETH and 1,032 WBTC (about $141 million) were still left in the 3-of-4 multi-signature wallet and that Poly Network is waiting for the hacker to provide his private key authorization.
On 23 August 2021, Poly Network released another update announcing that the hacker has publicly shared the private key needed to regain control of the remaining assets through an on-chain message. The announcement stated that Poly Network has successfully retrieved the remaining $141 million and has fully recovered all the user assets that were transferred out during the attack.
This comes after Poly Network promised the hacker a $500,000 bounty for the restoration of user funds, inviting him to become its “chief security advisor.”
After verifying the private key provided by the hacker, Poly Network regained control of the $610 million in assets affected in this attack (not including the frozen $33 million USDT). With respect to the recovery of the $33 million USDT, Poly Network stated that they have been in close communication with Tether and that “Tether is in the process of confirming the final unfreezing process” with them. Additionally, Poly Network thanked the hacker for his cooperation and stated that they had officially entered the fourth phase of their roadmap, “Asset Recovery.” The Poly Network team is in the process of returning full asset control to their users as swiftly as possible.
As per the panelists of Merkle Science’s “Regulating the DeFi Frontier: Where Consumer Protection & Financial Innovation Collide” webinar, the Poly Network hack is a classic example of a situation where enforcement may arrive before regulation. The panelists noted that the collective action of the crypto industry, such as blockchain analytics, blocking certain transactions, and adding the individual tokens to blacklists, may have pushed the hackers to return the stolen amount.
On 10 August 2021, the Poly Network was attacked by a hacker, losing over $600 million — the largest crypto hack since the Coincheck hack in 2018 — across the Ethereum, Binance Smart Chain, and Polygon blockchains. The hack was initially rumored to be a leak of the private key of a single keeper in the network, but Poly Network and others in the blockchain community have confirmed that the hacker exploited a smart contract vulnerability between contract calls.
Hugh Karp, the founder of DeFi insurance protocol Nexus Mutual, experienced an attack at 9:40 am (GMT) on December 14 that resulted in a loss of more than...
This article has been updated as of 27 July 2020 — our latest analysis is included at the end of this post.
On Wednesday, 15th July 2020 the global social media platform Twitter suffered a major security breach whereby hackers hijacked the verified accounts (those with blue checkmarks) of major politicians, business leaders, celebrities, and companies with millions of followers and promoted a bitcoin investment scam.
Some of the compromised accounts belonged to Joe Biden, Barack Obama, Elon Musk, Bill Gates, Apple and several cryptocurrency firms including Binance and Gemini. The bitcoin scam asked followers of the compromised Twitter accounts to send bitcoin to a specific wallet address with the promise that double the amount of funds would be sent in return. Many of the scam Tweets contained the following content:
“Due to Covid-19, we are giving back over $10,000,000 in Bitcoin!
All payments sent to our address below will be sent back doubled.
This is only going on for the next 30 minutes! Enjoy!”
The hack took place over the course of several hours on Wednesday, and Twitter responded by preventing verified accounts from tweeting and locking the compromised accounts while the company continued to investigate the incident. In several tweets by Twitter Support on Wednesday evening, the company attributed the account hijacking to a “coordinated social engineering attack” on its employees, which provided an opportunity for the hackers to access “internal systems and tools”.
There is widespread speculation about the root cause of this hack, including that it was in fact an “inside job”, and some news reports cite “evidence” of hackers claiming to have bribed Twitter employees to help orchestrate this event. Whatever the reasons behind the incident, the fact that this occurred across so many accounts on one of the world’s largest social networks is troubling, and it does not help bitcoin’s reputation, already soured by earlier associations with criminality and the darknet.
Our Initial Analysis of the Incident
Thanks to the transparency of the bitcoin blockchain, Merkle Science’s Data Intelligence team has been tracing the funds sent to and from the bitcoin addresses provided in the scam tweets, and so far we have found that more than US$120,000 equivalent in bitcoin has been scammed from cryptocurrency holders across the globe. Below is a summary of our analysis.
As seen in the screenshots above, the bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh, which we have code-named Twitter Hack 0, is cited in several of the scam tweets from the compromised accounts. As of Thursday, 16th July 23:00 SGT, this address has received BTC 12.86, or roughly US$120,000 equivalent, from 323 incoming transactions, most likely from individuals falling victim to this scam.
Incoming Transaction Analysis
Through blockchain transaction analysis, Merkle Science’s team was able to derive more insights into the fund flows for the Twitter Hack 0 address:
The address bc1q0kznuxzk6d82e27p7gplwl68zkv40swyy4d24x, code-named Twitter Hack 1, has received a total of BTC 0.17828423 (US$ 1,625 equivalent) from 14 incoming transactions, and all the funds have been sent to the main scam address Twitter Hack 0.
Address bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l, which we refer to as Twitter Hack 2, has received BTC 0.55302586 (US$ 5,038.39) from 36 incoming transactions. Of these, 0.63% of the funds come from a user account belonging to the exchange ‘Gemini’.
50.13% of the funds in the Twitter Hack 2 address have been sent to the Twitter Hack 0 address.
The Twitter Hack 0 address has received a total of BTC 12.86584703 from 323 transactions, of which 5.2% are incoming funds from user accounts at Binance, bitFlyer, Xapo, KuCoin, and Bitso exchanges.
Outgoing Transaction Analysis
45% (BTC 5.817) of the funds from the Twitter Hack 0 address have been transferred to an unidentified “cluster”, or group of connected addresses, labeled in our platform as 93712089998626, and 6.45% (BTC 0.83) of the funds have been transferred to three different addresses:
bc1qas2rvpejpvncd6z5hcscvw52n4wxw5th2de67v
bc1qs0tglr6gfc90q7ngw4yynvl2cmyvlhdqehwy4f
bc1q7jy39ducamer90t4a68y6jhzakvdqlps4ynhs5
The funds from these three addresses have not moved yet.
The remaining 47.66% (BTC 6.16) of the funds in the address Twitter Hack 0 have also not yet been moved.
The 93712089998626 cluster comprises 13 addresses, which in turn are sending funds to multiple addresses. Recipient addresses in this cluster had also sent bitcoin to addresses associated with Coinbase and CoinPayments prior to the scam taking place.
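The two building blocks behind the incoming and outgoing analysis above (and the cluster and exchange attribution in the update below) are address clustering and proportional fund-flow attribution. The following is an added example, not code from Merkle Science or its platform: it runs the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner) and attributes each transaction's outputs to its inputs in proportion to their value, over a small constructed ledger. The labels TH0/TH1/TH2 stand in for the addresses the post calls Twitter Hack 0/1/2, and every amount, transaction id and counterparty label is made up for illustration.

```python
from collections import defaultdict
from fractions import Fraction
from typing import Dict, FrozenSet, List, Tuple

# A transaction is (txid, inputs, outputs); inputs/outputs are (address, btc) pairs.
# Fractions keep the arithmetic exact so percentages are not distorted by float error.
Tx = Tuple[str, List[Tuple[str, Fraction]], List[Tuple[str, Fraction]]]

def btc(amount: str) -> Fraction:
    return Fraction(amount)

# Constructed sample ledger (not real chain data; fees omitted for simplicity).
SAMPLE_TXS: List[Tx] = [
    ("tx1", [("victimA", btc("0.10"))], [("TH0", btc("0.10"))]),          # victim pays TH0
    ("tx2", [("victimB", btc("0.05"))], [("TH1", btc("0.05"))]),          # victim pays TH1
    ("tx3", [("victimC", btc("0.20"))], [("TH2", btc("0.20"))]),          # victim pays TH2
    ("tx4", [("TH1", btc("0.05"))], [("TH0", btc("0.05"))]),              # TH1 forwards all to TH0
    ("tx5", [("TH2", btc("0.20"))], [("TH0", btc("0.10")), ("TH2_change", btc("0.10"))]),
    # TH0 and TH2_change are spent in the same transaction, so the heuristic links them.
    ("tx6", [("TH0", btc("0.25")), ("TH2_change", btc("0.10"))],
            [("mixer_in", btc("0.15")), ("exchange_X", btc("0.10")),
             ("unknown3", btc("0.05")), ("TH0", btc("0.05"))]),            # last output is change
]

class UnionFind:
    """Disjoint sets over address strings, with path halving."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_addresses(txs: List[Tx]) -> Dict[str, FrozenSet[str]]:
    """Common-input-ownership heuristic: all inputs of one tx belong to one cluster.
    Only addresses that have spent something appear; receive-only addresses are unclustered."""
    uf = UnionFind()
    for _, inputs, _ in txs:
        addrs = [a for a, _ in inputs]
        for a in addrs:
            uf.find(a)
        for other in addrs[1:]:
            uf.union(addrs[0], other)
    groups: Dict[str, set] = defaultdict(set)
    for a in uf.parent:
        groups[uf.find(a)].add(a)
    return {a: frozenset(g) for g in groups.values() for a in g}

def inflows(txs: List[Tx], addr: str) -> Dict[str, Fraction]:
    """Value deposited to addr, attributed to paying addresses pro rata to their inputs.
    A tx in which addr is itself an input is treated as change, not a deposit."""
    received: Dict[str, Fraction] = defaultdict(Fraction)
    for _, inputs, outputs in txs:
        if addr in {a for a, _ in inputs}:
            continue
        to_addr = sum(v for a, v in outputs if a == addr)
        if to_addr == 0:
            continue
        total_in = sum(v for _, v in inputs)
        for a, v in inputs:
            received[a] += to_addr * v / total_in
    return dict(received)

def outflows(txs: List[Tx], addr: str) -> Dict[str, Fraction]:
    """Value spent from addr, attributed to destinations pro rata to addr's share of the inputs.
    Outputs back to addr are change and are excluded."""
    sent: Dict[str, Fraction] = defaultdict(Fraction)
    for _, inputs, outputs in txs:
        from_addr = sum(v for a, v in inputs if a == addr)
        if from_addr == 0:
            continue
        total_in = sum(v for _, v in inputs)
        for a, v in outputs:
            if a != addr:
                sent[a] += v * from_addr / total_in
    return dict(sent)

def shares(flows: Dict[str, Fraction]) -> Dict[str, Fraction]:
    """Turn an absolute flow breakdown into fractions of the total."""
    total = sum(flows.values())
    return {a: v / total for a, v in flows.items()} if total else {}

if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    print("cluster of TH0:", sorted(clusters["TH0"]))
    for label in ("TH1", "TH2", "TH0"):
        print(f"outflow shares from {label}:", {k: f"{float(v):.2%}" for k, v in shares(outflows(SAMPLE_TXS, label)).items()})
    print("inflow shares to TH0:", {k: f"{float(v):.2%}" for k, v in shares(inflows(SAMPLE_TXS, "TH0")).items()})
```

On the constructed ledger this reproduces the shape of the findings above: TH1 sends 100% of its outflow to TH0, TH2 sends 50% to TH0, and TH0 ends up in a two-address cluster with TH2's change address because the two were co-spent. Real investigations layer further heuristics (change-output detection, exchange deposit-address labels) on top of this, and the common-input heuristic is deliberately defeated by CoinJoin-style mixing of the kind mentioned in the update, which is why mixer outputs are reported as a flow boundary rather than clustered through.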
UPDATED Analysis — as of Monday, 20 July 2020
The cluster of bitcoin addresses linked to Twitter Hack 0 (see above) contains 10 different addresses (including the main hack address), which means all these addresses are controlled/owned by the hacker. More than 99.99% of the funds from this cluster have been transferred to other addresses.
Based on our analysis* it seems the hackers have transferred the bitcoin to addresses associated with several exchanges including Binance, Paxful, and CoinPayments. The breakdown is as follows:
BTC 0.0011 transferred to Binance
BTC 0.016 transferred to Paxful
BTC 0.0090 transferred to CoinPayments
The hackers have also used coin mixing services such as Wasabi Wallet and ChipMixer to obfuscate the flow of funds:
On August 26th, the South Korean newspaper Seoul Shinmun published a report stating that 99% of transaction volume was faked through wash trading on Coinbit, one of the largest cryptocurrency exchanges in South Korea, between August 2019 and May 2020. Though the exchange has now been seized by police under allegations of fraud, this is not the first instance in which a cryptocurrency exchange has been accused of wash trading.
On 7 July 2021, Israel’s National Bureau for Counter Terror Financing (NBCTF) ordered the seizure of 84 crypto asset wallets that it believed to be linked with Hamas. Pursuant to the order given by NBCTF, Israeli officials issued an Administrative Seizure Order (seizure order) under Section 66 of the Anti-Terrorism Law of 2016. According to the seizure order, Hamas-linked crypto asset wallets and associated addresses should be considered as the ‘designated property’ of Hamas that is being used for perpetuation of ‘severe terror crime.’ Hamas is considered to be one of the largest Palestinian militant groups. In fact, a vast majority of nations including the European Union, United States, Israel, and the United Kingdom have classified Hamas as a “terrorist organization.” However, as the efforts to lock Hamas out of traditional financial systems continue, Hamas is witnessing a surge in cryptocurrency donations, particularly Bitcoin.