SlowMist Explains How Peel Chains are Used to Launder Large Amounts of Cryptocurrency

SlowMist notes that it recently released an update regarding the Bitfinex incident.

The SlowMist report covered how the stolen funds had allegedly been laundered using a technique known as “peel chain.” The company says it received many questions about this method and how it actually works, so they “decided to write an educational piece to inform [their] readers.”

As explained by SlowMist, peel chains are “a method of laundering large sums of cryptocurrency through a series of transactions.” The stolen funds are often “split into two separate addresses, peeling off a small amount each time they’re transferred.” This process is “repeated over and over until it reaches its final destination,” the SlowMist team noted in a blog post.

The company also mentioned:

“We will be using our AML (Anti-Money Laundering) system MistTrack to analyze how the peel chain method was used to launder the stolen funds from the Bitfinex incident.”

The firm has also shared background information on the Bitfinex incident: “on August 3, 2016, Bitfinex suffered from an exchange hack, resulting in the loss of 119775 Bitcoins.” At the time of the incident, it was “only worth around $60 million, but it is worth over $4.5 billion today.” The stolen funds were initially “deposited into 2072 different addresses, which were marked with MistTrack.”

As noted by SlowMist, the stolen funds “remain untouched until January of 2017.” It then began to “slowly transfer out of these wallets using the peel chain method.”

SlowMist further noted that they will start with one of these crypto addresses and “track the transfer of funds along the way.”

Starting with this address: 19Xs96FQJ5mMbb7Xf7NXMDeHbsHqY1HBDM.

According to MistTrack, nearly 30 BTC were transferred from the exchange to this address. It was then “sent through two other addresses before landing at a third (3CA…AcW) address to begin the peeling process.”

The firm pointed out that they analyzed different flowcharts to determine that the address (3CA…AcW) “started the peeling process by sending the funds into address 1 and 2.”

  • Address 3CA…AcW -> 30.6675 btc
    • Address 1 -> 2.27 btc
      • Address 3 -> 0.165 btc
        • Address 5 -> 0.0385 btc
        • Address 6 -> 0.1262 btc
      • Address 4 -> 2.1107 btc
        • Address 7 -> 0.3877 btc
        • Address 8 -> 1.7227 btc
    • Address 2 -> 28.39 btc

Following that, each address had “branched off into two new addresses, repeating the peeling process until it reached the designated address,” SlowMist noted.

The company added:

“Zooming out, we can see the hacker was very [careful] in the peeling process. Most of these funds were transferred multiple times before arriving at the designated address. Each wallet created two additional wallets that slowly shaved off a small portion with every transfer. The funds from address 1 eventually ended up in cold storages, Wasabi wallets (Bitcoin privacy wallet), or Hydra market (Russian darknet market).”

The firm then looked at how the peel chain is used for bigger transfers. This time they will be “following this address: 1BprR3VRh8AsJVXFR8uNzzZJnyMhF1gyQE.”

According to the Bitcoin explorer, more than 271.22 BTC was “transferred to this address from the incident.”

As noted in the update, each wallet “branched off into two additional wallets, peeling off a small amount with every transfer.” The team at SlowMist pointed out that they had to “omit some transactions since there was a large number of transfers.”

They added that this process “continued until it was down to about 1 btc that was deposited into Hydra Market.” As you can see, “one address can branch into hundreds of transactions and wallets using this method.”

As explained by the firm, the peel chain technique usually has these characteristics:

  • Usually starts with a single address holding stolen funds
  • Funds are continuously split into two new addresses, one large, one small
  • Final deposits are usually cold storage, exchanges, darknet markets, or privacy wallets
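
The characteristics above can be turned into a simple tracing check. The following is an added example, not code from SlowMist or MistTrack: it walks the amounts listed earlier on this page, flags each two-way split where the smaller output is a small share of the total, and collects the addresses where the recorded trail ends. The parent/child links are inferred from how the listed amounts sum, and the function name, the 25% threshold and the fee-free amounts are assumptions.

```python
from decimal import Decimal

# Spend graph built from the amounts quoted in the article (fees ignored).
# Which address funds which is inferred from how the amounts add up (assumption).
SPENDS = {
    "3CA…AcW":   [("Address 1", "2.27"), ("Address 2", "28.39")],
    "Address 1": [("Address 3", "0.165"), ("Address 4", "2.1107")],
    "Address 3": [("Address 5", "0.0385"), ("Address 6", "0.1262")],
    "Address 4": [("Address 7", "0.3877"), ("Address 8", "1.7227")],
}

def trace_peels(spends, start, max_ratio=Decimal("0.25")):
    """Follow every branch from `start`; return (peels, endpoints).

    peels:     source -> (small_dest, small_amount, large_dest) for each
               two-output transfer whose smaller output is at most
               `max_ratio` of the total sent (threshold is an assumption).
    endpoints: address -> amount received, for addresses with no recorded
               onward spend (where an investigator has to keep digging).
    """
    peels, endpoints, seen = {}, {}, set()
    stack = [(start, None)]
    while stack:
        addr, received = stack.pop()
        if addr in seen:              # guard against cycles and re-used addresses
            continue
        seen.add(addr)
        outs = [(dest, Decimal(amt)) for dest, amt in spends.get(addr, [])]
        if not outs:
            endpoints[addr] = received
            continue
        if len(outs) == 2:            # the "one large, one small" pattern
            (small_dest, small), (large_dest, _) = sorted(outs, key=lambda o: o[1])
            total = sum(amt for _, amt in outs)
            if small / total <= max_ratio:
                peels[addr] = (small_dest, small, large_dest)
        stack.extend(outs)            # both branches can keep peeling
    return peels, endpoints

if __name__ == "__main__":
    peels, endpoints = trace_peels(SPENDS, "3CA…AcW")
    for src, (dest, amt, rest) in peels.items():
        print(f"{src}: peeled {amt} BTC to {dest}, remainder to {rest}")
    print("trail ends at:", {a: str(v) for a, v in endpoints.items()})
```

Tightening `max_ratio` to 0.1 keeps only the first two splits, which shows how sensitive a fixed threshold is to how aggressively the funds are divided.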

SlowMist added that hackers “frequently use the peel chain method due to its complexity. When done right, the small amounts transferred into exchanges rarely raise any red flags.” This also “makes it extremely difficult to track down.”

The firm further noted that most complex and lengthy peel chain techniques “are facilitated with programs to automate the process.”

But they can also “use scripts and tracking tools for situations like this.” That is the reason why they created MistTrack, “an anti-money laundering tracking system under the SlowMist AML umbrella.”

It also contains “a database of over 100,000 malicious addresses across various blockchains as reference.” These tools were “developed to assist exchanges, individuals, and the blockchain community to track and monitor stolen funds in real time,” the SlowMist team noted.


