Lowdown on what hackers typically do with hacked bitcoins
On July 15 several prominent Twitter accounts were hacked and a fraudulent Bitcoin campaign and address were propped up as part of a coordinated attack. Among the celebrities targeted were Elon Musk, Jeff Bezos and Barack Obama. This high-profile scam saw the hackers make 12.86 BTC, or $118,000. While this grabbed headlines in crypto and traditional media, another scam that took place days earlier and funneled 26 times that amount of Bitcoin was largely ignored. What’s worse, the Bitcoin siphoned in the forgotten scam has now made its way into the darknet.
A few days prior to Twitter erupting with news of a Bitcoin hack, the little-known UK-based cryptocurrency exchange Cashaa saw 336 of its Bitcoin hacked on 10 July 2020. According to a report shared with AMBCrypto by Janina Lowisz, co-founder at Cashaa, the hacker sent all Bitcoin from one of the “employee wallets” to the address 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek.
While the investigation is ongoing, there seems to be a break in the case. CipherTrace, a blockchain analytics firm, told AMBCrypto that the large majority of the Bitcoin stolen as part of the Cashaa hack remains unspent.
Citing the analysis as an example of “real-time predictive scoring,” John Jefferies, chief financial analyst at CipherTrace, stated that analysis of the hacker’s address and transactions reveals that the funds “have split into multiple changes and begun the process of peeling.”
Peeling is a process by which Bitcoin procured through criminal activity is moved around to prevent it being traced back to the source address. Coins from the source address holding the hacked Bitcoin are sent on to multiple addresses, mixed with “clean” Bitcoin and ‘hopped’ from address to address to frustrate third-party analysis.
Tracking the ‘peeling’ process, Jefferies stated “with confidence” that as of July 15, 85 percent of the funds “remain unspent.” That means 286.4 Bitcoin, worth an estimated $2.6 million, are unspent and still undergoing the process of ‘peeling.’
More pertinently, the remaining 50 Bitcoin, worth $460,000, have been combined with funds from other sources not part of the Cashaa hack and sent to Hydra, a market on the darknet, and to five exchanges. Jefferies stated,
“The remainder of the funds have combined with additional funds unrelated to the initial hack, and moved into the dark market Hydra and five unique cryptocurrency exchanges.”
While CipherTrace has not confirmed which five exchanges the remaining 15 percent of the hacked Bitcoin were sent to, the concern should be with the coins sent to Hydra.
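To make the forward-tracing described above concrete, the following is an added Python example, not CipherTrace’s code or method and not part of the original article. It walks a constructed, simplified transaction graph from the hacked output, spreads the tainted value pro rata across each spending transaction’s outputs (the same way a peeling chain leaks a little value at every hop), and stops at unspent outputs or at addresses an attribution dataset has labelled as an exchange or a darknet-market deposit. Every transaction id, address, amount and label here is constructed; a real investigation would pull transactions from a node or indexer and use an address-attribution dataset in place of the `LABELS` dictionary.

```python
from collections import defaultdict

# Constructed, simplified transaction graph (not real chain data, no fees).
# Each entry: inputs = outpoints (txid, vout) being spent,
#             outputs = (address, amount_btc) created by the transaction.
TXS = {
    "hack":  {"inputs": [], "outputs": [("SRC", 336.0)]},          # stolen funds land here
    "clean": {"inputs": [], "outputs": [("CLEAN", 14.0)]},         # unrelated coins mixed in later
    "tx1":   {"inputs": [("hack", 0)], "outputs": [("A1", 300.0), ("B1", 36.0)]},
    "tx2":   {"inputs": [("tx1", 0)], "outputs": [("A2", 250.0), ("B2", 50.0)]},
    "tx3":   {"inputs": [("tx1", 1), ("clean", 0)],
              "outputs": [("EXCH_X", 40.0), ("C1", 10.0)]},
    "tx4":   {"inputs": [("tx3", 1)], "outputs": [("HYDRA_DEP", 10.0)]},
}

# Constructed address attribution standing in for an analytics firm's clustering labels.
LABELS = {"EXCH_X": "exchange", "HYDRA_DEP": "darknet"}


def build_spend_index(txs):
    """Map every outpoint (txid, vout) to the txid that spends it."""
    spent_by = {}
    for txid, tx in txs.items():
        for outpoint in tx["inputs"]:
            spent_by[outpoint] = txid
    return spent_by


def output_amount(txs, outpoint):
    txid, vout = outpoint
    return txs[txid]["outputs"][vout][1]


def trace_taint(txs, labels, origin):
    """Follow coins forward from `origin` and return tainted BTC per bucket.

    Taint is attributed pro rata: each output of a spending transaction
    carries tainted_in * (output_amount / total_output_amount). Tracing stops
    at unspent outputs ("unspent") and at outputs to labelled addresses.
    """
    spent_by = build_spend_index(txs)
    memo = {origin: output_amount(txs, origin)}

    def taint_of(outpoint):
        if outpoint in memo:
            return memo[outpoint]
        txid, vout = outpoint
        tx = txs[txid]
        tainted_in = sum(taint_of(inp) for inp in tx["inputs"])
        total_out = sum(amount for _, amount in tx["outputs"])
        value = tainted_in * tx["outputs"][vout][1] / total_out if total_out else 0.0
        memo[outpoint] = value
        return value

    buckets = defaultdict(float)
    frontier, seen = [origin], set()
    while frontier:
        outpoint = frontier.pop()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        txid, vout = outpoint
        address = txs[txid]["outputs"][vout][0]
        if address in labels:                      # deposited with a known service: stop here
            buckets[labels[address]] += taint_of(outpoint)
        elif outpoint not in spent_by:             # coins still sitting unspent
            buckets["unspent"] += taint_of(outpoint)
        else:                                      # spent onward: follow every child output
            child = spent_by[outpoint]
            frontier.extend((child, i) for i in range(len(txs[child]["outputs"])))
    return dict(buckets)


def taint_shares(txs, labels, origin):
    """Express each bucket as a fraction of the originally stolen amount."""
    stolen = output_amount(txs, origin)
    return {bucket: btc / stolen for bucket, btc in trace_taint(txs, labels, origin).items()}


if __name__ == "__main__":
    for bucket, btc in sorted(trace_taint(TXS, LABELS, ("hack", 0)).items()):
        print(f"{bucket:<9} {btc:8.2f} BTC")
    for bucket, share in sorted(taint_shares(TXS, LABELS, ("hack", 0)).items()):
        print(f"{bucket:<9} {share:7.1%}")
```

On the constructed graph 300 of the 336 BTC end up unspent, 28.8 BTC reach the exchange and 7.2 BTC reach the darknet deposit, which is the kind of split behind a claim such as “85 percent remains unspent.” Two caveats a practitioner would keep in mind: pro rata attribution is only one of several taint heuristics (FIFO and “poison” rules give different answers once clean coins are mixed in, as in `tx3`), and the whole result is only as good as the address labels, since an unlabelled exchange deposit simply shows up as “unspent.”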
According to a report by Chainalysis, Hydra is the single-largest darknet marketplace holding over 65 percent of total darknet market share. Further, the Hydra market caters “only to customers in Russia.”
This does not necessarily imply that the hackers are Russian; the Hydra destination could be part of the peeling process, and the final destination could be somewhere else entirely. However, it does imply that the importance of the Cashaa hack should rest not just on the amount of Bitcoin siphoned but also on where and how it has been funneled.