How to trace crypto currency and Blockchain security skills

Detailed explanation of how to trace virtual currency and Blockchain security skills, Welcome to follow and discuss with us

Author: hzq

lunaray.sec@outlook.com

0x01 Preview

Due to the high-yield, anonymity, and financial speculation properties of blockchain virtual cryptocurrencies, more and more people are exposed to virtual cryptocurrencies, and they all want to get rich overnight in this speculative circle, just when everyone is staring at high When making profits, what the virtual currency project wants is your principal, and the hacker wants your wallet assets, and eventually loses money overnight.

Therefore, the Lunaray security team can receive feedback and help from social channels almost every day, asking for assistance in recovering virtual currency. The lost funds range from hundreds of thousands of USD to tens of millions. There are numerous situations, and the methods of loss, theft, cheating, running away, respectively and hacking is becoming more and more complicated.

Here, the Lunaray security team has compiled a series of real events for analysis. We hope everyone can learn some methods of tracing virtual coins, find criminals, and protect their assets.let’s dive into it.

0x02 Introduction to basic tools

  • Understand the basic concepts of blockchain, such as Bitcoin network foundation, Ethereum network foundation, the concept of tokens, the use of cryptocurrency wallets, identification of wallet addresses, identification of popular virtual coins, etc.;
  • Corresponding to the use of virtual cryptocurrency browsers, common Bitcoin browsers, Ethereum browsers, TRON browsers, and the most important browser transaction viewing of USDT in different networks, currently the most traced virtual currency is TRC20- USDT, commonly used browsers are: https://tronscan.org
  • To understand the operation logic of professional platforms involving virtual currency exchange or currency mixing and washing, here is a platform to introduce to you today. https://changenow.io .It supports the mutual exchange of nearly 100 virtual currencies. Users can transfer any A currency to the temporary wallet address of the changenow TYhosq1uFWvsuCzGvyePTLVDyHhAr8Qrga,and fill in the address of the B currency you want to exchange and transfer out (anonymous unknown address) After changenow receives the A currency, it transfers the B currency of its own platform to the anonymous address of the user to complete the anonymous exchange of any currency.

0x03 Event description

On November 22, 2021, the Lunaray security team received a call for help. The user’s TRC20-USDT worth more than 160000usd was transferred from the wallet, and asked us to track and retrieve it. After communicating with this user, we knew that the user’s own wallet private key was stolen, the asset transfer time was one week ago, and the attacker’s wallet address was:

TVtmSR5vwrBmxoRDfdGFM6szJBP26AprbZ

It is very likely that the attacker has completed the coin laundering process, which is a typical coin loss event and asset transfer process.

0x04 Traceback process

After learning the relevant information, we use the official browser of TRC20-USDT for transaction tracking:https://tronscan.org

  1. After the attacker transferred the user’s asset 161746USDT to his wallet TVtmSR5vwrBmxoRDfdGFM6szJBP26AprbZ, he transferred it in four times at different times.

2. After the transfer, transfer out to address as soon as possible(below) TWS1onJnNTg8tJHomceqxBxTsUB1DHh7PV such as the first transfer here.

3. By checking the other transfers, all of them are the same transfer out to the same address of TWS1onJnNTg8tJHomceqxBxTsUB1DHh7PV as soon as possible.

4. Through the analysis of the TWS1onJnNTg8tJHomceqxBxTsUB1DHh7PV address, it is found that there are tens of thousands of transactions at this address, and the transactions are very frequent, and through the analysis of a large number of transactions at this address, it is found that there are a large number of transfer-in and transfer-out transactions from this address that are related to huobi, okex , Binance and other trading platforms have direct transactions with the core hot wallet, so it is judged that this place is a non-independent user address, and it should be an address similar to a trading platform. so here is the thing : When tracking down here, most users are basically helpless, because their assets have been transferred to a platform by the attacker, and there is a large pool of funds, so they cannot find the transfer transaction of their assets, nor can they query the address. , so I can’t keep track of it.

5. Later, when analyzing the associated address of the transaction related to this address, the Lunaray security team inquired from the virtual currency traceability platform and found that the transfer-in address TDtxYsNdTVKrmLFm37ssz5NZCHXhBN7Yo9 of one of the transactions was marked as the changenow platform address.

6. Since TWS1onJnNTg8tJHomceqxBxTsUB1DHh7PV is judged as the platform address, and the changenow platform transfers money to it, it is concluded that the TWS1onJnNTg8tJHomceqxBxTsUB1DHh7PV address may also be the changenow address. Later, through communication with the changenow platform, we confirmed that our inference is correct, and it is indeed the hot wallet address of the internal platform.To sum up, after stealing the user’s private key, the attacker transfers the assets to the TVtmSR5vwrBmxoRDfdGFM6szJBP26AprbZ address, and then conducts anonymous exchange through the changenow platform, and transfers the exchanged assets to an unknown anonymous address (see the above-mentioned exchange process on the changenow platform for details). After the first phase of tracking is over, it is necessary to further communicate with changenow to obtain the anonymous address of the user after the exchange.

0x05 event follow-up

At present, the tracking process and wallet address marking report have been submitted to the user. The most important issue is how to obtain the virtual currency acceptance address converted by the attacker from the changenow platform, so as to further track the assets.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store