Date:: August 18, 2021
Amount Stolen:: $91,000,000 (107 BTC, 9M TRON, 11M XRP, $60M in ERC-20s)
Tags:: "Inside Job"
Liquid experienced unauthorized access to some of the wallets it managed. 67 different ERC-20 tokens, along with large quantities of ETH and BTC, had been moved from these wallets to addresses controlled by a party working on behalf of DPRK.
The attacker then used decentralized protocols to swap the various ERC-20 tokens for ETH. From there, they mixed the ETH, swapped the mixed ETH for BTC, mixed the BTC, consolidated the mixed BTC into new wallets, and then deposited the funds into crypto-to-fiat exchanges based in Asia.
As a result, approximately $91.35M in cryptoassets was laundered. At the end of this process, the attackers move the Bitcoin to centralized, primarily Asia-based exchanges, where it’s likely swapped for a fiat currency like China’s Renminbi, allowing them to finally access the cash gained from the hack.
They immediately swapped stolen USDT-on-TRON to TRON within a matter of minutes using a DEX. The quick swaps may be a result of lessons learned from the Poly.Network attack, in which stolen USDT was frozen almost immediately by Tether. The hacker also converted ERC-20 tokens into native ETH at a rapid pace.
Whoever hacked Liquid seems to have had a thorough plan in place prior to acting, and is executing that plan with ruthless efficiency.
- https://trmlabs.com/post/liquid-hack-the-second-time-around
- https://quadrigainitiative.com/casestudy/liquidwarmwalletliquidated.php
- https://coindesk.com/business/2021/08/21/liquid-exchange-hacker-covers-tracks-by-sending-20m-to-eth-mixer/
- https://medium.com/sentinel-protocol/tracking-the-stolen-assets-from-the-liquid-exchange-hacking-acd94e01c762
- https://web3rekt.com/hacksandscams/liquid-265
- https://twitter.com/Liquid_Global/status/1428208832463794179
- https://blog.liquid.com/warm-wallet-incident
- https://coindesk.com/business/2022/03/29/ex-employee-claims-liquid-global-exchange-scapegoated-her-for-90m-hack/
- attribution: https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf