By analyzing the on-chain transfer records of the Nexus Mutual, EasyFi, and FinNexus hackers, we discovered some revealing clues.
Written by: Pastebin user CRDT
As is widely known, on December 14, 2020, an unknown hacker stole 370,000 NXM tokens from the wallet of Nexus Mutual DeFi’s CEO. On April 20, 2021, another hack occurred, this time targeting a project called EasyFi DeFi. In this attack, the hacker stole nearly three million EASY tokens.
On May 17, 2021, the FinNexus DeFi project’s system was hacked, allowing the attacker to mint 323 million FNX tokens and sell them on the open market. All three hacks share a similar characteristic: the hacker aimed to gain access to wallets or private keys to obtain funds. Furthermore, all three attacks were executed within the same hour of the day.
All findings published in this article are based on our own independent investigation and may differ from official findings.
From media reports, we identified the ETH wallet addresses belonging to the hackers who attacked Nexus Mutual, EasyFi, and FinNexus. Let us now examine each of these hacker addresses individually.
The Nexus Mutual Hack
Starting in chronological order, the first hack we discuss targeted Nexus Mutual in December 2020. The Etherscan block explorer shows multiple addresses belonging to this hacker. We will focus on one address that Etherscan labeled as Fake_Phishing4636.
This hacker’s address is:
0x0adab45946372c2be1b94eead4b385210a8ebf0b.
This ETH address conducted a direct transaction with address 0x31499E03303dd75851a1738E88972CD998337403 (remember this address — it will be important).
The EasyFi Hack
The second address we examined belongs to the EasyFi attacker. This address has no label in Etherscan, but according to media reports, we identified it as:
0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37.
This hacker’s wallet was found to have received a deposit from the known address 0x31499E03303dd75851a1738E88972CD998337403.
Additionally, the EasyFi hacker’s address had a direct transaction with 0x31499E03303dd75851a1738E88972CD998337403 — specifically the last outgoing transaction made by the EasyFi hacker.
Furthermore, the EasyFi hacker executed multiple direct transactions with address 0x77BEB16e4DB0686e36dbf01142685275785775Ed:
And these additional transactions: Transaction 3, Transaction 4, Transaction 5.
Address 0x77BEB16e4DB0686e36dbf01142685275785775Ed was also funded by address 0x31499E03303dd75851a1738E88972CD998337403 via this transaction.
As far as we know, unlike the Nexus Mutual hacker’s address, the EasyFi hacker’s address had not just one but multiple transactions with 0x31499E03303dd75851a1738E88972CD998337403. Remember this address, as we will encounter it many more times.
The FinNexus Hack
Now let us look at the FinNexus hacker’s address. According to media reports, the address is 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F, which is labeled in the Etherscan block explorer. We did not observe any direct interaction between address 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F and address 0x31499E03303dd75851a1738E88972CD998337403.
However, an indirect interaction exists through address 0x2Da3a8738c34fFB35182670bcb76Ad722240bcC0. Despite the hacker’s deliberate attempt to conceal the connection to address 0x31499E03303dd75851a1738E88972CD998337403, we were still able to uncover this link. The FinNexus hacker’s primary address had a direct transaction with address 0x2Da3a8738c34fFB35182670bcb76Ad722240bcC0.
This address had two outgoing FNX token transfer transactions with address 0x1cE5f1fe7d8543A0046E521302C3A21734309302:
Next, address 0x1cE5f1fe7d8543A0046E521302C3A21734309302 had multiple transactions with address 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A:
Transaction 1, Transaction 2, Transaction 3, Transaction 4, Transaction 5
There were a total of 12 transactions between these two addresses.
Additionally, address 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A received a Tornado Cash deposit.
The transfer out of address 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A, approximately 1 ETH, went to address 0xA29bD5815AEA7ac88E9F3AaDd8F477675EDAD404.
Address 0xA29bD5815AEA7ac88E9F3AaDd8F477675EDAD404 deposited into Tornado Cash in this transaction.
Subsequently, address 0xA29bD5815AEA7ac88E9F3AaDd8F477675EDAD404 conducted a transaction with address 0x31499E03303dd75851a1738E88972CD998337403.
Between these two addresses there were also many direct token transactions (28 in total).
Address 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A had a 124,977.5383 USDT token transfer to address 0x860Dc1b24f96F59F4ec25ca439bcB9cDD6c1a7B0.
Address 0x860Dc1b24f96F59F4ec25ca439bcB9cDD6c1a7B0 is linked to the known address 0x31499E03303dd75851a1738E88972CD998337403. Similarly, address 0x860Dc1b24f96F59F4ec25ca439bcB9cDD6c1a7B0 was also connected to address 0x31499E03303dd75851a1738E88972CD998337403 through the same intermediary wallet 0x67fe5B5343f963C7043cE551FADBa84a3aD6473A.
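The chains above are found by treating every transfer as an edge between two counterparties and searching for a path from a hacker address to the known address. The following is an added example of that method, not code from the article: the transfer records are constructed from the links the article describes (it gives no transaction hashes, amounts or, in most cases, tokens, so those fields are placeholders), the addresses are the article's, and the graph search itself is generic. Note that addresses are lowercased before comparison, because explorers print the same address in different checksum casings.

```python
"""Trace counterparty links between addresses over a set of transfer records.

Added example. The TRANSFERS list is CONSTRUCTED from the links described in the
article; direction, asset and amount are placeholders except where the article
states them (e.g. the 124,977.5383 USDT transfer).
"""
from collections import defaultdict, deque

# Addresses named in the article (lowercased; Ethereum addresses are case-insensitive).
NEXUS_HACKER = "0x0adab45946372c2be1b94eead4b385210a8ebf0b"
EASYFI_HACKER = "0x83a2eb63b6cc296529468afa85dbde4a469d8b37"
FINNEXUS_HACKER = "0x5ebc7d1ff1687a75f76c3edfabcde89d1c09cd5f"
KNOWN = "0x31499e03303dd75851a1738e88972cd998337403"

# Constructed transfer records: (from, to, asset, amount).
TRANSFERS = [
    (NEXUS_HACKER, KNOWN, "ETH", 1.0),
    (KNOWN, EASYFI_HACKER, "ETH", 1.0),
    (EASYFI_HACKER, KNOWN, "ETH", 1.0),
    (KNOWN, "0x77beb16e4db0686e36dbf01142685275785775ed", "ETH", 1.0),
    ("0x77beb16e4db0686e36dbf01142685275785775ed", EASYFI_HACKER, "ETH", 1.0),
    (FINNEXUS_HACKER, "0x2da3a8738c34ffb35182670bcb76ad722240bcc0", "ETH", 1.0),
    ("0x2da3a8738c34ffb35182670bcb76ad722240bcc0", "0x1ce5f1fe7d8543a0046e521302c3a21734309302", "FNX", 1.0),
    ("0x2da3a8738c34ffb35182670bcb76ad722240bcc0", "0x1ce5f1fe7d8543a0046e521302c3a21734309302", "FNX", 1.0),
    ("0x1ce5f1fe7d8543a0046e521302c3a21734309302", "0x67fe5b5343f963c7043ce551fadba84a3ad6473a", "FNX", 1.0),
    ("0x67fe5b5343f963c7043ce551fadba84a3ad6473a", "0xa29bd5815aea7ac88e9f3aadd8f477675edad404", "ETH", 1.0),
    ("0xa29bd5815aea7ac88e9f3aadd8f477675edad404", KNOWN, "ETH", 1.0),
    ("0x67fe5b5343f963c7043ce551fadba84a3ad6473a", "0x860dc1b24f96f59f4ec25ca439bcb9cdd6c1a7b0", "USDT", 124977.5383),
    ("0x860dc1b24f96f59f4ec25ca439bcb9cdd6c1a7b0", KNOWN, "ETH", 1.0),
]


def norm(addr):
    """Canonical form for comparison: explorers print mixed checksum casings."""
    return addr.lower()


def build_graph(transfers):
    """Undirected counterparty graph: an edge exists if funds moved either way."""
    graph = defaultdict(set)
    for src, dst, _asset, _amount in transfers:
        graph[norm(src)].add(norm(dst))
        graph[norm(dst)].add(norm(src))
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the address list from start to goal, or None."""
    start, goal = norm(start), norm(goal)
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph[cur]):  # sorted for deterministic output
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def interaction_count(transfers, a, b):
    """Number of transfers between a and b, in either direction."""
    a, b = norm(a), norm(b)
    return sum(1 for s, d, _, _ in transfers if {norm(s), norm(d)} == {a, b})


def hops_to_known(transfers, hacker, known=KNOWN):
    """How many intermediaries separate a hacker address from the known address."""
    path = shortest_path(build_graph(transfers), hacker, known)
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    graph = build_graph(TRANSFERS)
    for name, addr in [("Nexus Mutual", NEXUS_HACKER), ("EasyFi", EASYFI_HACKER), ("FinNexus", FINNEXUS_HACKER)]:
        print(name, "->", " -> ".join(shortest_path(graph, addr, KNOWN)))
```

On these records the Nexus Mutual and EasyFi addresses reach the known address in one hop and the FinNexus address in five, which matches the article's description of a direct link versus a deliberately indirect one. On real data the edge list would come from an explorer's token-transfer export or from a node's logs, and the same search applies unchanged.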
Strange Characteristics of the FinNexus Hacker Address
I would like to point out some peculiar characteristics of address 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F, which belongs to the FinNexus attacker. While this address appears as a normal wallet in Etherscan, block explorers such as Bloxy and Bitquery reveal that the contract 0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F was created by address 0x78d147015a9ef3ed9f9011fa394561670dc787cb through this transaction.
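Whether an address is a plain wallet (externally owned account) or a contract should not be read off an explorer's label; the authoritative check is to ask a node for the code stored at the address with the eth_getCode JSON-RPC call, which returns "0x" for an account with no code. The block below is an added example, not code from the article: it builds that request, and classifies a response, including the EIP-1167 minimal-proxy pattern, which goes beyond the article's case. The RPC URL is a placeholder the reader must supply, and the sample responses are constructed so the classification runs offline.

```python
"""Classify an Ethereum address as EOA, contract or minimal proxy from eth_getCode output.

Added example. TARGET is the FinNexus address from the article; RPC_URL is a
placeholder. The SAMPLE_* responses are CONSTRUCTED stand-ins for node output.
"""
import json
import urllib.request

TARGET = "0x5EbC7d1Ff1687A75f76c3EdFAbCdE89D1C09Cd5F"  # from the article
RPC_URL = "https://<your-json-rpc-endpoint>"  # placeholder, not from the article

# EIP-1167 minimal proxy runtime bytecode: 10-byte prefix, 20-byte implementation, 15-byte suffix.
PROXY_PREFIX = "363d3d373d3d3d363d73"
PROXY_SUFFIX = "5af43d82803e903d91602b57fd5bf3"


def get_code_request(address, block="latest", req_id=1):
    """JSON-RPC payload for eth_getCode(address, block)."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_getCode",
            "params": [address, block]}


def fetch_code(rpc_url, address):
    """Send the request to a node and return the hex code string (network call, not used offline)."""
    body = json.dumps(get_code_request(address)).encode()
    req = urllib.request.Request(rpc_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]


def classify_code(code_hex):
    """Return (kind, implementation): kind is 'eoa', 'contract' or 'minimal_proxy'."""
    code = code_hex.lower()
    if code.startswith("0x"):
        code = code[2:]
    if code == "":
        return "eoa", None  # no code stored: an externally owned account
    # 45-byte EIP-1167 proxy: the implementation address sits between prefix and suffix.
    if len(code) == 90 and code.startswith(PROXY_PREFIX) and code.endswith(PROXY_SUFFIX):
        impl = "0x" + code[len(PROXY_PREFIX):len(PROXY_PREFIX) + 40]
        return "minimal_proxy", impl
    return "contract", None


# Constructed responses standing in for what a node would return.
SAMPLE_EOA = "0x"
SAMPLE_CONTRACT = "0x6080604052348015600f57600080fd5b50"  # generic Solidity preamble, constructed
SAMPLE_PROXY = "0x" + PROXY_PREFIX + "bebebebebebebebebebebebebebebebebebebebe" + PROXY_SUFFIX


if __name__ == "__main__":
    print(json.dumps(get_code_request(TARGET)))
    for sample in (SAMPLE_EOA, SAMPLE_CONTRACT, SAMPLE_PROXY):
        print(sample[:24], "->", classify_code(sample))
```

A contract at the "hacker" address means the transactions were issued by whoever controls the contract's creator or owner, which is why the article then pivots to the creating address 0x78d147015a9ef3ed9f9011fa394561670dc787cb.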
The Common Thread: Address 0x31499E
Therefore, the hacks against Nexus Mutual, EasyFi, and FinNexus are not only related in the nature of the attacks but are also connected to the same address: 0x31499E03303dd75851a1738E88972CD998337403. This suggests that all of these hacks were carried out by the same hacker (or the same group of hackers).
Tracing the Identity Behind the Known Address
Let us attempt to dig deeper into the known address 0x31499E03303dd75851a1738E88972CD998337403 and identify the person behind it.
Address 0x31499E03303dd75851a1738E88972CD998337403 had numerous interaction transactions with address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912, including 9 direct token transactions visible here.
The total number of direct interaction transactions between these two addresses was 18 transactions.
Next, address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 received its first deposit from address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B.
Address 0x834e6bedc304c4c610557e9ffaf0d4ec310b881b was created by address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4 in this transaction.
The total number of interaction transactions between addresses 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B and 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4 reached 35 transactions.
Identifying the Address Owner
Address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4 belongs to Anton Dziatkovskii. Anton Dziatkovskii publicly stated on the following social media channels that he owns address 0x0AAf72DA643570Da1bF76E8b3063C3f378b3D3D4:
Regarding Anton Dziatkovskii, we know he is a DeFi project platform developer, a smart contract developer and security specialist, a computer expert, a self-proclaimed white hat hacker, a cryptocurrency trader, and a manager of bug bounty programs for numerous projects.
Anton Dziatkovskii is also the co-founder of the MicroMoney project and the Director of Education at UBAI. One of the products developed by UBAI is the BTCNext exchange. Anton Dziatkovskii is also the co-founder of the QDAO DeFi project and a team member of the NoahCity project. He is the founder of Platinum Fund, which develops DeFi projects and blockchain solution platforms. Anton Dziatkovskii has a direct connection to the development of the SpaceSwap DeFi project and is possibly its co-founder. He managed the bounty program for SpaceSwap under the BitcoinTalk username Cubus.
Anton Dziatkovskii’s public profiles include:
Further On-Chain Links
Address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B had direct transactions with address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 — a total of 28 direct transactions. Additionally, several related transactions used the intermediary address 0xDaEB3B152bE7ac786E79122C4655594e7808587D.
Address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 is linked to Anton Dziatkovskii’s address 0x0aaf72da643570da1bf76e8b3063c3f378b3d3d4 through multiple transactions.
Address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 is also connected to address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912, which conducted many transactions with address 0x31499E03303dd75851a1738E88972CD998337403.
All of this means that the hacker’s address 0x31499E03303dd75851a1738E88972CD998337403 had numerous interaction transactions with address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912. Thus, two chains of transactions converge at address 0x0aaf72da643570da1bf76e8b3063c3f378b3d3d4, which belongs to Anton Dziatkovskii:
First chain: Through intermediary address 0x834e6BEdC304C4C610557e9fFAf0D4Ec310b881B (which funded address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912).
Second chain: Through intermediary address 0x4664db097caC5E006AC94705D3C778f2aC896AA8.
Smart Contract Connections
Address 0x4664db097caC5E006AC94705D3C778f2aC896AA8 was linked to address 0x5a6a52a7bf22813882e988135a7d2be805bb0649 through 69 transactions in total.
Address 0x5a6a52a7bf22813882e988135a7d2be805bb0649 is the creator of address 0x71e0d074bb70fdc5345f986e3435117f52afcebb.
This address is the creator of the QDAO token smart contract for the QDAO DeFi project, of which Anton Dziatkovskii is a co-founder.
Address 0x71e0d074bb70fdc5345f986e3435117f52afcebb is also the creator of the BNX token smart contract, belonging to the BTCNext exchange under the UBAI project, of which Anton Dziatkovskii is also a co-founder.
Address 0x5a6a52a7bf22813882e988135a7d2be805bb0649 also had direct transactions with address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2, as well as multiple transactions using intermediary address 0x3c586d0e07f312a180ec46d4c27d831731c41d23.
Address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2 is the creator of the MILK2 token and SHAKE token smart contracts belonging to the SpaceSwap project, with which Anton Dziatkovskii has a direct connection.
Address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2 is also the creator of the CNYQ token and JPYQ token smart contracts belonging to the QDAO DeFi project, of which Anton Dziatkovskii is also a co-founder.
Address 0x81cfe8efdb6c7b7218ddd5f6bda3aa4cd1554fd2 is the creator of the NOAH ARK token smart contract and the NOAHP token belonging to the NoahCity project, where Anton Dziatkovskii is a development team member.
Token Correlations Across Hacker Wallets
It is worth noting that many wallet addresses associated with the EasyFi hacker address 0x83a2EB63B6Cc296529468Afa85DbDe4A469d8B37 (including some intermediary addresses) hold MILK, MILK2, SHAKE, NOAH, and QDAO tokens in their balances.
Even address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 (which had many mutual transactions with the known hacker address 0x31499E03303dd75851a1738E88972CD998337403) contained these tokens.
Incidentally, address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 held BABYMILK tokens (SpaceSwap v2 BabyMilk test tokens). Furthermore, this address ranked 13th among holders of this token. Typically, a holder ranked this high is likely a co-owner or major investor in the project.
Additionally, address 0x1aa6eb6e5752cc57fd32c91c089083f7ac99c912 (which had multiple interaction transactions with the hacker address 0x31499E03303dd75851a1738E88972CD998337403) had a direct link to address 0x72d49544D17e3C98B0f94D97eE851981279f3aa9.
Address 0x72d49544D17e3C98B0f94D97eE851981279f3aa9 also belongs to the SpaceSwap project, as confirmed by its Rarible page.
Where Did the Stolen Funds Go?
Nexus Mutual Hacker’s Fund Movements
By examining block parameters, we determined that the Nexus Mutual hacker sent funds to:
- Converted renBTC to BTC via this transaction. Funds were withdrawn through a BTC transaction and then transferred to BTC address bc1qmyxuldmsec6xm7gm7dnmmth4lz776tr5mtluvp.
- Converted renBTC to BTC via this transaction. Funds were withdrawn through a BTC transaction and then transferred to BTC address bc1q6qsnqt98g3aggqy6adlpxkgngughwc66f93dve.
- Converted renBTC to BTC via this transaction. Funds were withdrawn through a BTC transaction and then transferred to BTC address bc1qun448hv5cudqlwrmghju58jnprkguy48emtj8a.
EasyFi Hacker’s Fund Movements
By examining block parameters, we determined that the EasyFi hacker sent funds to:
- Converted renBTC to BTC via this transaction. Funds were withdrawn through a BTC transaction and then transferred to BTC address bc1qfl085d0fxy8s6grja5qf8cgqvx8w94ufaygg9y.
- Converted renBTC to BTC via this transaction. Funds were withdrawn through a BTC transaction and then transferred to BTC address 17WFZENdcgkCvVjENQWJnqwXyiCkgTdGbi.
- Converted renBTC to BTC via this transaction. Funds were withdrawn through a BTC transaction and then transferred to BTC address 1395hgVUB2P7yv145sRbt6Ykbi3qargnoD.
- Converted renBTC to BTC via this transaction. Funds were withdrawn through a BTC transaction and then transferred to BTC address 1DzGYwnUKu9ukGBKm8kTvoezjfCQ2qLwYr.
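The exit points listed above are Bitcoin addresses in two encodings: bech32 (bc1q...) and legacy base58check. Before pivoting on such an address in another explorer it pays to verify its checksum, since a single mis-transcribed character silently points the investigation at a different (usually non-existent) destination. The block below is an added example, not code from the article: it implements the BIP-173 bech32 and base58check decoders, classifies each address by script type, and rejects anything whose checksum fails. The public BIP-173 and Bitcoin wiki test vectors are used for the checks; the article's addresses are simply run through the same function.

```python
"""Verify and classify Bitcoin destination addresses (bech32 and base58check).

Added example. Decoders follow BIP-173 (bech32) and base58check; the checked
vectors are the public BIP-173/wiki examples, the ARTICLE_EXITS are the article's.
"""
import hashlib

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

ARTICLE_EXITS = [  # BTC addresses quoted in the article
    "bc1qmyxuldmsec6xm7gm7dnmmth4lz776tr5mtluvp", "bc1q6qsnqt98g3aggqy6adlpxkgngughwc66f93dve",
    "bc1qun448hv5cudqlwrmghju58jnprkguy48emtj8a", "bc1qfl085d0fxy8s6grja5qf8cgqvx8w94ufaygg9y",
    "17WFZENdcgkCvVjENQWJnqwXyiCkgTdGbi", "1395hgVUB2P7yv145sRbt6Ykbi3qargnoD",
    "1DzGYwnUKu9ukGBKm8kTvoezjfCQ2qLwYr",
]


def _bech32_polymod(values):
    """BIP-173 checksum polynomial over 5-bit values."""
    gen = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def decode_bech32(addr):
    """Return (hrp, witness_version, program_bytes) for a valid bech32 address, else None.

    Only the bech32 constant (1) is checked, i.e. witness version 0; version 1+
    addresses use bech32m (constant 0x2bc830a3) and are reported as invalid here.
    """
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is forbidden by BIP-173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data_part = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data_part):
        return None
    data = [BECH32_CHARSET.index(c) for c in data_part]
    if _bech32_polymod(_hrp_expand(hrp) + data) != 1:
        return None
    version, program = data[0], data[1:-6]  # last six symbols are the checksum
    return hrp, version, (len(program) * 5) // 8


def decode_base58check(addr):
    """Return (version_byte, payload) if the double-SHA256 checksum verifies, else None."""
    n = 0
    for c in addr:
        if c not in BASE58_ALPHABET:
            return None
        n = n * 58 + BASE58_ALPHABET.index(c)
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload[0], payload[1:]


def classify_btc_address(addr):
    """Map an address to P2WPKH, P2WSH, P2PKH or P2SH, or 'invalid' if no checksum verifies."""
    decoded = decode_bech32(addr)
    if decoded is not None:
        hrp, version, program_len = decoded
        if hrp == "bc" and version == 0 and program_len == 20:
            return "P2WPKH"
        if hrp == "bc" and version == 0 and program_len == 32:
            return "P2WSH"
        return "invalid"
    decoded = decode_base58check(addr)
    if decoded is not None:
        version, payload = decoded
        if version == 0x00 and len(payload) == 20:
            return "P2PKH"
        if version == 0x05 and len(payload) == 20:
            return "P2SH"
    return "invalid"


if __name__ == "__main__":
    for exit_addr in ARTICLE_EXITS:
        print(exit_addr, "->", classify_btc_address(exit_addr))
```

Running the article's addresses through classify_btc_address is a cheap sanity check on the transcription: any that come back as invalid should be re-read from the original transaction rather than searched for.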
FinNexus Hacker’s Fund Movements
By examining block parameters, we determined that at the time of writing, the FinNexus hacker had only made one Tornado Cash deposit.
We observed that the hacker withdrew funds through a Tornado Cash transaction, meaning ETH address 0x996f5CcbF2856137744603b382dE559b78a096fC was the recipient of 10 ETH sent by the FinNexus hacker via Tornado Cash.
Conclusion
Our on-chain investigation reveals compelling evidence that the attacks against Nexus Mutual, EasyFi, and FinNexus were orchestrated by the same individual or group. All three hacker addresses share connections to the common address 0x31499E03303dd75851a1738E88972CD998337403, and multiple transaction chains lead back to wallets associated with addresses that created smart contracts for projects co-founded by the same individual. The attackers employed similar methodologies — targeting private keys and wallets rather than exploiting smart contract vulnerabilities — and used common money laundering techniques including renBTC-to-BTC conversions and Tornado Cash deposits to obscure the trail of stolen funds.
Source: pastebin.com
Content collected from the internet; compiled by BTCover. In case of infringement, please contact the site administrator and it will be removed promptly.