Wanna know how MistTrack can "demix" Tornado Cash Withdrawals?
We designed a dashboard on @DuneAnalytics to filter out potential Tornado cash withdrawals addresses, and then used our #MistTrack AML platform to validate our findings.
Here's how it works 🧵👇
We designed a dashboard on @DuneAnalytics to filter out potential Tornado cash withdrawals addresses, and then used our #MistTrack AML platform to validate our findings.
Here's how it works 🧵👇
For our analysis, we will be investigating a hacking incident. One of the addresses is 0x34a17418cEC67B82D08Cf77A987941F99DC87c6b.
According to MistTrack, it has deposited 11500 $ETH to the @TornadoCash 100 ETH contract address.
misttrack.io/s/ZYfOo
According to MistTrack, it has deposited 11500 $ETH to the @TornadoCash 100 ETH contract address.
misttrack.io/s/ZYfOo
To help reduce the size of possible addresses, all you have to do is enter the following parameters into our dashboard.
1⃣ block_number_range
2⃣ contract_address
3⃣ stolen_block_number
4⃣ withdrawl_number
dune.com/awesome/Tornad…
1⃣ block_number_range
2⃣ contract_address
3⃣ stolen_block_number
4⃣ withdrawl_number
dune.com/awesome/Tornad…
We've set the block_number_range to default at 50000 blocks or about 8 days and the withdrawal_number to default at 6.
These parameters can be adjusted based on the scope of the investigation.
To learn more about the description of each parameter, check out the image below.
These parameters can be adjusted based on the scope of the investigation.
To learn more about the description of each parameter, check out the image below.
In order to find the stolen_block_number, we just have to find the block number of the first deposit into Tornado Cash. Which is 11111343 in this case.
As for the contract_address, we will be using the Tornado Cash 100 ETH contract address.
As for the contract_address, we will be using the Tornado Cash 100 ETH contract address.
Here's what happened after we input the parameters.
As you can see from the image, there were 10 potential addresses related to this incident. The count represents the number of withdrawals each address had with the TC 100 $ETH contract address.
Ex: 29 count = 29 X 100 ETH
As you can see from the image, there were 10 potential addresses related to this incident. The count represents the number of withdrawals each address had with the TC 100 $ETH contract address.
Ex: 29 count = 29 X 100 ETH
You may be wondering how are we even sure these addresses are related?
This could be the actions of 10 individuals who just so happened to use 🌪️💸 around the same time.
Before we answer that, let's just go through some of these addresses with #MistTrack.
This could be the actions of 10 individuals who just so happened to use 🌪️💸 around the same time.
Before we answer that, let's just go through some of these addresses with #MistTrack.
To get started, all you have to do is select the type of asset and then enter the address you wish to search.
Let’s start with 0xc6...b2c6(Address 1). It received 29 withdrawals or a total of 2900 $ETH from the CT 100 ETH contract.
Wanna know where the funds were sent next?
Let’s start with 0xc6...b2c6(Address 1). It received 29 withdrawals or a total of 2900 $ETH from the CT 100 ETH contract.
Wanna know where the funds were sent next?
All ~2,900 ETH were first sent to a proxy address, and then sent to different @ChangeNOW_io addresses in increments of ~50 #ETH.
Well that's just for one address, what about the other addresses?
misttrack.io/s/i53kw
Well that's just for one address, what about the other addresses?
misttrack.io/s/i53kw
Address 2: 0xdc....ac09
Total Withdrawals Count: 22
The pattern is almost IDENTICAL to address 1.
1⃣ Sent all funds to another proxy address.
2⃣ Deposit all funds to @ChangeNOW_io in increments of ~50 $ETH.
Once is a chance, twice is coincidence, third time's a pattern!
Total Withdrawals Count: 22
The pattern is almost IDENTICAL to address 1.
1⃣ Sent all funds to another proxy address.
2⃣ Deposit all funds to @ChangeNOW_io in increments of ~50 $ETH.
Once is a chance, twice is coincidence, third time's a pattern!
Address 3: 0xd5....2f88
Total Withdrawals Count: 22
It's not exactly the same, but the majority of funds were still sent to @ChangeNOW_io and other mixer platforms in 50 ETH increments. Some were even sent to @binance.
So what about the rest of the addresses?
Total Withdrawals Count: 22
It's not exactly the same, but the majority of funds were still sent to @ChangeNOW_io and other mixer platforms in 50 ETH increments. Some were even sent to @binance.
So what about the rest of the addresses?
Address 4: 0xa4....922f ➡️ Count: 17
Address 5: 0x4a....3048 ➡️ Count: 14
Address 6: 0x0e....e465 ➡️Count: 11
Almost EXACTLY identical to address 1-3.
The remaining four addresses didn't show any similar traits, but it didn't matter.
Here's why👇
Address 5: 0x4a....3048 ➡️ Count: 14
Address 6: 0x0e....e465 ➡️Count: 11
Almost EXACTLY identical to address 1-3.
The remaining four addresses didn't show any similar traits, but it didn't matter.
Here's why👇
If we combine all the ETH from addresses 1-6, it'll equal the exact amount of ETH deposited into Tornado Cash by the hacker.
Address 1: 2900
Address 2: 2200
Address 3: 2200
Address 4: 1700
Address 5: 1400
Address 6: 1100
Total ETH: 11,500 $ETH
Address 1: 2900
Address 2: 2200
Address 3: 2200
Address 4: 1700
Address 5: 1400
Address 6: 1100
Total ETH: 11,500 $ETH
https://twitter.com/MistTrack_io/status/1574803662899187722
Obviously our dashboard is geared towards larger transactions and you're not gonna find the exact amount every time.
However it does help significantly reduce the scope of the search and the chances of tracking down the stolen fund can be greatly increased with #MistTrack.
However it does help significantly reduce the scope of the search and the chances of tracking down the stolen fund can be greatly increased with #MistTrack.
In case you didn't know, we're having a competition right now to help combat malicious actors in this space.
Sign up today at MistTrack.io and receive the first month on us. You don’t even need an email to get started. Simply login via Metamask or Wallet Connect.
Sign up today at MistTrack.io and receive the first month on us. You don’t even need an email to get started. Simply login via Metamask or Wallet Connect.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
