MistTrack
Sep 27 15 tweets 8 min read
Wanna know how MistTrack can "demix" Tornado Cash Withdrawals?

We designed a dashboard on @DuneAnalytics to filter out potential Tornado Cash withdrawal addresses, and then used our #MistTrack AML platform to validate our findings.

Here's how it works 🧵👇
For our analysis, we will be investigating a hacking incident. One of the addresses is 0x34a17418cEC67B82D08Cf77A987941F99DC87c6b.

According to MistTrack, it has deposited 11500 $ETH to the @TornadoCash 100 ETH contract address.

misttrack.io/s/ZYfOo
To help reduce the size of possible addresses, all you have to do is enter the following parameters into our dashboard.

1⃣ block_number_range
2⃣ contract_address
3⃣ stolen_block_number
4⃣ withdrawl_number

dune.com/awesome/Tornad…
We've set the block_number_range to default at 50000 blocks or about 8 days and the withdrawal_number to default at 6.

These parameters can be adjusted based on the scope of the investigation.

To learn more about the description of each parameter, check out the image below.
To find the stolen_block_number, we just have to find the block number of the first deposit into Tornado Cash, which is 11111343 in this case.

As for the contract_address, we will be using the Tornado Cash 100 ETH contract address.
Here's what happened after we input the parameters.

As you can see from the image, there were 10 potential addresses related to this incident. The count represents the number of withdrawals each address had with the TC 100 $ETH contract address.
Ex: 29 count = 29 X 100 ETH
You may be wondering how we can even be sure these addresses are related.

This could be the actions of 10 individuals who just so happened to use 🌪️💸 around the same time.

Before we answer that, let's just go through some of these addresses with #MistTrack.
To get started, all you have to do is select the type of asset and then enter the address you wish to search.

Let’s start with 0xc6...b2c6 (Address 1). It received 29 withdrawals, or a total of 2900 $ETH, from the TC 100 ETH contract.

Wanna know where the funds were sent next?
All ~2,900 ETH were first sent to a proxy address, and then sent to different @ChangeNOW_io addresses in increments of ~50 #ETH.
Well, that's just one address. What about the other addresses?

misttrack.io/s/i53kw
Address 2: 0xdc....ac09
Total Withdrawals Count: 22

The pattern is almost IDENTICAL to address 1.
1⃣ Sent all funds to another proxy address.
2⃣ Deposit all funds to @ChangeNOW_io in increments of ~50 $ETH.

Once is a chance, twice is coincidence, third time's a pattern!
Address 3: 0xd5....2f88
Total Withdrawals Count: 22

It's not exactly the same, but the majority of funds were still sent to @ChangeNOW_io and other mixer platforms in 50 ETH increments. Some were even sent to @binance.

So what about the rest of the addresses?
Address 4: 0xa4....922f ➡️ Count: 17
Address 5: 0x4a....3048 ➡️ Count: 14
Address 6: 0x0e....e465 ➡️ Count: 11

Almost EXACTLY identical to addresses 1-3.

The remaining four addresses didn't show any similar traits, but it didn't matter.

Here's why👇
If we combine all the ETH from addresses 1-6, it'll equal the exact amount of ETH deposited into Tornado Cash by the hacker.

Address 1: 2900
Address 2: 2200
Address 3: 2200
Address 4: 1700
Address 5: 1400
Address 6: 1100

Total ETH: 11,500 $ETH
Obviously our dashboard is geared towards larger transactions and you're not gonna find the exact amount every time.

However, it does help significantly reduce the scope of the search, and the chances of tracking down the stolen funds can be greatly increased with #MistTrack.
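
The filtering and the amount check described in this thread, as an added Python example; it is not MistTrack's dashboard query. The function and parameter names, the reading of withdrawal_number as a minimum count per address, the window starting at stolen_block_number, and all sample rows (including the counts for addresses 7 to 10) are assumptions.

```python
from collections import Counter
from itertools import combinations

DENOMINATION_ETH = 100      # TC 100 ETH pool, as in the thread
STOLEN_BLOCK = 11111343     # block of the first deposit, as in the thread

def candidate_addresses(withdrawals, stolen_block, block_range=50000, min_withdrawals=6):
    """Count pool withdrawals per recipient inside the block window and keep
    recipients with at least min_withdrawals (assumed meaning of the parameter)."""
    last_block = stolen_block + block_range
    counts = Counter(addr for block, addr in withdrawals
                     if stolen_block <= block <= last_block)
    return {addr: n for addr, n in counts.items() if n >= min_withdrawals}

def subsets_matching_deposit(candidates, deposited_eth, denomination=DENOMINATION_ETH):
    """Return every group of candidates whose withdrawals add up to the deposit."""
    target = deposited_eth // denomination
    names = sorted(candidates)
    return [combo
            for size in range(1, len(names) + 1)
            for combo in combinations(names, size)
            if sum(candidates[a] for a in combo) == target]

def build_sample():
    """Constructed withdrawal log as (block_number, recipient) rows. Counts for
    address_1..6 come from the thread; everything else is made up."""
    per_address = {"address_1": 29, "address_2": 22, "address_3": 22,
                   "address_4": 17, "address_5": 14, "address_6": 11,
                   "address_7": 9, "address_8": 8, "address_9": 7,
                   "address_10": 6, "low_count": 3}
    rows = []
    for i, (addr, n) in enumerate(per_address.items()):
        rows += [(STOLEN_BLOCK + 100 * (i + 1) + 10 * j, addr) for j in range(n)]
    rows += [(STOLEN_BLOCK - 5, "before_window")] * 8      # too early
    rows += [(STOLEN_BLOCK + 60000, "after_window")] * 8   # past the 50000-block window
    return rows

if __name__ == "__main__":
    found = candidate_addresses(build_sample(), STOLEN_BLOCK)
    for addr, n in sorted(found.items(), key=lambda kv: -kv[1]):
        print(f"{addr}: {n} withdrawals = {n * DENOMINATION_ETH} ETH")
    groups = subsets_matching_deposit(found, 11500)
    print(f"{len(groups)} groups sum to 11500 ETH")
```

On the constructed data, five different groups of addresses add up to 11,500 ETH, so the amount match corroborates a grouping already picked out by the downstream transfer pattern rather than identifying it alone.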
In case you didn't know, we're having a competition right now to help combat malicious actors in this space.

Sign up today at MistTrack.io and receive the first month on us. You don’t even need an email to get started. Simply log in via Metamask or Wallet Connect.
