1/ Throughout this year I have been monitoring someone who has withdrawn 11,200+ ETH ($25M) from Tornado Cash and spent the majority of it on Magic: The Gathering (MTG) trading cards.
Here’s my analysis of where the funds went and what the potential source of funds could be.
2/ This person has withdrawn 110 X 100 ETH from Tornado to 11 addresses.
Afterwards they would: 1) wrap the ETH, 2) transfer the WETH to a new address, 3) unwrap the WETH, 4) transfer USDC to the MTG broker.
(This is a strategy used to trick KYT at exchanges.)
3/ After that, USDC was sent to a US-based MTG broker that accepts crypto.
How did I find the broker used?
1) The Instagram username was the same as on OpenSea.
2) I directly contacted a few MTG sellers the broker interacted with on-chain.
Using timing and multi-denomination reveal heuristics I arrived at the thesis that the funds potentially originated from the $50M Uranium Finance hack that occurred in April 2021.
Anubis, however, had previously and potentially been solved, and Casino did not deposit enough ETH earlier in the year to match the withdrawals of this person.
7/ Here’s some of my rationale behind it being the Uranium hacker:
On Oct 4, 2022 the Uranium hacker deposited 5.01 ETH total to Aztec (privacy tool) at 22:03 UTC.
8/ In March 2023 the Uranium hacker deposited 52 X 100 ETH to Tornado, and this person received 52 X 100 ETH.
March 6 & 14: Uranium hacker deposits 52 X 100 ETH to Tornado.
March 7 & 15: Our person withdrew huge volumes from Tornado.
After they finished, the Uranium hacker deposited more in May.
9/ While my analysis could be incorrect, I find it very suspicious that this person:
- spends 8 figures on MTG
- is overpaying for MTG
- shields identity through a broker who likely does not know what Tornado is
- receives $13.2M from Tornado post-OFAC while in the US
- uses the WETH method to obfuscate the source
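The two analytic techniques the thread relies on, following funds through the wrap/transfer/unwrap hop and matching deposit and withdrawal denominations in time, can be expressed as simple tracing code. The block below is an added example written for this page, not the author's tooling; every address label and transaction in it is constructed for illustration (the page gives no real addresses). It shows why a tracer that only follows native ETH loses the trail at the WETH transfer, while one that also follows WETH and stablecoin transfers carries the mixer label all the way to the broker payment, and it implements the timing/denomination match as a count of same-size deposits followed by withdrawals inside a window.

```python
"""Mixer-taint tracing across a WETH wrap/transfer/unwrap hop, plus a
timing/denomination match. All addresses and transactions are constructed."""
from dataclasses import dataclass

# Constructed labels standing in for on-chain addresses (not from the page).
TORNADO_POOL = "tornado:100eth"
WETH_CONTRACT = "weth"
DEX_ROUTER = "dex_router"
BROKER = "mtg_broker"
# Contracts that hold funds only transiently; taint should not "stick" to them.
PASS_THROUGH = {WETH_CONTRACT, DEX_ROUTER}


@dataclass(frozen=True)
class Tx:
    ts: int        # unix seconds
    sender: str
    receiver: str
    token: str     # "ETH", "WETH" or "USDC"
    amount: float


# Constructed sample: one 100 ETH withdrawal routed as the thread describes.
SAMPLE_TXS = [
    Tx(1000, TORNADO_POOL, "addr_a", "ETH", 100.0),      # withdraw from mixer
    Tx(1100, "addr_a", WETH_CONTRACT, "ETH", 100.0),      # 1) wrap ETH -> WETH
    Tx(1200, "addr_a", "addr_b", "WETH", 100.0),          # 2) move WETH to new address
    Tx(1300, "addr_b", WETH_CONTRACT, "WETH", 100.0),     # 3) unwrap
    Tx(1301, WETH_CONTRACT, "addr_b", "ETH", 100.0),
    Tx(1400, "addr_b", DEX_ROUTER, "ETH", 100.0),         # swap ETH -> USDC (simplified)
    Tx(1401, DEX_ROUTER, "addr_b", "USDC", 160000.0),
    Tx(1500, "addr_b", BROKER, "USDC", 160000.0),         # 4) pay the broker
]


def trace_taint(txs, sources, tracked_tokens):
    """Forward-propagate a 'came from a mixer' label along transfers whose
    token is in tracked_tokens. Returns {address: hop path from the source}.
    Pass-through contracts never become tainted themselves; the taint stays
    with the externally owned address that deposited into them."""
    tainted = {s: [s] for s in sources}
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.token not in tracked_tokens or tx.receiver in PASS_THROUGH:
            continue
        if tx.sender in tainted and tx.receiver not in tainted:
            tainted[tx.receiver] = tainted[tx.sender] + [tx.receiver]
    return tainted


DAY = 86400
# Constructed deposits by a suspected source and withdrawals by the candidate.
SAMPLE_DEPOSITS = [
    Tx(0, "suspected_source", TORNADO_POOL, "ETH", 100.0),
    Tx(3600, "suspected_source", TORNADO_POOL, "ETH", 100.0),
    Tx(5 * DAY, "suspected_source", TORNADO_POOL, "ETH", 100.0),
]
SAMPLE_WITHDRAWALS = [
    Tx(1 * DAY, TORNADO_POOL, "addr_a", "ETH", 100.0),
    Tx(1 * DAY + 600, TORNADO_POOL, "addr_c", "ETH", 100.0),
    Tx(30 * DAY, TORNADO_POOL, "addr_d", "ETH", 100.0),
]


def match_denominations(deposits, withdrawals, denom, window):
    """Count deposits of exactly `denom` that are followed, within `window`
    seconds, by a not-yet-matched withdrawal of the same denomination.
    Returns (matched, total_deposits); a high ratio supports a link hypothesis
    but, as the thread notes, does not prove it."""
    deps = sorted((d for d in deposits if d.amount == denom), key=lambda t: t.ts)
    wds = sorted((w for w in withdrawals if w.amount == denom), key=lambda t: t.ts)
    used, matched = set(), 0
    for d in deps:
        for i, w in enumerate(wds):
            if i not in used and d.ts <= w.ts <= d.ts + window:
                used.add(i)
                matched += 1
                break
    return matched, len(deps)


if __name__ == "__main__":
    naive = trace_taint(SAMPLE_TXS, {TORNADO_POOL}, {"ETH", "USDC"})
    full = trace_taint(SAMPLE_TXS, {TORNADO_POOL}, {"ETH", "WETH", "USDC"})
    print("ETH-only tracer reaches broker:", BROKER in naive)       # False
    print("ETH+WETH tracer path:", full.get(BROKER))                # via addr_a, addr_b
    print("denomination matches:", match_denominations(
        SAMPLE_DEPOSITS, SAMPLE_WITHDRAWALS, 100.0, 2 * DAY))       # (2, 3)
```

The ETH-only run stops at `addr_a` because the only transfer out of it is an ERC-20 `WETH` transfer, which is exactly the blind spot the thread says the method exploits; tracking token transfers alongside native value closes it. The denomination matcher is deliberately greedy and one-to-one so that a single withdrawal cannot "explain" several deposits.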
3/ At first the attacker communicated to the Prisma deployer that the attack was whitehat.
Later that day all of the funds were deposited to Tornado Cash, contradicting that statement.
The exploiter began making outrageous demands and asked for a $3.8M (34%) whitehat bounty.
This amount is significantly higher than the industry standard 10%, essentially extorting the team, as the treasury does not have sufficient assets to reimburse users.
1/ An investigation into the French dev Jolan Lacroix who recently stole $900K from the TICKER presale on Base before spending the funds on meme coins and Milady NFTs.
2/ TICKER launched a presale on March 16 raising a total of 877 ETH ($3.19M) via Party App on Base.
The token distribution was supposed to be: 24% LP, 71% presale/airdrops, 1% early contributors, 4% reserved for errors.
The team was fully anon.
3/ Immediately after TGE is where things went bad.
15% of the TICKER supply was sent to a dev (Jolan) assisting with the project to distribute the airdrop.
Instead of doing this, Jolan sold 13% of the supply for $900K, rugging everyone supporting the project.
1/ An investigation into the phishing scammer Ultra (Nicolas) who has stolen millions through Discord compromises such as MetaKey and X/Twitter spam just to spend it all gambling on Stake, rare usernames, and Roblox items.
2/ In Feb 2023 the Dead Army Skeleton Discord was compromised after an admin was phished.
The attacker spammed phishing links in the announcements channel, with funds ending up at offtherip.eth and Monkey Drainer.
1/ An investigation into how the influencer Crypto Rover ghosted a project he was paid to promote, misled followers about his trading positions, and shilled pump-and-dump meme coins.
2/ In May 2023 Rover was connected with a project to help promote it.
During negotiations Rover said he can “pump projects from 1/2m to 10m easy”.
They agreed on $10K + 1% of the supply for payment.