FTX&3commas API theft on-chain traceability AND Bittrex attack warning
0x302a
October 24th, 2022

This article is jointly published by X-explore and WuBlockchain.

X-explore found that the attackers behind the FTX&3commas API theft also attacked the Binance US and Bittrex exchanges, stealing 1053 ETH and 301 ETH respectively. At the time of writing, the attack on Bittrex is still in progress, and the attacker is suspected of using the NXT/BTC trading pair to carry it out.

1. Background

To help users and market makers conduct high-frequency and quantitative trading, exchanges provide API interfaces for trading, asset queries and withdrawals. DEX platforms such as DYDX also provide API interfaces.

Because of this, many trading-bot services on the market use these API interfaces to offer quantitative trading, grid trading and back-testing on historical data. Well-known platforms include 3Commas, Cryptohopper and Quadency. The same APIs are also used to implement tax calculation and generate annual tax reports for users; well-known platforms include TokenTax and CoinTracker.

On October 21st, a Twitter user claimed that his FTX account was stolen on October 19 and that he lost $1.6 million (160W) through the API interface in the DMG/USD trading pair.

On October 24th, FTX founder SBF tweeted that FTX will provide about $6 million in compensation to account holders affected by the phishing incident, and posted 3 attacker addresses:

a) 0x6D3e6Ba1b510287141b27F763A86E04c72a001D1
b) 0xaB8bd0D4Eda57cd9EE5A058e498A791dF13dFA65
c) 0x87c828593984381E50D55F755B8462e074047Cf7

X-explore conducted an in-depth on-chain analysis.

2. On-chain traceability analysis

2.1 FTX ATTACKER ADDRESS IOCs

The attacker used multiple addresses and interacted with multiple exchanges; we describe them one by one:

ATTACKER WITHDRAWAL ADDRESSES FROM FTX:

According to SBF's tweet, the attacker gained about $6 million (600W). In fact, the 3 addresses provided by SBF hold a total of about 2000 ETH. Through on-chain mining, we added 2 related attacker addresses which also withdrew ETH from FTX.

0x6D3e6Ba1b510287141b27F763A86E04c72a001D1 (890 ETH)
0xaB8bd0D4Eda57cd9EE5A058e498A791dF13dFA65 (824 ETH)
0x87c828593984381E50D55F755B8462e074047Cf7 (1112 ETH)
0xeEc49F195096389E725ade6aAb49Db779EF3b881 (972 ETH)
0xcA92077aCD49b523045754C1fE3Ccc1D7710b119 (170 ETH)

ATTACKER PERSONAL ADDRESSES:
The attacker uses many addresses to move ETH around. We provide some of them.

0xdd7D5f5eCE60b859430C7a56e3d5942238141560
0x948d5194E37F022cBD7b26B6c0560fE804bA7F6f
0xaeECB7860Eb6D7929Be5Bb34Ce94F21Befc6ead3
0x929c271d123041A142bF1575ea0026F1D8Fa7C49
0xf261F3c80d1226583EaeCbdA62DDefFD676E237a
0x1321af1a1b26374807e8cc31838A2c914031DA86

ATTACKER DEPOSIT ADDRESSES IN CEXs:

The attacker deposits ETH to CEXs; we provide the CEX deposit addresses. All deposits to FTX are small amounts of ETH, used as the starting capital for the attack. The deposits to BINANCE and FixedFloat are the attacker's way of using CEXs to launder the funds.

0x133824f213778Ac5193a2bC8b2e987E9dDd739B1 (FTX Deposit 19.9 ETH)
0xcE7aB58A1CDBA37c17E7d8C4569ec6803b8126eF (FTX Deposit 20.09 ETH)
0xC3Bb6dA4182175f9316f3a705D22Ee382Fb825bB (FTX Deposit 66.41 ETH)
0x2B390759EE8b5222AE59BBAa92d2c904ec09FdB2 (FTX Deposit 20 ETH)
0x0Ee325A15FC9257166089335C98d344E8dBfa5fc (BINANCE Deposit 500 ETH)
0x6108c4D519CEAF61022DC57512Df5c9D1059bB44 (FixedFloat Deposit 45 ETH)
0x44a4718064E383ad30b56349fC5F1845C721D056 (FixedFloat Deposit 45 ETH)
(Other FixedFloat 40+ Addresses with Deposit 45 ETH Each)
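The deposit addresses above are the end points of the fund flow; the withdrawal addresses at the top of this section are its start points, and the personal addresses sit in between as hops. The following is an added example (not X-explore's tooling) of how an analyst can join those three lists against a set of transfer records to enumerate every attacker-to-exchange path and its hop count. The IOC addresses are the ones quoted in this article; the transfer records, amounts and the unrelated depositor address are constructed for illustration and are not real on-chain data.

```python
"""Trace how ETH withdrawn to the attacker addresses reaches known CEX deposit
addresses through one or more transfer hops.

Added example for this article, not X-explore tooling. The IOC addresses are
the ones quoted in the article; the transfer records below are CONSTRUCTED for
illustration and are not real on-chain transactions.
"""
from collections import defaultdict

# Attacker withdrawal addresses from FTX (quoted from the article).
FTX_WITHDRAWAL_ADDRESSES = {
    "0x6D3e6Ba1b510287141b27F763A86E04c72a001D1",
    "0xaB8bd0D4Eda57cd9EE5A058e498A791dF13dFA65",
    "0x87c828593984381E50D55F755B8462e074047Cf7",
    "0xeEc49F195096389E725ade6aAb49Db779EF3b881",
    "0xcA92077aCD49b523045754C1fE3Ccc1D7710b119",
}

# CEX deposit addresses the attacker used (quoted from the article).
CEX_DEPOSIT_ADDRESSES = {
    "0x0Ee325A15FC9257166089335C98d344E8dBfa5fc": "Binance",
    "0x6108c4D519CEAF61022DC57512Df5c9D1059bB44": "FixedFloat",
    "0x44a4718064E383ad30b56349fC5F1845C721D056": "FixedFloat",
}

# Intermediate ("personal") addresses from the article, used as hops below.
HOP_A = "0xdd7D5f5eCE60b859430C7a56e3d5942238141560"
HOP_B = "0x948d5194E37F022cBD7b26B6c0560fE804bA7F6f"
# Constructed placeholder for an unrelated depositor (not from the article).
UNRELATED = "0x" + "0" * 36 + "0bad"

# CONSTRUCTED transfers: (from, to, amount in ETH). Amounts are illustrative.
SAMPLE_TRANSFERS = [
    ("0x6D3e6Ba1b510287141b27F763A86E04c72a001D1", HOP_A, 500.0),
    (HOP_A, "0x0Ee325A15FC9257166089335C98d344E8dBfa5fc", 500.0),
    ("0x87c828593984381E50D55F755B8462e074047Cf7",
     "0x6108c4D519CEAF61022DC57512Df5c9D1059bB44", 45.0),
    ("0x87c828593984381E50D55F755B8462e074047Cf7", HOP_B, 90.0),
    (HOP_B, "0x44a4718064E383ad30b56349fC5F1845C721D056", 45.0),
    (UNRELATED, "0x0Ee325A15FC9257166089335C98d344E8dBfa5fc", 10.0),
]


def norm(addr):
    """Ethereum addresses are case-insensitive hex; compare them lowercased."""
    return addr.lower()


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, eth), ...]."""
    graph = defaultdict(list)
    for src, dst, eth in transfers:
        graph[norm(src)].append((norm(dst), eth))
    return graph


def trace_flows(transfers, sources=FTX_WITHDRAWAL_ADDRESSES,
                sinks=CEX_DEPOSIT_ADDRESSES, max_hops=5):
    """Depth-first walk from each source address; every path that ends at a
    known CEX deposit address is reported with its hop count and the amount of
    the final deposit. Paths are cycle-free and capped at max_hops."""
    graph = build_graph(transfers)
    sink_labels = {norm(a): label for a, label in sinks.items()}
    flows = []
    for src in sorted(norm(s) for s in sources):
        stack = [(src, [src])]
        while stack:
            node, path = stack.pop()
            if len(path) - 1 >= max_hops:
                continue
            for nxt, eth in graph.get(node, []):
                if nxt in path:          # guard against circular transfers
                    continue
                new_path = path + [nxt]
                if nxt in sink_labels:
                    flows.append({
                        "source": src,
                        "exchange": sink_labels[nxt],
                        "deposit_address": nxt,
                        "hops": len(new_path) - 1,
                        "path": new_path,
                        "deposit_eth": eth,
                    })
                else:
                    stack.append((nxt, new_path))
    return flows


def summarize_by_exchange(flows):
    """Total ETH that reached each exchange via traced attacker paths."""
    totals = defaultdict(float)
    for f in flows:
        totals[f["exchange"]] += f["deposit_eth"]
    return dict(totals)


if __name__ == "__main__":
    traced = trace_flows(SAMPLE_TRANSFERS)
    for f in traced:
        print(f"{f['hops']} hop(s) -> {f['exchange']}: "
              f"{' -> '.join(f['path'])} ({f['deposit_eth']} ETH)")
    print(summarize_by_exchange(traced))
```

The unrelated deposit to the Binance address is deliberately not reported: a deposit address is only evidence when the funds reaching it can be walked back to an attacker-controlled source, which is why the walk starts from the withdrawal addresses rather than from the exchange side.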

2.2 Other CEX attack analysis

2.2.1 Binance US

Based on the second address (0xaeECB7860Eb6D7929Be5Bb34Ce94F21Befc6ead3) published on Twitter, we found an API theft attack against Binance US. The attack occurred between October 13th and October 17th, and a total of 1053 ETH was stolen; the associated attacker address is 0xaeECB7860Eb6D7929Be5Bb34Ce94F21Befc6ead3. From the flow of funds, we can see that most of the stolen funds are collected into various exchanges through one or more transfer hops.

Furthermore, we found that the attackers were suspected of using the SYS/USD trading pair for the asset transfer. It generates a large number of transactions in a short period of time, and the attacker's on-chain withdrawals all occur within a short period after the trading ends.

2.2.2 Bittrex

Based on the first address (0x6D3e6Ba1b510287141b27F763A86E04c72a001D1) published on Twitter, we found an API theft attack against Bittrex. The attack occurred between October 23 and October 24, and a total of 301 ETH was stolen. The associated attacker addresses are as follows.

0xD72ca629b850D3BB0bb07BfE160dEB9D83aCd66E
0xcAdc25c58d1106587235B0e0F5Df58F7B2480391
0xdD7BBF14960fFaBE66911A689c27ff095b9393b7
0x81866E125A6a750EE7BCB891e924e549768D28B0
0x2a03C993d5d448dCBB5284d58920Ca48E9D366E4
0x7dDB99087304D9A5E029ddeC1771E95df7b07002

In the spot trading volume ranking currently displayed on BITTREX, the NXT token ranks second. This currency is only listed on BITTREX and Poloniex, and it had basically no trading volume before October 23. It is very likely that the attacker is using the NXT/BTC trading pair to carry out the attack.

3. X-explore Comment

This incident revealed a new method of theft, in which attackers move assets between different accounts by controlling the trades themselves. It should prompt exchanges to reflect on several points.

  1. Basic security: From a security perspective, the least reliable element is human nature. Therefore, exchanges need to design more secure product logic so that users are not harmed by phishing attacks, without affecting the user experience.

  2. Spot token security: To provide users with more trading options, the top exchanges have listed a large number of tokens. After the market popularity of some tokens passed, their trading volume dropped sharply, but the exchanges did not delist them. According to CoinMarketCap data, the Gateio and MEXC exchanges both support 1000+ spot trading pairs.

  3. Transaction security: Based on the trading volume chart of FTX's DMG/USD pair, when the attack occurs the trading volume increases by a thousand times and the price fluctuates by 2-3 times, which is a clearly abnormal trading event.
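Point 3 describes two signals an exchange's market surveillance can act on: a volume spike of roughly a thousand times on a thin pair, and an intra-period price swing of 2-3x. The following is an added example (not FTX's or X-explore's detection logic) that applies both signals to hourly candles. The candle data is constructed so that the 24 baseline hours are quiet and the next two resemble the pattern described; the thresholds are parameters chosen to match the article's figures, not any vendor's defaults.

```python
"""Flag abnormal trading on a thin spot pair from hourly candles.

Added example, not FTX's or X-explore's detection logic. It applies the two
signals the article names (volume up ~1000x, price swinging 2-3x) to
CONSTRUCTED candle data; thresholds are parameters, not vendor defaults.
"""
from statistics import median

# CONSTRUCTED hourly candles: (hour, open, high, low, close, volume_usd).
# 24 quiet hours of roughly $500/h, then an attack-like burst, then calm.
SAMPLE_CANDLES = [(h, 1.00, 1.02, 0.98, 1.00, 500.0) for h in range(24)] + [
    (24, 1.00, 2.60, 0.95, 2.40, 600_000.0),   # volume 1200x baseline, price range 2.7x
    (25, 2.40, 2.50, 1.10, 1.15, 450_000.0),   # volume 900x (below 1000x), price range 2.3x
    (26, 1.15, 1.18, 1.05, 1.10, 700.0),       # back to normal
]


def detect_abnormal_trading(candles, baseline_window=24,
                            volume_multiple=1000.0, price_swing=2.0):
    """Compare each candle with the median volume of the preceding window.
    The median is used (not the mean) so a single burst does not inflate the
    baseline for the hours that follow it. 'high' severity means both the
    volume and the price signal fired; 'medium' means only one did."""
    alerts = []
    for i in range(baseline_window, len(candles)):
        hour, _open, high, low, _close, volume = candles[i]
        baseline = median([c[5] for c in candles[i - baseline_window:i]])
        vol_ratio = volume / baseline if baseline > 0 else float("inf")
        swing = high / low if low > 0 else float("inf")
        signals = []
        if vol_ratio >= volume_multiple:
            signals.append("volume")
        if swing >= price_swing:
            signals.append("price")
        if signals:
            alerts.append({
                "hour": hour,
                "volume_ratio": round(vol_ratio, 1),
                "price_swing": round(swing, 2),
                "signals": signals,
                "severity": "high" if len(signals) == 2 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_abnormal_trading(SAMPLE_CANDLES):
        print(alert)
```

A "high" alert on a pair that normally trades a few hundred dollars an hour is the moment to pause the pair and review which API keys placed the orders, rather than after the on-chain withdrawals that the article notes follow shortly after the trading ends.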

For more info, please subscribe:
Mirror: https://mirror.xyz/x-explore.eth
Twitter: https://twitter.com/x_explore_eth
