**The Background**
incident report obtained by CoinDesk.
The first hack of BTC 315 ($130,000) was carried out on 14 March 2016 by an employee who later allegedly sold key security data to an outside hacker, including access details for the exchange’s admin interface. Voorhees disclosed this in a memo to ShapeShift users on 13 April.
By all accounts the funds were never recovered, but the stolen coins kept moving for years afterwards, until late 2020.
**Mixing The Funds**
We used this article (written by Voorhees himself) as a starting point. It provides the address to which the stolen BTC 315 was first sent. Immediately, we see a peeling chain: a series of transfers in which small portions of the funds are systematically siphoned off into newly created addresses, while the bulk of the balance moves on to a fresh address as change, ready for the next peel.
The most notable feature of these first transfers is that the hacker used Helix, a Bitcoin mixing service that operated from 2014 until 2017, as the primary destination for the peeled funds. As shown below, this began with BTC 1 sent to Helix on 30 June 2016.
Destination of funds from 1LchK_
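To make the peeling-chain pattern concrete, here is a small walker that follows the change output of each hop and records where the peeled amounts went. This is an added example for this write-up, not code from the original analysis or from any blockchain-analytics product; the ledger, addresses, txids and the service label table are constructed placeholders (the real Helix deposit addresses are not reproduced), and the "peel ratio" threshold is an assumed heuristic, not a published one.

```python
"""Peeling-chain walker over a constructed transaction set.

Added example; not code from the original analysis or from any analytics
vendor. The ledger, addresses, txids and service labels below are
constructed placeholders, not the real ShapeShift or Helix addresses.
"""
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list   # (address, amount) pairs being spent
    outputs: list  # (address, amount) pairs created


# Constructed ledger: three peel steps from "seed", then a transaction that
# breaks the pattern (two inputs, three outputs). Amounts are in BTC.
LEDGER = [
    Tx("tx1", [("seed", 315.00)], [("svcA_dep", 1.00), ("hop1", 313.99)]),
    Tx("tx2", [("hop1", 313.99)], [("svcA_dep2", 2.50), ("hop2", 311.48)]),
    Tx("tx3", [("hop2", 311.48)], [("fresh_x", 0.75), ("hop3", 310.72)]),
    Tx("tx4", [("hop3", 310.72), ("other", 5.00)],
       [("x", 100.00), ("y", 100.00), ("z", 115.70)]),
]

# Constructed attribution table, standing in for a mixer/exchange cluster
# label set that a real investigation would take from an analytics tool.
SERVICE_LABELS = {"svcA_dep": "MixerA", "svcA_dep2": "MixerA"}


def index_ledger(ledger):
    """Map each address to the tx that spends it, and to the position of the
    tx in which it first appears (used to decide whether change is 'fresh')."""
    spender, first_seen = {}, {}
    for pos, tx in enumerate(ledger):
        for addr, _ in tx.inputs:
            spender.setdefault(addr, tx)
            first_seen.setdefault(addr, pos)
        for addr, _ in tx.outputs:
            first_seen.setdefault(addr, pos)
    return spender, first_seen


def peel_step(tx, max_peel_ratio=0.25):
    """Classify tx as a peel if it has one input address and two outputs, the
    smaller being at most max_peel_ratio of the input total (assumed
    threshold). Returns (peel_addr, peel_amt, change_addr, change_amt) or None."""
    if len(tx.inputs) != 1 or len(tx.outputs) != 2:
        return None
    total_in = sum(amt for _, amt in tx.inputs)
    (peel_addr, peel_amt), (chg_addr, chg_amt) = sorted(tx.outputs, key=lambda o: o[1])
    if peel_amt > max_peel_ratio * total_in:
        return None
    return peel_addr, peel_amt, chg_addr, chg_amt


def walk_peeling_chain(ledger, seed, labels=None, max_peel_ratio=0.25):
    """Follow the change output from seed while each hop fits the peel
    heuristic; stop at the first tx that does not (e.g. a consolidation)."""
    labels = labels or {}
    spender, first_seen = index_ledger(ledger)
    chain, addr = [], seed
    while addr in spender:
        tx = spender[addr]
        step = peel_step(tx, max_peel_ratio)
        if step is None:
            break
        peel_addr, peel_amt, chg_addr, chg_amt = step
        chain.append({
            "txid": tx.txid,
            "peeled_to": peel_addr,
            "peeled": peel_amt,
            "service": labels.get(peel_addr, "unknown"),
            "change_to": chg_addr,
            "remaining": chg_amt,
            # a change address never seen before this tx is typical peel behaviour
            "fresh_change": first_seen[chg_addr] == ledger.index(tx),
        })
        addr = chg_addr
    return chain


def summarize(chain):
    """Total peeled per attributed service, plus the balance left at the end."""
    per_service = {}
    for step in chain:
        per_service[step["service"]] = per_service.get(step["service"], 0.0) + step["peeled"]
    remaining = chain[-1]["remaining"] if chain else None
    return per_service, remaining


if __name__ == "__main__":
    chain = walk_peeling_chain(LEDGER, "seed", SERVICE_LABELS)
    for step in chain:
        print(step)
    print(summarize(chain))
```

On the constructed ledger the walk stops at tx4, which consolidates with another input and fans out to three outputs, so the chain is the three hops before it. Against a real address graph the same loop would be fed from a node's transaction index, and the label table would come from cluster attribution; the peel-ratio threshold is the knob that trades missed hops against false positives.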
On 13 February 2020, the US Department of Justice (“DoJ”) announced that it had charged the operator of Helix, US national Larry Harmon, with conspiracy to launder illicit proceeds, operating an unlicensed money transmitting business and conducting money transmission without a District of Columbia license. The DoJ alleged a link between Harmon and darknet search engine Grams, on which Harmon supposedly marketed Helix. It was estimated that Helix had mixed over 350,000 Bitcoin on behalf of customers, the majority of which originated from dark web marketplaces.
Deposits to mixers continued until 8 November 2020, when the final deposit in the chain was made to Wasabi, a wallet whose built-in CoinJoin serves the same mixing purpose. In all, from the first Helix deposit in June 2016 to that last Wasabi deposit, it took the hacker more than four years to dispose of the stolen funds through mixers.
**Identifying Other Services**
In May 2019 the hacker sent funds to Changelly, an exchange aggregator. Changelly differs from other exchanges by operating as a non-custodial market participant, meaning that it does not hold users' funds on the platform; rather, it acts as an intermediary between crypto exchanges and users. Currently, users are only required to undergo identity verification if their transactions are flagged as suspicious by the exchange.
Deposits to Changelly
What does this show? The hacker is clearly seeking ways to off-ramp their funds through exchange services that do not require KYC.
Two days after depositing to MorphToken, funds stolen from ShapeShift were sent to Huobi. In total, the hacker deposited almost BTC 7 to the Huobi deposit address over a two-day period.
The same Huobi address has received a significant amount of Bitcoin from MorphToken: over BTC 4,400 between April and December 2020.
In total the Huobi wallet received £39.3 million, which includes funds from a series of unknown clusters, all for the same amount and all during late 2020.
Are these funds part of the second spate of attacks on ShapeShift? It is possible that the stolen ETH and LTC were converted into BTC on MorphToken before reaching Huobi.
The answer will lie in who controls the Huobi account.