On the morning of 03/24 Beijing time, the DragonEX exchange announced that digital assets had been stolen from its platform and asked for help tracking and intercepting the hackers. In its report, DragonEX mentioned that more than 20 cryptocurrencies were stolen, including BTC, ETH, EOS, etc. The total value of the stolen tokens was not revealed, but after some initial analysis, we found that this incident ranks among the top blockchain hacking events in terms of total value and token types.

After receiving the DragonEX warning, the PeckShield team immediately started to analyze the attack procedure and retrace the movements of the stolen assets. Using the PeckShield Digital Asset Protection System, we found that digital assets worth $6,028,283 were lost overall: $929,162 of that has been moved into other exchanges, and tokens worth $5,099,121 still remain in the hackers' wallet addresses.

After initial analysis, PeckShield researchers found that the hackers most likely managed to steal the private keys of DragonEX wallets, obtained server API access illegally, and then moved the digital assets out of the DragonEX platform. The hackers' theft and money-laundering operations can be divided into two phases:

  1. Token stealing phase: From 1AM to 8AM Beijing time on 03/24, the hackers moved 20+ types of digital assets from DragonEX to their own addresses, including BTC, ETH, EOS, etc.

  2. Money laundering phase: From 03/26 until now, the hackers have moved $929,162 worth of tokens into various exchanges, where they could already have been sold. Tokens worth $5,099,121 are still in the hackers' addresses and could be moved to exchanges soon if not intercepted by exchanges or other parties.

The Timeline of this hacking incident

Using blockchain data, PeckShield researchers created the following table to show the timeline of this incident:

| Beijing Time | Operation | Victims | Attackers | Summary |
|---|---|---|---|---|
| 2019-03-24 01:50:02 | Changing EOS private key | gm2tqnjygyge | | |
| 2019-03-24 01:58:06 | TRX transfer | TPTwvsifK6E… | TJeMF…DGFB | Total of 1,453,956 TRX |
| 2019-03-24 01:58:40 | EOS transfer | dragonexeos1 | worldfoxprin | Total of 144,903.50 EOS |
| 2019-03-24 02:00:16 - 07:22:13 | ETH transfers | Multiple ETH addresses | 0xa7f72b…ebb2 | Total of 1524 txs, 2738.12 ETH |
| 2019-03-24 02:00:49 | Changing EOS private key | gm2tqnjygyge | | |
| 2019-03-24 02:09:03 | EOS transfer | gm2tqnjygyge | worldfoxprin | Total of 60488.8931 EOS |
| 2019-03-24 02:33:29 | BTC transfer | 18 BTC addresses | 3BorU…Pj45C | Total of 135.01 BTC |
| 2019-03-24 02:42:02 | LTC transfer | Multiple LTC addresses | MS2hm59… | Total of 4670 LTC |
| 2019-03-24 02:44:04 | ETH transfer | 0x0b07889… | 0xa7f72b…ebb2 | Total of 1901.4 ETH |
| 2019-03-24 02:42:54 | USDT transfer | 1QBaD… | | Six USDT addresses, and total of 1,464,319 USDT |

The Detailed list of the stolen tokens

| Token Name | Quantity | Value (USD) | Destination |
|---|---|---|---|
| USDT | 330,031 | 330,031 | CoinBene Exchange (2 addresses) |
| USDT | 245,429 | 245,429 | KuCoin Exchange (1 address) |
| USDT | 135,282 | 135,282 | BitForex Exchange (2 addresses) |
| USDT | 208,127 | 208,127 | Address starting with 1DUb |
| USDT | 140,666 | 140,666 | Address starting with 1J3t |
| USDT | 126,994 | 126,994 | Address starting with 135g |
| USDT | 277,790 | 277,790 | Multiple addresses, being traced |
| EOS | 426,310 | 1,543,242 | whatagoodeos/worldfoxprin/gm2tqnjygyge |
| ABBC | 6,274,251 | 1,254,850 | Being traced |
| BTC | 135.01 | 529,740 | Address starting with 3BorUkW |
| ETH | 2738.12 | 365,742 | Partially moved to Binance and ZB exchanges |
| LTC | 4,760 | 279,888 | Address starting with MS2hm59 |
| QTUM | 74,128 | 179,389 | Being traced |
| NEO | 9,907 | 87,181 | Being traced |
| XRP | 247,000 | 74,100 | Being traced |
| TRX | 1,453,956 | 32,696 | Binance Exchange |
| MEETONE | 15,269,673 | 28,432 | whatagoodeos |
| BCHABC | 146.44 | 22,916 | Being traced |
| ICX | 72,684 | 21,805 | Being traced |
| ETC | 3,194 | 14,821 | Being traced |
| BTM | 104,150 | 11,456 | Being traced |
| XAS | 22,516 | 2,769 | Being traced |
| XEM | 64,121 | 3206 | Being traced |
| Total | | 6,028,283 | |

The Detailed Analysis of the hacking procedure

Let’s use USDT and TRON as examples to analyze how the hackers stole the coins:

USDT

The following diagram shows the movements of USDT tokens into the hackers’ addresses:




  1. At 2:42:54 on 03/24/2019, a large amount of USDT tokens was moved from DragonEX address 1QBaDdhCTC2k9WWFhCXCJvYHpVSqLSRxaJ to these six addresses:

a. 1P4cdD9kTFGV6wmFxbeoZXosRNUrMrMbmN 273,597 USDTs;

b. 1JBoGBv7GnqN6ncEi9aSU71gobcMG9R1Ca 222,738 USDTs;

c. 114F7vWREusZTRGcEZGoTAuhWvq8T5tzxR 238,652 USDTs;

d. 1HapWDybdWW1H61saGokQ88xVaHvfukgu2 240,971 USDTs;

e. 17gqLwmBxdmKEP8vaBEn2ghHvj4vqCiR6q 240,971 USDTs;

f. 1B6t6RnVMpTQKhbXsr8hNB3DiyXSSkomkU 247,390.31777 USDTs;

  2. After receiving the USDT tokens, these six addresses moved the USDTs into several exchanges through multiple layers of transfers. Here is the current status of these USDTs as located by PeckShield researchers:



a. After several transfers, 330,031 USDTs were finally moved to CoinBene address 1HCviLYNqHAyeZxGTj9Mtgvj1NJgQuSo91 through these two addresses: 1GirA64XdJjH6HHzgH7Tj5WoBmyH5Z3wjn and 1CdbfukQ1JsJK5csqYGonP1mDp3hVyePc3

b. Also after several transfers, 245,429 USDTs were moved to KuCoin address 17ScKNXo4cL8DyfWfcCWu1uJySQuJm7iKC through this address: 1AEJpcgLUrMyqz3iPAF3ETozwV3PaZkjGo

c. 208,127 USDTs were moved to an unknown exchange address: 1DUb2YYbQA1jjaNYzVXLZ7ZioEhLXtbUru

d. 140,666 USDT stayed in 1J3tVZrmQFiH2R8fCsGab7AfWVKh6wHTQ6

e. After several transfers, 135,282 USDTs were moved to BitForex address 12vCxak5xc1t6T275xbm6AJ4xsZCxkTSc5 through these two addresses: 1CNwEPguYVUhziMEiCe1PKKSHv2Ur5B1KC and 1CNuTqmJcwfyWKdtuqhitUL4pewWcPJuzf

f. After several transfers, 126,994 USDTs were moved to 135gVHBkLUidwpd6va9eZyECGVLCek2z4y

g. The remaining 277,790 USDTs stayed in several accounts.

TRON

The following diagram shows the movements of TRON tokens:




The detailed procedure is as follows:

  1. On 03/24/2019, 1,453,956 TRXs were moved from DragonEX address TPTwvsifK6EiQ1mm6b4eEQAcammL5215g6 to address TJeMF6CpEDeG94UAF7d4dzjXkgrwwtDGFB

  2. Between 03/24/2019 and 03/26/2019, the TRX tokens in address TJeM…DGFB did not move.

  3. From 9AM to 10AM on 03/26/2019, TRX tokens were moved from TJeM…DGFB to six new addresses, and then from these six addresses to TR8T47ouBgr7V2ssDjDaz9PJ7JaPH3kwrR. PeckShield researchers determined that the TR8T…kwrR address belongs to Binance;

  4. At this point, all 1,453,956 TRX tokens had been moved into Binance.
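
The TRX flow above can be reproduced as a simple taint trace over a time-ordered transfer list. This is an added example, not PeckShield's tooling: the three named addresses come from the article, while `HOP_A`..`HOP_F`, the equal split between them, and the `UNRELATED_USER` transfer are constructed placeholders.

```python
from collections import defaultdict

# Addresses below are the ones named in the article's TRX walkthrough.
VICTIM = "TPTwvsifK6EiQ1mm6b4eEQAcammL5215g6"      # DragonEX
FIRST_HOP = "TJeMF6CpEDeG94UAF7d4dzjXkgrwwtDGFB"   # attacker-controlled
BINANCE = "TR8T47ouBgr7V2ssDjDaz9PJ7JaPH3kwrR"     # attributed to Binance
EXCHANGE_LABELS = {BINANCE: "Binance"}
STOLEN_TRX = 1_453_956


def build_sample_transfers():
    """Constructed, time-ordered ledger of (sender, receiver, amount).

    HOP_A..HOP_F stand in for the six intermediate addresses the article
    does not name; the equal split between them is an assumption.
    """
    share = STOLEN_TRX // 6
    transfers = [(VICTIM, FIRST_HOP, STOLEN_TRX)]
    for hop in (f"HOP_{c}" for c in "ABCDEF"):
        transfers.append((FIRST_HOP, hop, share))
        transfers.append((hop, BINANCE, share))
    transfers.append(("UNRELATED_USER", BINANCE, 500))  # must not be counted
    return transfers


def trace(transfers, seeds, exchange_labels):
    """Follow stolen units hop by hop; stop following at labelled exchanges."""
    tainted = defaultdict(int, seeds)   # address -> stolen units still held
    deposited = defaultdict(int)        # exchange -> stolen units received
    for sender, receiver, amount in transfers:
        moved = min(amount, tainted[sender])
        if moved == 0:
            continue                    # sender holds no traced funds
        tainted[sender] -= moved
        if receiver in exchange_labels:
            deposited[exchange_labels[receiver]] += moved
        else:
            tainted[receiver] += moved
    held = {addr: units for addr, units in tainted.items() if units > 0}
    return dict(deposited), held


if __name__ == "__main__":
    dep, held = trace(build_sample_transfers(), {VICTIM: STOLEN_TRX}, EXCHANGE_LABELS)
    print("reached exchanges:", dep)
    print("still held by traced addresses:", held)
```

Running the trace on a truncated ledger gives the same split the report uses: units that already reached a labelled exchange versus units still sitting in traced addresses, which are the ones that can still be intercepted.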

Summary

During this DragonEX hacking incident, the hackers stole almost all of the digital assets on the DragonEX platform in a short period of time, and quickly moved some tokens into other exchanges for money-laundering purposes. However, most of the stolen tokens are still in the hackers’ addresses, and it’s still possible to freeze these assets if the community and exchanges can work together to stop further token transfers.

Above all, hacking events threaten the safety of users’ digital assets, and we at PeckShield would like to call on exchanges to improve their risk mitigation capability, and to ask for help from professional blockchain security firms when needed.

About Us

PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.



Published

27 March 2019