In this KIR project, we have proposed an analysis framework for tracking money flows on the Klaytn network. We have achieved our goals by providing a public web service named S2-EYEZ for Klaytn, which lets anyone interested in analyzing money flows on the Klaytn network inspect Klaytn transactions, including token transfers. For this, we have built an on-chain monitoring system and a graph-based analysis engine over the last few months.
For the first milestone, we implemented an infrastructure to construct and analyze token transfer graphs and gave a full explanation of how we construct the graphs, together with performance evaluation results and fundamental analysis applications. For the second milestone, we successfully launched our official web service, S2-EYEZ for Klaytn.
As the last milestone of the project, we have conducted an in-depth analysis of abnormal transactions on the Klaytn blockchain. These technical reports give examples of how we address abnormal transactions on the blockchain, with the analysis results of three well-known real incidents on the Klaytn network.
Now the project is closed, but we plan to improve our system continuously. If you have any questions, concerns or recommendations, please feel free to contact us; you are always welcome (email: email@example.com). Thanks for your support, and please keep paying attention to our work.
To discover malicious transactions (e.g., flash-loan attacks) on Klaytn, we have carefully inspected all transactions and token transfers on the Klaytn blockchain. As you know, Klaytn is one of the most wholesome blockchain networks in the world. Given the purity of the Klaytn blockchain, we could not find any of the malicious transactional patterns we look for, except for several negligible transactions such as faulty token transfers to token contracts. However, this does not mean that there have been no incidents on Klaytn.
In this report, we analyze actual abnormal cases on Klaytn with the S2-EYEZ system, focusing especially on their money flows. We have selected three incidents for analysis, as below. The cases are listed in order of occurrence date.
On November 2, 2020, an adversary attacked the domain name service of the KLAYSTATION service. The root account used to manage DNS for KLAYSTATION was compromised, and the attacker redirected the domain to her own scam pages. The scam site led users to enter the private keys of their Klaytn wallets, and the attacker then stole their money using those keys.
< Figure 1. Overview of the money flow of stolen money >
The estimated damage is about 452K Klay ($200K) in total. With S2-EYEZ for Klaytn, we conducted further analysis of the money flow of the stolen funds and the overall abnormal transactional patterns. The attacker divided the stolen money into several pieces and transferred them to a number of different wallets. Finally, the attacker withdrew the money through cryptocurrency exchanges.
< Figure 2. Money stealing from victims >
< Figure 3. Modification of victim’s private key by attacker >
The attacker stole about 452K Klay in total from five victims via the leaked private keys. These thefts show more planning and coordination than earlier ones. To extract the money, the attacker first changed the private key of the victim's account (see Figure 3). She also did not stop at the current Klay balance: the attacker unstaked the money staked on KLAYSTATION and stole that as well.
- Attacker’s account: 0x84f46c95740adc0820432502d09534f3ebf5fa3a
- Period of damage: 42629563 ~ 44752112 block (Nov 02, 2020 09:01:08 ~ Nov 26, 2020 23:32:26 / UTC+9)
- Number of estimated victims: 5 wallets
- Estimated stolen money in total: 452,597 Klay ($ 200K)
< Figure 4. Transfer stolen money to exchange directly >
The attacker transferred some of the stolen money directly to the exchange's wallet (i.e., gate.io). For this portion she did not put on a mask at all and withdrew the black money with no laundering.
- Exchange’s account(gate.io): 0x0d0707963952f2fba59dd06f2b425ace40b492fe
- Transferred money to exchange in total: 101,231 Klay (around 22% of total stolen money)
- Transaction hash
< Figure 5. Money gathering in intermediary wallet >
To spend the stolen money, the attacker transferred most of it to another wallet. In this case, we could not tell exactly why she moved the money to another account. However, in general, thieves on blockchains transfer stolen money to other wallets to make it harder to track or to launder it. We also could not rule out the possibility of an accomplice.
- Attacker's other account (estimated): 0x26ca0d88decdcc2a23a1ed10579488f0d4113ae9
- Transferred money in total: 351,366 Klay (around 78% of total stolen money)
< Figure 6. Transfer gathered money to exchanges(conclusive or estimated) >
Finally, we discovered the last piece of the attacker's work. She transferred the stolen money, divided into a number of small pieces, to two destinations: one is an exchange and the other is unknown. Some transactions (i.e., 0xa76be116… and 0x457ef07d…) were made with funds irrelevant to this case, and the actual transferred amounts of stolen money are only about 40K and 100K Klay respectively. To identify who owns the unknown wallet, we carefully inspected all the transactions the unknown wallet made, and we presume that the wallet shows transactional patterns similar to an exchange's wallet (especially gate.io).
- Exchange’s account(gate.io): 0x0d0707963952f2fba59dd06f2b425ace40b492fe
- Transferred money to exchange in total: 301,972 Klay (around 86% of gathered money)
- Unknown account(estimated as an exchange’s wallet): 0x9dd35021d77c1de5ed50b9d788a2f68903a96b96
- Transferred money to unknown in total: 50,000 Klay (around 14% of gathered money)
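The split, gather and cash-out pattern described above is easiest to quantify with a proportional ("haircut") taint model, which also handles the mixed transactions mentioned earlier by counting only the stolen share of each outflow. The script below is an added example, not S2-EYEZ code; it uses the four addresses quoted in this report, while the transaction ids and the clean inflow into the intermediary wallet are constructed.

```python
# Added example (not S2-EYEZ code): proportional ("haircut") taint tracing.
# Constructed sample modelled on the KLAYSTATION case: the four addresses are
# the ones quoted in the report; tx ids and the clean 48,634 Klay inflow
# into the intermediary wallet are made up.
from collections import defaultdict

ATTACKER = "0x84f46c95740adc0820432502d09534f3ebf5fa3a"
HOP = "0x26ca0d88decdcc2a23a1ed10579488f0d4113ae9"      # intermediary wallet
GATE_IO = "0x0d0707963952f2fba59dd06f2b425ace40b492fe"
UNKNOWN = "0x9dd35021d77c1de5ed50b9d788a2f68903a96b96"
LABELS = {GATE_IO: "exchange:gate.io", UNKNOWN: "unknown(exchange?)"}

# (tx id, sender, receiver, amount in Klay), in block order
TRANSFERS = [
    ("tx1", "0xVICTIM", ATTACKER, 452_597),  # theft: whole amount is tainted
    ("tx2", ATTACKER, GATE_IO, 101_231),     # direct cash-out
    ("tx3", ATTACKER, HOP, 351_366),         # gathered in intermediary
    ("tx4", "0xOTHER", HOP, 48_634),         # clean funds mixed in
    ("tx5", HOP, GATE_IO, 300_000),          # mixed outflow to exchange
    ("tx6", HOP, UNKNOWN, 100_000),          # mixed outflow to unknown wallet
]
THEFT_TXS = {"tx1"}

def trace_taint(transfers, theft_txs):
    """Final tainted balance per account. Transfers in theft_txs are fully
    tainted at the receiver; every other transfer carries tainted value in
    proportion to the sender's tainted share of its balance at that moment.
    Accounts outside the trace are not funded, so they carry no taint."""
    balance, tainted = defaultdict(float), defaultdict(float)
    for tx, src, dst, amt in transfers:
        if tx in theft_txs:
            t = float(amt)
        else:
            t = amt * tainted[src] / balance[src] if balance[src] > 0 else 0.0
            balance[src] = max(balance[src] - amt, 0.0)
            tainted[src] = max(tainted[src] - t, 0.0)
        balance[dst] += amt
        tainted[dst] += t
    return {a: v for a, v in tainted.items() if v > 0}

def attribute(transfers, theft_txs, labels):
    """Group final tainted balances by label: {label: (amount, % of total)}."""
    final = trace_taint(transfers, theft_txs)
    total = sum(final.values()) or 1.0
    by_label = defaultdict(float)
    for acct, v in final.items():
        by_label[labels.get(acct, acct)] += v
    return {k: (round(v, 2), round(100 * v / total, 1)) for k, v in by_label.items()}
```

Calling `attribute(TRANSFERS, THEFT_TXS, LABELS)` reports that 364,755.5 Klay (80.6%) of the tainted funds rest at gate.io and 87,841.5 Klay (19.4%) at the unknown wallet, with the attacker and intermediary wallets fully drained.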
The attacker stole $200K worth of digital assets from KLAYSTATION users via scam web pages. According to our analysis of the money flow of those assets, most of the stolen money was cashed out through cryptocurrency exchanges. To redress the victims, it is necessary for blockchain communities such as cryptocurrency exchanges to address security issues in compliance with anti-money laundering rules.
On January 27, 2022, the KLEVA team was updating smart contracts for the launch of its leveraged yield farming service. However, an unexpected error occurred during the update and testing procedure, and an excessive amount of interest was paid out on assets deposited after Jan 27th, 2022 19:28 / UTC+9. A few minutes later, the KLEVA team recognized the issue in the ibKUSDT vault and closed all deposits and withdrawals of KLEVA to minimize damages. According to the official report from the KLEVA team, approximately 52M KUSDT was excessively withdrawn during the 38 minutes between the start and end of the error. The KLEVA team tried to recover the damages immediately with the help of related organizations, and the return of 99.41% of the assets has been confirmed.
- Official report from the KLEVA team: Post-Mortem : ibKUSDT Vault Incident | by KLEVA | Medium
< Figure 7. Overview of the suspicious money flow of unearned income >
During the analysis of the money flow of the unearned revenue, we discovered that someone used the earnings in an improper way. In other words, she withdrew the unintended income via crypto exchanges and even laundered the revenue. Apart from this exception, we believe the assets could be retrieved by virtue of the purity and transparency of the Klaytn blockchain; had this case occurred on another blockchain, it would have been hard to retrieve all losses without exception.
< Figure 8. Unintended withdrawal of excessive amount of interest >
On Jan 27th, 2022 19:55 / UTC+9, one of the KLEVA users (we call this user the 'lucky guy') deposited 1 ibKUSDT, but an excessive amount of interest was withdrawn, about 16.66M KUSDT. According to the official announcement from the KLEVA team, this was caused by logical bugs in the interest-bearing model of the smart contracts. During the update of the smart contract source code for the ibKUSDT vault, the logic that calculates interest was affected unexpectedly. Thus, apart from this one, there are a few other transactions that brought unintended losses or gains (note that we address the case of the greatest earnings due to the incident and analyze its suspicious money flows).
- Gained account: 0x6ffa44b61b8b4b4f662e68f316a8e2fd162dcfe4
- Excessively withdrawn money in total: 16,665,132 KUSDT
- Issued transaction: 0xfb9ae24cf2dd420dada333738fc4fd5aae88fc5d9016da523d79f2ada4de4079
< Figure 9. Transfer tokens to secondary wallet >
Simply put, the lucky guy moved the unexpected earnings to another account to realize the profits. The most meaningful financial activities on the profits start from that account.
- Other (main) account: 0x7e466ec44eda5b1edf758b1a81ee28345feb8db9
- Transferred money in total: 16,660,100 KUSDT (99.97% of total gains)
< Figure 10. Return of funds >
In the hours that followed the incident, the return of most of the funds was confirmed. Two weeks later, all of the funds were retrieved by sending them to the ibKUSDT token contract.
- Retrieved funds from the lucky guy: 14,440,000 KUSDT (86.67% of total gains)
< Figure 11. Token swaps and withdraw via Binance >
To realize the earnings, the lucky guy first swapped the KUSDT to Klay via the KLAYswap protocol; the swaps were conducted four times in total. Finally, the Klay from the first three swaps was gathered together and she withdrew the swapped Klay via the Binance exchange at once. The total amount transferred to Binance is about 1.38M Klay, and this procedure took only two hours.
- Swapped tokens to Klay: 1,918,956 KUSDT (11.5% of total gains)
- Withdrawal funds via Binance: 1,382,361 Klay ($1.8M with 1 Klay = $1.30)
< Figure 12. Interchain swap with Orbit Bridge protocol >
< Figure 13. Interchain swap with Orbit Bridge protocol(collected from Orbit Bridge Explorer) >
It would be possible for anyone to withdraw unearned revenue through one of the biggest crypto exchanges. However, this lucky guy did not stop at realizing unearned income via exchanges and tried her luck again. She moved some KUSDT tokens to Ethereum wallets through Orbit Bridge.
- Interchain swapped tokens to Eth: 300,000 KUSDT (2% of total gains)
< Figure 14. Transfer USDT tokens to Ethereum wallet(collected from etherscan.io) >
< Figure 15. Money Laundering with Tornado Cash(collected from etherscan.io) >
After the bridge's work was done, she had 299,700 USDT in her wallet on the Ethereum blockchain. Then she swapped them to Ether with Uniswap. Most importantly, she laundered the Ether via Tornado Cash, which is one of the most famous money laundering services on the Ethereum blockchain. As a result, 111 Ether could no longer be traced.
- Laundered money: 111 Eth ($ 300K)
As a result of the unexpected errors, an excessive amount of interest was withdrawn from KLEVA. While some users tried to cash out unearned income, the immediate reactions of the KLEVA team led to the return of the overwhelming majority of the withdrawn assets.
On February 3, 2022, a significant amount of KLAYswap users' assets was unintentionally transferred to a suspicious wallet and a smart contract. According to the official incident report from the KLAYswap team, the cause of the accident was the download and execution of malicious code disguised as a Kakao SDK file, delivered through an external network attack. The attack was conducted with the BGP hijacking technique: by manipulating the network routes, the attacker led KLAYswap users to download malicious code from the attacker's server instead of the normal SDK file. The polluted SDK file led KLAYswap users to transfer their assets to the attacker's account.
To minimize the damage from the attack, the KLAYswap team blocked all functions of KLAYswap and conducted emergency inspections. Some operations of the Orbit Bridge protocol were also restricted to prevent the transfer of stolen money to other networks. Nevertheless, about $1.91 million worth of assets were snatched by the attacker during the few hours the attack was running.
- Official incident report from KLAYswap team: KLAYswap Incident Report (Feb 03, 2022) | by KLAYswap | KLAYswap | Medium
< Figure 16. Overview of the money flow of stolen money >
During the analysis of the money flow of the stolen money, we found that most of it was transferred to other blockchain networks (i.e., Ethereum, BSC and Ripple) through the Orbit Bridge protocol. As you must realize, Klaytn is one of the most clean-fingered blockchains in the world, and this makes it hard for criminals to cash out black money within the network. In conclusion, we assume that the attacker laundered the stolen assets on other platforms.
< Figure 17. Overview of transactional patterns of asset theft >
< Figure 18. Part of token transfers of attacker’s wallet >
< Figure 19. Amount of stolen Klay by the attacker >
With the BGP hijacking attack, the adversary led users to download and execute the attacker's code instead of the normal SDK, which changed all of the users' transaction requests so that they transferred or approved assets to the attacker. For example, if a user requested to swap their assets, the request instead produced a transaction that executed the attacker's function to send the assets to the attacker's account. During the theft, tokens were transferred directly from victims to the attacker's account, whereas Klay was sent via the attacker's contract.
- Attacker’s account: 0xdfcb0861d3cb75bb09975dce98c4e152823c1a0b
- Attacker’s contract: 0x3f315f2bfa8452febbc08a9e3a7fdf8872f9527c
- Period of damage: 82005468 ~ 82028787 block (Feb 03, 2022 11:30:24 ~ Feb 03, 2022 18:01:07 / UTC+9)
- Stolen money in total: $1.91M worth of Klay and dozens of tokens
< Figure 20. Part of token swaps conducted by the attacker(PUNK to KXRP) >
< Figure 21. Part of token swaps conducted by the attacker(PUNK to KXRP) >
The attacker obtained various types of tokens as the result of the attack. To cash out the stolen money, the attacker had to swap such tokens via KLAYswap to other types of tokens such as KXRP, KUSDT and KETH, which are easier to withdraw. For instance, the attacker requested a transaction (0xf8d1aa7c…) to swap PUNK tokens to KXRP: she sent 966,167 PUNK to the KLAYswap pool and obtained 2,515 KXRP. Overall, the attacker made such transaction requests dozens of times to swap the stolen tokens.
< Figure 22. Interchain swaps via Orbit Bridge >
< Table 1. List of requested interchain swaps via Orbit Bridge protocol >
The interchain swaps are the next step in the distribution of the stolen money. Note that Klaytn is one of the most incorruptible blockchain networks in the world, as far as we know; in other words, it is hard to hide or launder black money on Klaytn. Thus it is no wonder that we assume the attacker moved the black money out of the Klaytn blockchain to cash it out. For this, the attacker requested 13 interchain swaps from the Orbit Bridge protocol in total.
- Swap requested money in total: $ 1.4M
< Figure 23. Rejected attacker’s requests by Orbit Bridge >
< Table 2. Amount of swapped and saved assets >
When the KLAYswap team recognized the attack, they restricted some operations of Orbit Bridge to prevent the transfer of stolen assets to other platforms. Thanks to such immediate steps, the withdrawal of a significant amount of assets was prevented. The saved money was deposited to Orbit Bridge but not withdrawn to the attacker's wallet.
- Saved money in total: $ 0.5M (35% of the total amount requested for swap)
Finally, the attacker withdrew the swapped tokens via an exchange, FixedFloat. FixedFloat is a crypto exchange that supports swaps between different blockchain networks, including privacy coins such as Zcash and Monero. This means we can assume that the attacker laundered the stolen assets through the FixedFloat protocol and further steps.
- Transferred amount to FixedFloat: $ 0.9M
- Attacker’s Ethereum account: 0x41E83eb962085b9212839447FF4e26ddd5284055
- Attacker’s BSC account: 0x41E83eb962085b9212839447FF4e26ddd5284055
- Attacker’s Ripple account: rw5ei3vpasG7tirE4ZnfH1CXts94JCHJcx
< Figure 24. Transfer to unknown wallet(estimated as an exchange) >
After the attacker's requests to Orbit Bridge for interchain swaps were rejected, she tried to take a detour to cash out the stolen money. That is, the attacker sent all the remaining Klay to a huge wallet which is assumed to be an exchange's account.
- Transferred money to unknown wallet(estimated as an exchange): 43,603 Klay ($52K with 1 Klay = $1.20)
The adversary prepared the attack methodically so as to launder the stolen money swiftly. However, Orbit Bridge is the only way to move digital assets from Klaytn to other platforms. The immediacy of the responses from related organizations, including the KLAYswap team, was influential in preventing the transfer and use of the stolen money. Further, considering that the attack was conducted with the BGP hijacking technique, it is no wonder that similar attacks on DeFi could be repeated anywhere in the future. Thus blockchain communities, ISPs, and others involved need to take measures to prevent a repeat of such an incident.