In brief

  • The KuCoin hacker continues to launder the stolen crypto.
  • To do so, the hacker is sending the money through decentralized exchanges.
  • But it's still possible to trace the funds before and after they've been sold on DEXs. Here's where it's gone so far.

One of the biggest hacks against a cryptocurrency exchange in recent memory took place last week. Just how big was it, and where is all that crypto now going? Blockchain investigation software Elliptic has crunched the numbers

Using publicly available on-chain data and its tracking software, the British company found that a hacker on Friday stole $281,455,300 from cryptocurrency exchange KuCoin, and has so far sold $13.2 million on decentralized exchanges.

KuCoin said that the hacker accessed the exchange’s accounts through a private key that somehow got leaked. Then they stole $281.5 million worth of a variety of cryptocurrencies; about $152 million of the haul was in Ethereum-based (ERC-20) coins.

To deal with the hack, crypto projects froze about $130 million worth of the hacker’s money. They did this by issuing an update to the blockchain that invalidated all of the stolen coins. In traditional finance, this would be akin to a bank invalidating a large transaction or freezing an account. But that didn't invalidate all of it. And this week, the hacker has started to launder some of what’s left. 

The hacker has seemingly chosen decentralized exchanges to wash the stolen loot, since these sorts of trading platforms are unregulated and it’s difficult to freeze funds on them. Centralized exchanges such as Coinbase or Binance, by comparison, are run by companies who can control the flow of funds on their exchanges.

“With their huge volumes and lack of KYC checks, DEXs have become an obvious choice for money laundering in crypto,” wrote Dr. Tom Robinson, Elliptic’s chief scientist and cofounder.

DEXs have been around for years, but they increased in popularity this year after billions poured into the DeFi sector of the crypto industry this summer. That means that there’s more than enough cryptocurrency now running through decentralized exchanges for this hacker, and potentially future bad actors, to make use of DEXs to swap out stolen tokens.

This is how the KuCoin hacker has so far sold off the stolen crypto, according to Elliptic, whose software tracks the flow of cryptocurrency across blockchains:

The hacker has sent about $7.9 million to decentralized exchange Uniswap. Uniswap is the most popular decentralized exchange; in the past 24 hours, people have traded $235 million worth of cryptocurrency on the exchange. The hacker mostly sent SNX (of decentralized synthetic assets protocol, Synethetix) and the decentralized stablecoin, DAI.

To Kyber, the hacker sent $4.095 million, much of it in decentralized lending protocol Compound’s COMP token, and LINK, the coin that powers Chainlink, a decentralized oracle network. 

Then $756,860 worth of Enjin (ENJ) to DEX.AG, and $499,133 of KNC (Kyber Network Token) to TokenIon. 

Dr. Robinson said that Elliptic’s technology is capable of tracing transactions after it’s left decentralized exchanges. “Unlike centralized exchanges, which are dead-ends when it comes to tracing the flow of funds, with DEXs everything is recorded and visible on the blockchain.”

Elliptic, however, did not disclose where the money has gone since then. Though presumably this is something that KuCoin and its clients would very much like to know.