Liquid Hack: The Second Time Around
Latest update (Aug 26, 6am ET): The Liquid hackers have continued to move expeditiously to convert assets to ETH and launder those ETH through Tornado.cash. From information TRM has been able to acquire, it appears the hackers' ultimate goal is to convert their ETH to BTC using DeFi protocols. Where that BTC will go next is anyone's guess, but the speed and systematic strategy employed by the Liquid hackers stand in stark contrast to the Poly Network hacker's desultory efforts. Whoever hacked Liquid seems to have had a thorough plan in place prior to acting, and is executing that plan with ruthless efficiency.
What happened
Cryptocurrency exchange Liquid announced late on August 18, 2021, that it fell victim to a hack worth over $90 million. This is the third-largest cryptocurrency exchange hack to take place in Japan, behind Mt. Gox and Coincheck, and the second hack to successfully target Liquid. In late 2020, Liquid was the victim of a DNS hijack attack when attackers utilized social engineering tactics to convince GoDaddy employees to transfer Liquid's domain. This is at least the second time a major exchange was breached due to a DNS hijack attack.
According to Liquid, the attacker was able to sweep 107 Bitcoin, 9,000,000 TRON, 11,000,000 Ripple and close to $60,000,000 worth of ERC-20 tokens. TRM analysis shows the attacker moved quickly, swapping stolen USDT-on-TRON to TRON within a matter of minutes using a decentralized exchange. The quick swaps may be a result of lessons learned from the Poly Network attack, in which stolen USDT was frozen almost immediately by Tether.
The hacker also converted ERC-20 tokens into native Ether at a rapid pace. Once converted, the hacker appears content to sit on the haul, pooling almost 15,000 ETH, worth roughly $45 million, in a single address (0x5578840aae68682a9779623fa9e8714802b59946).
The hacker(s) will presumably attempt to cash out these funds in the coming days, weeks, or months.
The USDT converted to TRON was quickly transferred to a global exchange. Similarly, the large haul of Ripple stolen in the hack, worth nearly $13 million, was minimally laundered before being deposited at global and US-based exchanges. These cash-outs should provide government and industry investigators with valuable leads.
With TRM's multi-asset coverage across ETH, TRON, and Ripple, our clients can trace the flow of attacker funds in one central location as swaps are executed. TRM has notified our clients of the attack and how it may impact their networks. For further information on how these updates may affect your platform as a TRM partner, or for more information about TRM, please contact us directly via contact@trmlabs.com.