Blockchain & Tracking
Two years ago, my wallet was drained, resulting in the loss of my NFTs and Tokens. The assets were transferred to the following addresses (some were swapped then sent to CEX):
NFTs: 0x5de68a6095965a105f2588b40c5492d03d1b3516
Tokens: 0xda6ebf3c2df79239331d0f485ca405ad738c7367
TLDR:
Below is me wasting time tracking someone. As this drain consisted of 80% of what I had at the time, might as well right?
Can’t fully track the hacker as they transferred to multiple CEXs such as Binance and others. The final statement: we can’t do anything without access or information. Please protect yourselves and take the proper procedures and steps if you are connecting your wallet to sites, clicking on links and interacting with anything you believe is sketchy.
Tracking (Short Ver + Not fully up to date)
These funds were funnelled into 0x6c189c440f31ff891533c1b5526e9e4f8af89a0e and then into a Binance wallet: 0x28c6c06298d514db089934071355e5743bf21d60. Despite removing everything related to this wallet from my device on March 23, 2022, the wallet remains active as of October 13, 2023, suggesting they still have access.
To track the hacker, I used blockchain scanners like Etherscan. I found that the wallets used to transfer my funds were likely involved in similar activities in the past. However, tracking the funds became difficult once they reached the exchange Binance.
Timeline of Events:
March 19, 2022:
11:42:02: The first transaction occurred, transferring my NFTs to 0x5dE68a6095965a105F2588B40c5492d03d1B3516, where they remain.
12:32:04: Tokens were transferred to 0x6c189c440f31ff891533c1b5526e9e4f8af89a0e.
12:36:07 & 15:13:13: I managed to move some tokens to two other wallets (0x56ea07305d3e4b4321bca7f8ab3586f3c0dd428a and 0x296647c1e6f393fc91939acf7bec0a0a44732e17) before more could be stolen.
May 24, 2022:
21:58:55: The hacker sent Evmos from my wallet to 0xcc1f304503a4d6bb5cffce0ead55fad733cfe1e6.
(More transactions have happened since then, but I was too busy to keep up)
Since then, while receiving a minimum amount of ETH for transactions, my wallet has continuously sent tokens. (MATIC, ETH, and xBTRFLY)
Tracking (In-depth & Not Updated fully)
If you’d like to follow along, here is the Debank link https://debank.com/profile/0xe0ca4b9abc29cd5d57a2c5bbf0411f59a23603c4/history
Scroll to March 19, 2022, 11:42:02 (2022/03/19), where we see the first transaction of the drain Txn Hash: 0xb4f1fdff158614734f4b329ee142442616dc08dc715cb3813f580153b6434609
All my NFTs in this wallet are then transferred to this wallet 0x5dE68a6095965a105F2588b40c5492d03d1B3516 and are currently still there. After the NFTs, they moved on to the tokens in my wallet, on March 19, 2022, at 12:32:04. Txn Hash: 0xE64ad42e9Ed6135B504f4c29fFE9D3A187bC14E2
To Wallet: 0x6c189c440f31ff891533c1b5526e9e4f8af89a0e
Thankfully I saw this early and started moving my tokens to another wallet (the txns at 12:36:07 & 15:13:13). My wallets: 0x56ea07305d3e4b4321bca7f8ab3586f3c0dd428a & 0x296647c1e6f393fc91939acf7bec0a0a44732e17.
This continued until the 23rd of March, when I removed the wallet from my device after I had saved everything I could.
Fast forward to May 24, 2022, at 21:58:55 the hacker decided to send Evmos from my wallet to another. Txn Hash: 0xaf9e13d8849d4f96ea11b09011338c62eed4fa9f3a0975e000a76676fee834fa
To Wallet: 0xcc1f304503a4d6bb5cffce0ead55fad733cfe1e6
EVMOS blockexplorer: https://escan.live/address/0xcc1f304503a4d6bb5cffce0ead55fad733cfe1e6
To make this part shorter (Am also brain ded looking at this and to save you time) My wallet is still being used and is still sending tokens out of the wallet.
Date: On and after 2022/07/30
Sent MATIC - 0x781a5f7ab393c2007cb08578efc4a9a541cdd73a
Sent ETH - 0xe64ad42e9ed6135b504f4c29ffe9d3a187bc14e2
Sent xBTRFLY - 0x1160fe6493e8a558144b79d3b51c5d720bb94f44
Received ETH - 0x1160fe6493e8a558144b79d3b51c5d720bb94f44
Sent ETH - 0x010aff8813a00440eb1e10c37206417f438afeda
Sent AETH - 0x50063e893e1bc42cea3537d7f2c8f935409d0841
Sent EVMOS - 0x501e5f0dbe5c3aeeec682dcc66387211e58f3cdd
Sent xDAI - 0x501e5f0dbe5c3aeeec682dcc66387211e58f3cdd
These transactions on and after 2022/07/30 are interesting to look into because these wallets have not interacted with my wallet, and I believe that they have no connection to 0xda6 and other wallets prior. (I also didn’t go too deep into the new wallets as it is very mind-boggling)
My brain hurts writing this, however, going back to the first drain, they funnelled my tokens to 0xda6ebf3c2df79239331d0f485ca405ad738c7367. Thankfully, rechecking this address a year later, 0xda6 sent funds to a Binance deposit, meaning there is a link to the hacker.
0xda6ebf3c2df79239331d0f485ca405ad738c7367 → 0x01dc097fa7e0e35185b5f194c8e46fd96102bf00 → 0x356a08c0e83963bdb277b3b48b78f3a2dc71d023 → 0xed400f3a901c30b01c87789dc052ec537889de17 (Binance Deposit)
Tips For Tracking Funds
- Write things down
- Map out the addresses
- Use tools like Etherscan and Debank to your advantage
- If tracking becomes overwhelming, take breaks (Important because it does get overwhelming)
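Added example (not part of the original post): the "map out the addresses" tip as a small Python script. It uses only the hops and labels stated in this post, without re-verifying them on-chain; the function names are illustrative.

```python
import re
from collections import deque
ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")  # 20 bytes; a 32-byte value is a txn hash

def norm(addr):
    """Lower-case an address so checksum-case and lower-case copies compare equal."""
    if not ADDRESS.fullmatch(addr.strip()):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return addr.strip().lower()

VICTIM = "0xe0ca4b9abc29cd5d57a2c5bbf0411f59a23603c4"
# Hops exactly as this post states them (not re-verified on-chain).
HOPS = [
    (VICTIM, "0x5dE68a6095965a105F2588B40c5492d03d1B3516"),  # NFTs, checksum case
    (VICTIM, "0x6c189c440f31ff891533c1b5526e9e4f8af89a0e"),
    ("0x6c189c440f31ff891533c1b5526e9e4f8af89a0e", "0x28c6c06298d514db089934071355e5743bf21d60"),
    (VICTIM, "0xda6ebf3c2df79239331d0f485ca405ad738c7367"),
    ("0xda6ebf3c2df79239331d0f485ca405ad738c7367", "0x01dc097fa7e0e35185b5f194c8e46fd96102bf00"),
    ("0x01dc097fa7e0e35185b5f194c8e46fd96102bf00", "0x356a08c0e83963bdb277b3b48b78f3a2dc71d023"),
    ("0x356a08c0e83963bdb277b3b48b78f3a2dc71d023", "0xed400f3a901c30b01c87789dc052ec537889de17"),
]
EXCHANGES = {  # labels as given in the post
    "0x28c6c06298d514db089934071355e5743bf21d60": "Binance wallet",
    "0xed400f3a901c30b01c87789dc052ec537889de17": "Binance deposit",
}

def build_graph(hops):
    graph = {}
    for src, dst in hops:
        graph.setdefault(norm(src), set()).add(norm(dst))
        graph.setdefault(norm(dst), set())  # leaves get a key too
    return graph

def trace(graph, start, labels):
    """BFS from start: shortest path to each labelled address, plus unlabelled leaves."""
    start, labels = norm(start), {norm(k): v for k, v in labels.items()}
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:  # visited check, so cycles cannot loop forever
                parent[nxt] = node
                queue.append(nxt)
    def path(a):
        return [a] if parent[a] is None else path(parent[a]) + [a]
    hits = {labels[a]: path(a) for a in parent if a in labels}
    return hits, sorted(a for a in parent if not graph.get(a) and a not in labels)

if __name__ == "__main__":
    print(trace(build_graph(HOPS), VICTIM, EXCHANGES))
```

The second return value lists addresses where the recorded trail stops without reaching a labelled exchange, which are the ones still worth checking in Etherscan or Debank.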
Final Question / Statement
- Should we be left in the dark if a hacker uses a CEX that requires ID verification?
- Should we be able to request information if we have the required proof and escalate with authorities?
FailSafe is useful and will protect your assets. More details will be provided in my next article.
If you have any questions or statements, you can let me know in my X (Formerly Twitter) DMs
Thank you so much for reading <3