A government-controlled wallet that had been drained of $20 million on Thursday received most of its funds back Friday, adding another layer of mystery to transactions flagged by blockchain analysts as likely being connected to a high-profile theft.
The pseudonymous blockchain sleuth ZachXBT had said in a tweet Thursday that the transfers resembled the playbook of a bad actor. Engaging with several decentralized finance protocols, the wallet had also tapped so-called instant exchanges after funds were moved across a series of transfers that “looked nefarious.”
About $19.3 million worth of funds had been returned to the wallet early Friday, per on-chain data collected by Arkham Intelligence, including Ethereum and the stablecoin USDC. Still, ZachXBT said in his Telegram community that funds transferred to exchanges had not yet been returned.
As of this writing, the government-controlled wallet was still missing around $1.2 million compared to what it had lost, according to Arkham’s analytics platform. Originally, the funds had been seized by the U.S. Department of Justice two years ago as connected to the infamous Bitfinex hack in 2016.
An hour after the government-controlled wallet received funds back, the funds started flowing to a wallet with an address beginning “0x0Ca.” A small amount of Ethereum was followed by a $6.1 million transfer. A small amount of aUSDC, an Aave-based version of the stablecoin that bears interest, was then followed by $11.6 million of aUSDC.
Last but not least, $10 of USDC was sent to “0x0Ca,” followed by $7,180 of the stablecoin. That left the wallet in a condition resembling its drained state Thursday, containing just over $130 of a Trump-themed meme coin after a further $170 in ETH was moved. The TRUMP token had been sent to the wallet by an unknown party earlier this year.
Resembling test transfers, governments have sent small amounts of crypto prior to shifting digital assets in bulk before. The German government, for example, used test transfers when selling millions of dollars worth of Bitcoin in July.
On Thursday, the government-controlled wallet’s use of Aave, a decentralized lending platform, was what initially raised eyebrows on Crypto Twitter. Around $1.1 million worth of the stablecoin Tether and $5.4 million worth of the USDC had been withdrawn.
Global Ledger, a blockchain analytics firm, wrote in a Friday report that the threat actor had swapped stablecoins for Ethereum using the decentralized exchange (DEX) Uniswap and the exchange aggregator 1inch, which sources trades across multiple venues.
What’s more, the Ethereum flowed to a service called n.exchange and nine different deposit addresses for Binance, the leading crypto exchange. As referenced by ZachXBT, these are exchanges that use Binance as a source of liquidity.
In a 2021 blog post, Binance warned that nested exchanges “provide less security and fewer guarantees” than most trading venues, while often being used by cybercriminals. Often, nested exchanges have multiple accounts across different exchanges too.
The blog post stated that Binance has taken action against nested exchanges before, including Suex, an exchange operated out of Russia that was sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in 2021. The exchange said it proactively shut down several accounts associated with Suex’s services.
Binance did not immediately respond to a request for comment from Decrypt.
Editor’s note: This story was updated after publication with additional detail.
Edited by Andrew Hayward