Unraveling the Parity Hack: A Deep Dive into Cryptocurrency Investigations

As part of Coinfirm’s investigative and analytic efforts, we continually improve our understanding of the complex workings of blockchain transactions, especially those related to high-profile hacking events. Today, we present a deep dive into the Parity hack, one of the most notorious events in blockchain history.

6 Years ago, on the 18th of July 2017, the Parity multisig library was compromised, resulting in the theft of 153,037 ETH from three wallets. Thanks to the swift response of white-hat hackers, who secured funds from a total of 596 vulnerable wallets, the damage could be somewhat mitigated. Nonetheless, the breach represented a significant event in the blockchain world and highlighted the importance of robust security mechanisms.

Parity hack and further dissipation of funds
Parity hack and further dissipation of funds

After the initial breach, the hackers began moving their illicit gains. Our team at Coinfirm traced seven transactions totaling 70,000 ETH moving out of the hackers’ wallet, leaving behind an unspent amount of 83,037 ETH.

Further tracking led us to a series of transactions involving Tornado.Cash, a renowned Ethereum mixing service. Our analysis showed that a total of 10,290 ETH was deposited into Tornado.cash, complicating the tracking process as this service is designed to obscure the origins of its transactions.

Deposits to Tornado.cash
Deposits to Tornado.cash

Despite this obstacle, we identified 13 addresses that received the withdrawals from the Tornado.Cash 100 ETH and 10 ETH pool, corresponding to the previously deposited 10,290 ETH (minus the network and mixer fees). The analysis of these transactions can be found in the table below:

Withdrawal AddressesFirst Tornado.cash Withdrawal (UTC)Last Tornado.cash Withdrawal (UTC)Number of WithdrawalsTornado.cash
Pool
Amount Received
(in ETH)
Address 12022-05-062022-05-069100896
Address 22022-05-072022-05-079100896
Address 32022-05-072022-05-079100896
Address 42022-05-092022-05-109100896
Address 52022-05-102022-05-109100896
Address 62022-05-112022-05-119100896
Address 72022-05-122022-04-129100895
Address 82022-05-122022-05-139100896
Address 92022-05-142022-05-149100896
Address 102022-05-172022-05-179100896
Address 112022-05-172022-05-189100895
Address 122022-05-092022-05-103100298
Address 132022-06-152022-06-1591089
Total10,241[1]

Identified Tornado.cash withdrawals

Upon further analysis, we observed that the withdrawn ETH was then converted into RenBTC, a wrapped Bitcoin token on the Ethereum blockchain, across two different decentralized exchanges. 

Withdrawals from Tornado.cash, Swap and deposit to RenBridge
Withdrawals from Tornado.cash, Swap and deposit to RenBridge

Subsequently, these RenBTC tokens were transferred via the RenBridge, a decentralized application enabling the conversion and transfer of digital assets between blockchains.

Deposit AddressesDate of Deposit to RenBridge (UTC)Deposited Amount
(in RenBTC)
Withdrawn Amount
(in BTC)
Date of Withdrawal from RenBridge (UTC)Withdrawal Addresses
Address 12022-06-2950502022-06-29Address 1
Address 22022-06-3049492022-06-30Address 2
Address 32022-07-0149492022-07-01Address 3
Address 42022-07-1449492022-07-14Address 4
Address 52022-07-1552522022-07-15Address 5
Address 62022-07-2863632022-07-28Address 6
Address 72022-07-2963632022-07-29Address 7
Address 82022-08-0164642022-08-01Address 8
Address 92022-08-1065652022-08-10Address 9
Address 102022-08-1771712022-08-17Address 10
Address 112022-08-1870702022-08-18Address 11
Address 122022-07-1416162022-07-14Address 12
Address 132022-09-02772022-09-02Address 13
 Total668668  

RenBridge cross-chain transfers

At this point, the cryptocurrency had been swapped back into its original form – Bitcoin, and a total of 668 BTC were withdrawn. The remaining 31 BTC was moved to an unidentified wallet, making further tracking challenging. The summary of these transactions can be seen in the table below:

Withdrawals from RenBridge
Withdrawals from RenBridge

In conclusion, our investigation into the Parity hack provides crucial insights into the techniques employed by hackers to launder stolen funds. Our findings underscore the importance of blockchain analytics in tracing illicit funds and reinforcing the security mechanisms of the blockchain ecosystem.

Coinfirm is committed to providing robust blockchain analytics and pioneering investigative efforts, enabling a safer and more transparent blockchain ecosystem.