As part of Coinfirm’s investigative and analytic efforts, we continually improve our understanding of the complex workings of blockchain transactions, especially those related to high-profile hacking events. Today, we present a deep dive into the Parity hack, one of the most notorious events in blockchain history.
6 Years ago, on the 18th of July 2017, the Parity multisig library was compromised, resulting in the theft of 153,037 ETH from three wallets. Thanks to the swift response of white-hat hackers, who secured funds from a total of 596 vulnerable wallets, the damage could be somewhat mitigated. Nonetheless, the breach represented a significant event in the blockchain world and highlighted the importance of robust security mechanisms.
After the initial breach, the hackers began moving their illicit gains. Our team at Coinfirm traced seven transactions totaling 70,000 ETH moving out of the hackers’ wallet, leaving behind an unspent amount of 83,037 ETH.
Further tracking led us to a series of transactions involving Tornado.Cash, a renowned Ethereum mixing service. Our analysis showed that a total of 10,290 ETH was deposited into Tornado.cash, complicating the tracking process as this service is designed to obscure the origins of its transactions.
Despite this obstacle, we identified 13 addresses that received the withdrawals from the Tornado.Cash 100 ETH and 10 ETH pool, corresponding to the previously deposited 10,290 ETH (minus the network and mixer fees). The analysis of these transactions can be found in the table below:
| Withdrawal Addresses | First Tornado.cash Withdrawal (UTC) | Last Tornado.cash Withdrawal (UTC) | Number of Withdrawals | Tornado.cash Pool | Amount Received (in ETH) |
| Address 1 | 2022-05-06 | 2022-05-06 | 9 | 100 | 896 |
| Address 2 | 2022-05-07 | 2022-05-07 | 9 | 100 | 896 |
| Address 3 | 2022-05-07 | 2022-05-07 | 9 | 100 | 896 |
| Address 4 | 2022-05-09 | 2022-05-10 | 9 | 100 | 896 |
| Address 5 | 2022-05-10 | 2022-05-10 | 9 | 100 | 896 |
| Address 6 | 2022-05-11 | 2022-05-11 | 9 | 100 | 896 |
| Address 7 | 2022-05-12 | 2022-04-12 | 9 | 100 | 895 |
| Address 8 | 2022-05-12 | 2022-05-13 | 9 | 100 | 896 |
| Address 9 | 2022-05-14 | 2022-05-14 | 9 | 100 | 896 |
| Address 10 | 2022-05-17 | 2022-05-17 | 9 | 100 | 896 |
| Address 11 | 2022-05-17 | 2022-05-18 | 9 | 100 | 895 |
| Address 12 | 2022-05-09 | 2022-05-10 | 3 | 100 | 298 |
| Address 13 | 2022-06-15 | 2022-06-15 | 9 | 10 | 89 |
| Total | 10,241[1] | ||||
Identified Tornado.cash withdrawals
Upon further analysis, we observed that the withdrawn ETH was then converted into RenBTC, a wrapped Bitcoin token on the Ethereum blockchain, across two different decentralized exchanges.
Subsequently, these RenBTC tokens were transferred via the RenBridge, a decentralized application enabling the conversion and transfer of digital assets between blockchains.
| Deposit Addresses | Date of Deposit to RenBridge (UTC) | Deposited Amount (in RenBTC) | Withdrawn Amount (in BTC) | Date of Withdrawal from RenBridge (UTC) | Withdrawal Addresses |
| Address 1 | 2022-06-29 | 50 | 50 | 2022-06-29 | Address 1 |
| Address 2 | 2022-06-30 | 49 | 49 | 2022-06-30 | Address 2 |
| Address 3 | 2022-07-01 | 49 | 49 | 2022-07-01 | Address 3 |
| Address 4 | 2022-07-14 | 49 | 49 | 2022-07-14 | Address 4 |
| Address 5 | 2022-07-15 | 52 | 52 | 2022-07-15 | Address 5 |
| Address 6 | 2022-07-28 | 63 | 63 | 2022-07-28 | Address 6 |
| Address 7 | 2022-07-29 | 63 | 63 | 2022-07-29 | Address 7 |
| Address 8 | 2022-08-01 | 64 | 64 | 2022-08-01 | Address 8 |
| Address 9 | 2022-08-10 | 65 | 65 | 2022-08-10 | Address 9 |
| Address 10 | 2022-08-17 | 71 | 71 | 2022-08-17 | Address 10 |
| Address 11 | 2022-08-18 | 70 | 70 | 2022-08-18 | Address 11 |
| Address 12 | 2022-07-14 | 16 | 16 | 2022-07-14 | Address 12 |
| Address 13 | 2022-09-02 | 7 | 7 | 2022-09-02 | Address 13 |
| Total | 668 | 668 |
RenBridge cross-chain transfers
At this point, the cryptocurrency had been swapped back into its original form – Bitcoin, and a total of 668 BTC were withdrawn. The remaining 31 BTC was moved to an unidentified wallet, making further tracking challenging. The summary of these transactions can be seen in the table below:
In conclusion, our investigation into the Parity hack provides crucial insights into the techniques employed by hackers to launder stolen funds. Our findings underscore the importance of blockchain analytics in tracing illicit funds and reinforcing the security mechanisms of the blockchain ecosystem.
Coinfirm is committed to providing robust blockchain analytics and pioneering investigative efforts, enabling a safer and more transparent blockchain ecosystem.
