Investigation Shows XRP Theft from Ripple Chairman Hack Larger than Reported

  thecryptobasic.com 12 h

An investigation from The Crypto Basic shows the XRP theft from the Ripple chairman hack was larger than previously reported, following an analysis from Hacken, a web3 security auditing protocol.

The security auditor was one of the entities to call attention to the hack on Jan. 31 following ZachXBT’s disclosure. Recall that earlier reports suggested that the exploit led to the loss of about 213 million XRP, with the malicious actors leveraging centralized exchanges to launder the funds.

In its latest report, Hacken pointed out that the movement of the stolen funds took over 11 hours. The platform noted that this long duration is unconventional, as exploiters often take out stolen funds as quickly as possible following a hacking incident.

🚨 @Ripple Case: Insights That Went Unnoticed

Driven by peculiar intricacies surrounding a recent XRP event, our team embarked on an in-depth inquiry

The key outcome of our investigation: two wallets, that took a central stage in the incident, are connected to XRP’s authorized… https://t.co/CQDU9ggkTF

— Hacken🇺🇦 (@hackenclub) February 7, 2024

The investigation by Hacken, led by their security expert Dmytro Yasmanovych, revealed that the hackers moved the stolen XRP from Larsen’s wallet to eight different addresses, and then funneled them into centralized exchanges for laundering. ZachXBT noted this earlier.

The XRP Wallet of Focus

Hacken spotlighted a particular address with the initials rU1bPM4q. According to them, this address is worth noting, as it interacted multiple times with Chris Larsen’s wallet even before the hack. These interactions confirm that Larsen knows the address.

The Hacken team then noted that one of the addresses the hackers used to receive the funds was a Kraken address. They discovered that this Kraken address also interacted with address rU1bPM4, the wallet of focus, as far back as 2020. Notably, rU1bPM4 sent 5.7 million XRP to the Kraken address in March 2020.

Based on their investigation, they were basically pointing out that the Kraken address the hackers used to receive the stolen funds has in the past interacted with an address that Larsen is familiar with. This raised questions, with speculation that Larsen might know the individuals behind the incident.

Ripple CTO Clears the Air

Notably, the Ripple CTO David Schwartz clarified the situation in a response to their report. Schwartz highlighted that Kraken only has one XRPL address, which is the address spotlighted by Hacken. All deposits to Kraken enter into this address, but users leverage destination tags to specify who the deposit goes to.

I suspect you don’t understand how the XRP Ledger works. For example, rLHzPsX6oXkzU2qL12kHCH8G8cnZv1rBJh is Kraken’s *only* XRP deposit address. All XRP deposits to Kraken are made to the same Kraken wallet.

— David «JoelKatz» Schwartz (@JoelKatz) February 8, 2024

Hacken erroneously implied that this address specifically belonged to the hackers, not knowing that it is Kraken’s general deposit address. This is basically how the XRP Ledger works. Schwartz pointed out that the Hacken time might not be familiar with how the network works.

In a subsequent update, the Hacken team admitted the error in their research, and corrected their stance. However, some questions remained unanswered, especially regarding the rU1bPM4 address earlier spotlighted in the research.

❗️ Updating our research on the Ripple case. We shared our investigation findings, noting some unusual aspects not raised earlier. Thanks to the community and Ripple representative, we’ve already got answers to a few of them, although one question remains unanswered

🧵… https://t.co/iV8do5DzRO

— Hacken🇺🇦 (@hackenclub) February 8, 2024

The team discovered that, besides interacting with the Kraken deposit address, rU1bPM4 also interacted with another address (rs1S85L) used to receive the stolen assets.

Investigation Shows More XRP Stolen

The Crypto Basic conducted its own separate investigation and found that the interaction rU1bPM4 had with the hackers’ address rs1S85L was not entirely suspicious.

Notably, rU1bPM only interacted with rs1S85L, the hackers’ address, once on the day of the hack. In addition, rs1S85L was activated by European exchange WhiteBIT, which might suggest an affiliation with the exchange. However, this remains unconfirmed.

Moreover, an extensive look at rU1bPM4 shows that the address belongs to Larsen. Interestingly, this address also saw outflows to multiple addresses belonging to the hackers during the hack. These outflows amounted to over 28 million XRP from 11:13 to 22:45 (UTC) on Jan. 30.

This indicates that rU1bPM4 also suffered an attack just like Larsen’s other wallet on Jan. 30. As a result, the interaction with rs1S85L, amounting to a 70,000 XRP, was one of the outflows initiated by the hackers. In fact, it was the last transaction from the hackers.

XRP Outflows from Ripple Chairman Hack | Bithomp

The finding suggests that the stolen funds might be more than earlier reported. Prominent on-chain sleuth Tayvona confirmed this in a reply to Hacken. She shared multiple transaction IDs of the malicious outflows, stressing that the stolen assets actually amounted to 282 million XRP, and not 213 million XRP.

Here’s the theft txns I identified. Should be ~282m xrp

01328A55C375D0DDA7C01994BC9A71D48630679EC4E0A2D9C214B99ECA38C3F9
2C0853B0DABEB6F19D13727FEE97FD056422C605B6CAF43A0869A8EEF14F7473
0EAEAE048F08F75B37521B9D323AC6D4704053D5AD8D7807FD901B3465CB1C90…

— Tay 💖 (@tayvano_) February 8, 2024

Source