[Bounty Hunting 2.0] – Tracking a $200M + Protocol Hacker

Hello!

Last week I was challenged with the task to find out who this wallet belongs to – 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth

I immediately noticed this particular wallet had hundreds of millions of dollars worth of transactions.

My first thought was WHALE!

However, after digging a bit deeper, I came up with a different conclusion.

This wallet was posted as a public bounty and the research is all my own. If I'm completely off base in my analysis feel free to rip this apart!

I removed all social info acquired in my research per the moderators' request and guidelines. Maybe at some point I'll post full details on my Twitter or a newsletter.

Thesis

It's my belief that 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth is actually the Pancake Bunny Flash Loan Exploiter. The exploit took place on 5/19/21.

We know that this wallet – 0xa0ACC61547f6bd066f7c9663C17A312b6Ad7E187 executed the exploit. This wallet is marked in the image below [the white suspect icon in the middle] and numerous media outlets also reported on this wallet.

Above is a look inside 0xa0ACC61547f6bd066f7c9663C17A312b6Ad7E187 – The Bunny Finance Exploiter wallet. This wallet was created on 5/19/21 to launder the funds across the 4 intermediary wallets to the right. This wallet is identified with the image in the middle.

I looked inside 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth to sort by the highest transactions for this wallet. I noticed that the top 3 highest txns all were for the BUNNY token taking place on 5/19/21.

Above is the highest transactions of all time for 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth taking place on 5/19/21, the day of the Bunny Finance Flash Loan Exploit.

I wanted to see ALL the BUNNY token txns for 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth. All of these txns took place on or minutes after the exploit on 5/19 or 5/20/21. Above is a view of the txns.

Lastly, I wanted to check the Pancake BUNNY token for the highest transactions of all time. Again, all of the highest-amount txns took place on the day of the exploit.

Above is an image of the Pancake BUNNY token sorted by highest valued transactions of all time. The two wallets at the bottom are our wallet of interest 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth and 0xfeb8E0445ca452E8cc5039eE23e685c0e849D837, who I believe is also part of the Bunny Finance Flashloan attack.

QKLPJ.ETH Main Wallet

Above is a visual of 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth. I marked off additional wallets owned by qklpj.eth. I’ll include all of the ones confirmed in my research below. The deposit addresses are on the right, with a couple missing for whatever reason in this visual. Lastly, I found an interesting wallet that Arkham has marked off as the BZX Private key exploiter. Could this wallet also be linked to that exploit as well?

QKLPJ.ETH Deposit Addresses

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance [most txns]

0x3ded0973E2e259a7760E231B63Ad2C5989f851BA – Binance

0xc9F1Fb88150176e594a5a98F302808f11F51D1f7 – Binance

0xF573cE9f5777782C801Bf6de5139b122A4CdC436 – Binance

0x89CeB171Cd88FF252E361408EE3fcC3f3C9463C6 – MEXC

0x554013Ea0bBefEa3a474Ac24A01AF097A9d65916 – OKX

0x64bF3d9F227c0F37346b9a2466529b32778fD6c7 – Huobi

0x7cfb933076406B00a1522D34522B18F994327C48 – Peatio

Wallets of Interest

qklpj 2 – 0x83d3CA86149AF8D904a4Fd46311472C0f82b0C2C

Above is inside 0x83d3CA86149AF8D904a4Fd46311472C0f82b0C2C – qklpj 2. Many of the same deposit addresses are shared with 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth. I did notice a 6 MILLION dollar incoming txn of XUSDT with a BZX wallet. Here’s the txn.

The Connection

0x83d3CA86149AF8D904a4Fd46311472C0f82b0C2C – qklpj 2 shares the below deposit address with 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth

0xF573cE9f5777782C801Bf6de5139b122A4CdC436 – Binance

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

Additionally, there are 44 txns totaling 194 MILLION between the two wallets.

Deposit Addresses

0xF573cE9f5777782C801Bf6de5139b122A4CdC436 – Binance

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x45E6BaC5bdD63877Ef936EE119fd424EB62C8445 – MEXC

0x9d215613eaBd91280e0fD4254d6f32e1FE29bE1A – FTX

qklpj 3 – 0x1729f93e3c3C74B503B8130516984CED70bF47D9

Above is 0x1729f93e3c3C74B503B8130516984CED70bF47D9 – qklpj 3. To the left is 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth. There are numerous interactions between the two wallets as well as some shared deposit addresses. I noted the MEV bot in the bottom right corner.

The Connection

0x1729f93e3c3C74B503B8130516984CED70bF47D9 – qklpj 3 shares the below deposit address with 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x554013Ea0bBefEa3a474Ac24A01AF097A9d65916 – OKX

Additionally, there are 132 txns totaling 42.6 MILLION between the two wallets.

Deposit Addresses

0x730d77C8362dDC0aBbB80242CCdbe3693d20b3FC – Coinbase

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x6C0Ba846A572a207f3ED7ed243574B9DB7879669 – Binance

0x554013Ea0bBefEa3a474Ac24A01AF097A9d65916 – OKX

qklpj 4 – 0x52433FDA99704bb08f553C8dEf3C6883F5FBbe8C

Above is 0x52433FDA99704bb08f553C8dEf3C6883F5FBbe8C – qklpj 4. To the left is 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth and additional qklpj.eth wallets. Qklpj 4 funded many of the additional wallets listed below.

The Connection

0x52433FDA99704bb08f553C8dEf3C6883F5FBbe8C – qklpj 4 shares the below deposit address with 0x99854BA0A00012336fb508c082e5Bd974333dBD3 – qklpj.eth

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x3ded0973E2e259a7760E231B63Ad2C5989f851BA – Binance

0x64bF3d9F227c0F37346b9a2466529b32778fD6c7 – Huobi

27 txns totaling 1.6 MILLION with qklpj.eth.

29 txns totaling 1.8 MILLION with qklpj 3.

Deposit Addresses

0x3ded0973E2e259a7760E231B63Ad2C5989f851BA – Binance

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x82CD862b962EEDf0F4c81230Cf608131B6b4a928 – Binance

0x44d2Ffd354E93Af942C1Da188d43279d1538eF26 – Huobi

0x64bF3d9F227c0F37346b9a2466529b32778fD6c7 – Huobi

Additional Wallets

Below are the additional wallets owned by qklpj.eth. Many share the same deposit addresses or were funded directly by the Wallets of Interest above.

0x98c851a65785c340985cd5873ac809e2e1E83cf5 – qklpj 5

0xc9F1Fb88150176e594a5a98F302808f11F51D1f7 – Binance

0x015Fd5b0E791BbCBE65CeC906bfbB2940cbbb456 – qklpj 6

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0xb46595490ECA2Ca6a77C280896C7Ca35589589A8 – Binance

0x6C0Ba846A572a207f3ED7ed243574B9DB7879669 – Binance

0xA866b1b0c8ba7794a1FCB05Bf87961e4D7f43F29 – Binance

0x59Ee1832ce085ef5eAf8Bfb233f236141D6B6418 – FTX

0x6fF0fd821eAF8DF042972490618762e4a0bc3b43 – qklpj 7

0x4d46D06a3886ad3560477f6bF8fAB19ad9De2dc0 – Binance

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0xa862b63eE9ee12De213Fd3A42345783a0AA1F9fc – Binance

0x93f336a9E5e2f24D924455Bf70Cc450e5DF57AeC – qklpj 8

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0xF573cE9f5777782C801Bf6de5139b122A4CdC436 – Binance

0x618c3a9a403Aea2b2Be4E353312C9ab1aEabdF55 – qklpj 9

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x45cbB7365cd027077c5d78bA2077b0a7B2fFC6F7 – qklpj 10

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x2061fEbb50Cc60BFa1Ec13c444AA6ac7F25485B4 – qklpj 11

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x723799b5361D800BeB633721b82E573C190100d7 – qklpj 12

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0xFaa653930260719e4b635a70c33394aCcA1E8595 – qklpj 13

0xb4176b3a385bE6D620b3333B10573c2611Eff8B5 – Binance

0x038294a85dd0ad3b357EF4bbA048d6D4b5f0f302 – qklpj 14

0xf80E7bA56C7e48c25Ee5f6D01F530781A0f4C850 – qklpj 15 [Contract?]

0xC1b22C206d69e1bD0A14c10f24FBD09457ecb8fE – qklpj 16

0x02349c5BF9f066076A61436c589A3f3A4F867BfF – qklpj 17 [Contract?]

0x9481DEaE9563F5C27291188d3AFEA7a5e410C742 – qklpj 18 [Contract?]

0x013eBEa6d8e3Eb0b637Af544Db0d9C6785217cA5 – qklpj 19 [Contract?]

In Conclusion

Above is a look inside Binance Deposit Address – 0xb4176b3a385bE6D620b3333B10573c2611Eff8B5. This deposit address wallet has over 1.02 BILLION in funds sent through it! I noted the two Persons of Interest at the top. The wallets at the bottom are most likely qklpj.eth wallets but I’m unable to 100% confirm.

The blockchain is forever!

There are a number of "Persons of Interest" here that warrant further investigation. The Pancake Bunny Flash Loan exploit took place back in May of 2021. I believe this same group is responsible for a number of other exploits similar to this one.

While not technically a hack, the result is still the same. A number of retail investors, developers, and exchanges lost millions.

TLDR

In Pancake Bunny Finance's words, here's what happened:

https://preview.redd.it/rkeax3i549pb1.png?width=1120&format=png&auto=webp&s=49dd51cdf0554e288ce5ce3861ad7269c3e6e78f

submitted by /u/jbtravel84
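The linking step used throughout the post, grouping wallets that send to the same exchange deposit address, written out as an added example that is not part of the original post. All addresses and labels below are constructed placeholders, and `max_senders` is an assumed guard against treating a widely shared address as evidence of common ownership.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not addresses from the post).
SAMPLE_LABELS = {"0xDEP_A": "Binance", "0xDEP_B": "OKX", "0xHOT": "Binance"}
SAMPLE_TRANSFERS = [
    ("0xW1", "0xDEP_A"), ("0xW2", "0xDEP_A"),
    ("0xW2", "0xDEP_B"), ("0xW3", "0xDEP_B"),
    ("0xW4", "0xW1"),  # wallet-to-wallet transfer, ignored by this heuristic
    ("0xW5", "0xHOT"), ("0xW6", "0xHOT"), ("0xW7", "0xHOT"),
]

def cluster_by_shared_deposit(transfers, deposit_labels, max_senders=20):
    """Group wallets that sent funds to the same labelled deposit address.

    max_senders is an assumed guard: a "deposit" address with more distinct
    senders than this looks like a shared hot wallet and is not used as a link.
    Returns (clusters, evidence); evidence maps deposit address -> senders.
    """
    labels = {a.lower() for a in deposit_labels}  # hex addresses: compare lowercased
    senders = defaultdict(set)
    for src, dst in transfers:
        if dst.lower() in labels:
            senders[dst.lower()].add(src.lower())

    parent = {}
    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence = {}
    for dep, srcs in senders.items():
        if len(srcs) < 2 or len(srcs) > max_senders:
            continue  # links nobody, or too widely shared to imply one owner
        evidence[dep] = sorted(srcs)
        for other in evidence[dep][1:]:
            parent[find(other)] = find(evidence[dep][0])

    groups = defaultdict(list)
    for wallet in parent:
        groups[find(wallet)].append(wallet)
    return sorted(sorted(g) for g in groups.values()), evidence

if __name__ == "__main__":
    clusters, evidence = cluster_by_shared_deposit(
        SAMPLE_TRANSFERS, SAMPLE_LABELS, max_senders=2)
    print(clusters)
    print(evidence)
```

The returned evidence map records which deposit address produced each link, so every cluster can be checked against the underlying transfers; a shared deposit address points to a common exchange account, not to a named person.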