On the 25th of September the cryptocurrency exchange KuCoin was hacked for over $200M worth of Bitcoin, Ethereum, and ERC-20 tokens. By gaining access to the private key of KuCoin's hot wallet, the wallet used for day-to-day withdrawals and transactions, the hacker was able to completely drain the funds into addresses they controlled. In this post I explain how noticing a pattern in the hacker's behaviour and a quick python script allowed me to earn some sweet satoshis from this unfortunate event.
Note: It appears the has been found since the time of writing this. BUT, stolen funds are still on the move and potential for this strategy remains.
Just one day after stealing the funds, the hacker began selling the >$100m stolen Ethereum ERC-20 tokens, starting with Ocean and Sythetix Network Token. Selling patterns emerged early on:
Here we see the first instance of selling, the hacker withdraws a portion of the tokens from the main address (0xeab...) to another address where they then do a test sell of 100 OCEAN on the Uniswap contract. Once they have confirmed the test sell was successful they continue to sell the rest of tokens. These test sells happened for a majority of the tokens the hacker sold and it gave me a few minutes edge on the market, foreseeing that a sale was about to occur.
Uniswap is a fully decentralised protocol for liquidity provision, i.e. facilitates trading/switching between Ethereum tokens, in this case the hacker was selling their tokens for ETH. As Uniswap is truly decentralised, censoring the hacker's trades is impossible. However, for some of the more centralised shitcoins, developers manually called functions within the Ethereum smart contracts in order to recover/freeze the tokens.
The hacker had huge quantities of tokens, often controlling 1-3% of a token's entire supply. In an attempt to not crash token prices by dumping huge quantities on thin orderbooks, the hacker would sell the stolen tokens in small batches after completing the test sell. This appeared to be the work of one person, selling semiregular batches of a token every 1-2 minutes; but sometimes with short breaks. Later on, you could actually observe the hacker getting less precise through their typos in transaction amounts, and they became increasingly distracted as the time gaps between sells grew.
Despite the small batch size of each sell (few thousand USD at a time), the price of the tokens dumped, and dumped hard. Below we see a price chart for DIA, where the hacker's batch selling caused a 16% crash.
The red lines mark the period for which the hacker was selling DIA, note how the absence of the hacker selling also marks the exact bottom!
Like DIA, many of the sold tokens had small market caps (~$10m) with tiny daily volumes (~$5,000) and the hacker was attempting to sell MILLIONS of dollars worth quickly. Naturally, the thin orderbooks for these tokens could not support this immense selling pressure and these tokens were now on a firesale or deservedly rekt depending on your opinion of their value.
Quickly noticing the selling and token dumping patterns, I wrote a basic python script to monitor the hacker's main token address (0xeab...) for the initial withdrawals to other addresses, from which the selling on Uniswap would then begin.
<source src="/assets/images/kucoin/ally.mp3" type="audio/mpeg">
<source src="/assets/images/kucoin/gold_please.mp3" type="audio/mpeg">
When I heard the alarm sounds (aoe2 taunt) I would run the script again on the selling address and listen to the selling begin.
In order to profit from this price action, I needed a way to short the tokens. Short-selling, where you borrow an asset to sell now and later rebuy lower for a profit (hopefully), is only offered on a few exchanges and with varying limitations. Initially, I attempted to short these tokens on Binance, but the leverage was often low (lots of margin collateral required ~30%) and position limits were small. For example, on Binance I could only borrow 240 DIA, roughly $300 USD, which only returned ~$50 on a 16% crash.
FTX.com on the otherhand, offers short selling on margin with up to 101x leverage and a position limit of $25,000 on these small tokens. That means with less than a $250 deposit I could short $25,000 USD worth of tokens!! Only a handful of the tokens the hacker had stolen were listed on FTX, but I did manage to catch a couple of dumps with epic returns
Red arrows == ape in, blue arrows == ape out. Candles are 1 minute.
My strategy became:
Sometimes the price would start dumping only a matter of seconds after I had opened my positions. Thus it was integral that I opened my position as soon as possible, regardless of small deviations in entry price. For two weeks I carried my laptop everywhere (not far due to COVID lockdown), even to the beach at one stage, connected to my mobile hotspot the script would alert me at any time of day. Me aping in & aping out is why you can see noticable slippage and a huge spike in volume, I'm the market now.
FTX is an awesome exchange with some great derivatives (elections, oil, gold!) and I would highly recommend trying it out if you haven't already.
The hacker seems to have stopped selling for now, but this script and strategy will likely work in future hacks and in similar scenarios. This strategy had a 100% success rate and my stop-losses never even came close to being hit. I speculate that by using Uniswap, the hacker crashed these coins more than they would have on other exchanges. This is because Uniswap is an automatic market maker where slippage is inherent to every trade. When the hacker dumped tokens, arbitrage bots would have bought the cheaper tokens on uniswap and sold on other exchanges (FTX) in order to make a profit on the difference, perhaps increasing the severity of of the crashes given this happened over and over again.
While in some sense this is profiting from the exchange heist, all this information is openly accessible on the Ethereum blockchain, therefore it does not meet the definition for front-running nor insider trading. The people on the other side of my trade were likely either:
Despite claims from KuCoin CEO of the suspects being found, the funds are still being actively mixed and sold. Coins I am watching out for on the (0xeab...) address:
These are all listed on FTX. Also there is still $0.5M USD of DMM in another address 0x2b9fd....
I don't trade very often, but this was a very fortunate low-risk way to stack a little more bitcoin. If you found this useful or perhaps even profitable, please consider supporting me:
Sign up for FTX.com if you haven't already.
Don't forget to share with your degenerate crypto trading friends :)
<!-- Initially routine, but started to switch it up and get lazy/distracted. Selling at an impossibly slow speed. # Liquid Knives check the Prize * How long until they started selling * Single indivual selling shedule * What they sold, some tokens were frozen * How they sold, test sells PLOT IDEAS : sell times, tokens sold, withdrawals # Token Dumping * Uniswap slippage and subsequent dumping * Arbitrage mechanism dumping prices * Why they sold for ether # Token Dumping -->