Hey guys… It’s gonna be a long post with a lot of links.
This was posted on the Official Bezant Announcement Channel on Telegram.
When I was pointing out the inconsistencies of the team’s claim right after the hack on the main Bezant Telegram chat, I was banned.
Out of curiosity I asked the admin what the reason for the ban was.
Here is the transcript of the first convo with Adam the Admin:
After that, I started digging into the Ethereum blockchain to confirm that I’m not imagining things…
Here is what I’ve dug up:
Here is their swap wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x96dcbc8481b7f7b1871d3b6bef62417aad40d48d
They set it up on Jan-29-2020 04:38:32 PM +UTC and beef it up with funds:
Here is the initial TX going to that wallet: https://etherscan.io/tx/0xb4cd7c69819e777e413f2747b372049e30b122a93f12050b92356d85e43eef64
They likely test their services on Jan-29-2020 04:41:27 PM +UTC as there are two outgoing TXs involving BZNT: https://etherscan.io/tx/0xa73fdf275dafca3d4fb0b4e8eab8d4362fbc767c96af5c617b40ee816b068932 and https://etherscan.io/tx/0xd355c5b215be812052b37cc27724a6819248be5c6ec0f0d7d832098713e24894
On Jan-30-2020 01:35:43 AM +UTC this TX happens: https://etherscan.io/tx/0x683dfea24b2cdb3b26c3822aac22d2f78d8d96ead1367c8341671a00efb39d36 (which goes to Bithumb’s user wallet and then Bithumb 6)
This is strange. Because two other testing TXs were directed to the regular wallets and not Bithumb’s.
Plus this wallet has a very strange activity to it: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x1296b263f130612b910e84a393f845e9157815b7 and https://etherscan.io/address/0x1296b263f130612b910e84a393f845e9157815b7
Previous BZNT transfer was on Oct-08-2019 02:07:23 PM +UTC (more than 120 days ago)
And that’s it! NO OUTGOING TXs until the token swap occurs and service opens!
So from Jan-30 to Feb-02 the wallet was NOT tested. But the incoming TXs are still there beefing up the wallet.
This is not good. They were testing the wallet 3 times only (one is likely malicious). Given the circumstances and the possibility of the team not being very big, there is no security expert to check the code for malicious activity and/or injected services.
Then on Feb-02-2020 04:10:11 PM +UTC, the day before the main event this TX occurs: https://etherscan.io/tx/0x829a264ebeddb00ee92f2255be369c9d0bd494831761e6afcf6553e124681a28
It goes to the regular wallet (likely the final testing TX before the swap opens up).
Now watch the hands:
As soon as the swap service opens we see 3 TXs going to Bithumb’s User wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x120f8edf3d6c360e725691e2d992ca871f62d331
All of them are here:
Feb-03-2020 10:08:01 AM +UTC - https://etherscan.io/tx/0xe0446f142758630328d88579c751e550bee3d1909169889e4ddc8ff080e22f39
Feb-03-2020 10:19:15 AM +UTC - https://etherscan.io/tx/0x35ed1f813ec3ba82a2e1961bb6c0414d0cd2f135d673e097d1fa2c28686a9d4b
Feb-03-2020 10:34:59 AM +UTC - https://etherscan.io/tx/0x42a7b42137caccb03d6dda9076089cca695f5b05cd80d4153aae670603ab1744
They are all within the limit of 100,000 Bezant tokens per submission
Then this TX interrupts our 0x120f…331 wallet: https://etherscan.io/tx/0xc25b6f95aedf9530440334b49241f34d048c48051756730fa445914ed898a538
Funds go to this wallet (likely the exchange, given the pattern of TXs): https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0xadd60c0888194986c2dad79a0ca178299002b573
Then 0x120f…331 is at it again, making 3 TXs:
Feb-03-2020 10:50:28 AM +UTC - https://etherscan.io/tx/0x0658e68e0377cbc9cf0fe3d3f7ad8b6c11907adeeb2d59bbd12eccc6ff2527a6
Feb-03-2020 10:58:48 AM +UTC - https://etherscan.io/tx/0xc8bd238c3f390dad8fbc255ab217a186425b2dd5d32c3c926250a88ad60eaa23
Feb-03-2020 11:08:29 AM +UTC - https://etherscan.io/tx/0x6c085ffdb081131ee378274a2cda7f3e177f9d5943773c6311f9eb1f18e8e694
Then this TX: https://etherscan.io/tx/0xa475bccead3b6daa462ee995a8ee10082ae3406e8b9ddc0438cf8e57bb560266
It goes to another Bithumb’s wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x05c1c8ba251930c373729b31d9d0b29d76cb1c0b
Then this TX: https://etherscan.io/tx/0x8f1afc08a6e84730936905fbbffdf48413cee731b265197b653301162a2626a3
It goes to this wallet (once again, likely the exchange): https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0xadd60c0888194986c2dad79a0ca178299002b573
Now look at the next 2 TXs from 0x33a…e77: https://etherscan.io/tx/0x87493da1adfd504b8b1b8cd39ebe5a620ce9fff10b3a392b4cdd676e93e9a6b4 and https://etherscan.io/tx/0x54c664168937df66d4f454eb8d6907423e89ae4e93e441ef90fbf4c6c95a3dea
The wallet was another Bithumb’s user: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x33a12b4945eba2bb59f61953cb4c00c9325e7e77
Then after this TX occurs, the “hack” happens.
TX of the hack: https://etherscan.io/tx/0xc362fb3c1974ccabbbf65dd7aaf31867d8d96d684a14047316ef3bbbb5b29ab0
Timestamp: Feb-03-2020 03:20:32 PM +UTC
According to very limited official info, “35,488,558 BZNT of the customers’ assets in the Wallet were transferred to a specific address” and “Bezant dev team locked the address the tokens were transferred to in order to prevent further movement”.
You can’t lock the specific address on ETH blockchain. It’s permissionless and censorship-resistant, so once the transfer is there, you can’t do anything to stop it. You can’t just lock the specific address because of the hack. Unless you (or the person/system) holding the private key does not sign the outgoing TXs.
After the “hack” there is still money in the wallet, which is indicated by another 4 TXs:
Feb-03-2020 03:21:01 PM +UTC - https://etherscan.io/tx/0x98006ed53b61aa80ca9fa3397ee1fb5db14f73f4d1a53c8a2755fda52dcc3390
Feb-03-2020 03:24:19 PM +UTC - https://etherscan.io/tx/0x689ce365f553717234bc48db1e675cc46bea0164de9487a2cd4d0b8cdc00937a
Feb-03-2020 03:27:35 PM +UTC - https://etherscan.io/tx/0x27a92775451af08b082ef69ce69d079b8243f78473712fb8a558fd5fded9a37b
Feb-03-2020 04:58:10 PM +UTC - https://etherscan.io/tx/0x9b62ddf314352d3c904b590aea1e4c6fd3e665715b57642e182e4c01c055f43d
Every hack on the blockchain involves the private key. Once the attacker has the key, he usually sweeps the wallet containing victim’s funds (sweeping means transferring ALL of the remaining funds on the victim’s wallet to the wallet under the control of the attacker to which the latter has its own private key). The victim’s wallet becomes empty until the incoming TX comes. Then the attacker can sweep the victim’s wallet again.
The last TX looks weird.
It transfers the remaining funds to another wallet: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x7a7bc01a2c0784139e3af1b329b7adcf95a74425 (likely the second “unhacked” swap wallet)
Then they test this wallet by making two TXs:
Feb-03-2020 06:00:13 PM +UTC - https://etherscan.io/tx/0xea19554c8ff5c450524b41d74321cc760ea0989dd9a16ad7d9a77b502d42aa9b
Feb-03-2020 05:30:09 PM +UTC - https://etherscan.io/tx/0x7dc7e38c34eddc29126a5478b486de86ca21cdfd1ff25efe00f309cbb2d7fdba
The wallet to which the funds are credited is the same testing wallet that made the first two test TXs: https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x67eed7125ca2b9d1859c4d824a675bd1fa45256d
Then 0x33a…e77 makes the last 4 TXs before the halt of the swap service:
Feb-04-2020 03:32:03 AM +UTC - https://etherscan.io/tx/0xa4d92e792a0fcebcf2e1061a0476806ccfc727cc57b8c60c2e5a4ddf542f4cdb
Feb-04-2020 03:37:22 AM +UTC - https://etherscan.io/tx/0x5104cda7b53ebfd09851c70d0e7955f40f52861d741877974bc29a015f760239
Feb-04-2020 03:47:19 AM +UTC - https://etherscan.io/token/0xe1aee98495365fc179699c1bb3e761fa716bee62?a=0x7a7bc01a2c0784139e3af1b329b7adcf95a74425
Feb-04-2020 03:56:41 AM +UTC - https://etherscan.io/tx/0x98aca1b33d8b34ad73df9e05eee4944d0c1eda1b9e96497f6ecbc2bac7fddc4a
The hack occurred on Feb-03-2020 03:20:32 PM +UTC. They’ve “locked the funds” and set up the second swap wallet to let the 0x33a…e77 finish their transfers and then halt the service. AND ONLY 0x33a…e77
All these inconsistencies made me doubt the nature of the hack. I’ve made another Telegram Account and presented all this evidence openly and publicly waiting for answers.
The admin replied that he would consult the team and summarised my complaints in the wrong way.
I’ve made a little TL;DR:
TL;DR for the easy analysis:
According to the official claims we have this:
- Hacking attack occurred on the ERC-20 wallet being used by the Bezant team to operate the swap service
- 35,488,558 BZNT of the customers’ assets in the Wallet were transferred to a specific address
- Hacking Attack Time: 2020-02-03 15:20:32 (UTC)
- Actions taken: Bezant dev team locked the address the tokens were transferred to in order to prevent further movement
I’ve presented the view from the blockchain standpoint which contradicts some of these claims:
- There is no evidence on the blockchain that this was a hack. The private key was NOT compromised as there is no sweep transaction and the wallet is still functional even after the “hacking” transaction occurred.
- The claim that the hacker has transferred 35,488,558 BZNT to the specific wallet is false. The team transferred this amount as indicated by the timestamp of the “hacking” TX being the same as the “locking” TX.
- The team’s claim of locking the hacker out is also false. You can’t lock somebody else’s ETH wallet.
After this TL;DR I was banned again with all my messages being deleted from the chat.
Here is the transcript of convo with Iris (another admin of the Bezant team):
So it’s very clear that the admins are instructed to ban those who openly doubt the nature of the hack….
I’d like to point out that I’ve presented enough evidence on this case that contradicts the team’s statement. The nature of the hack is still very inconsistent. The admins are instructed to ban people who point it out with facts instead of presenting counterarguments. The team never shows up to clarify anything.
Just getting my word out there and wanted to share my experience.
What do you guys think about all this?
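The sweep check the post relies on can be run mechanically over a wallet's token-transfer log. The following is an added example, not part of the original post: it replays transfers and reports whether the disputed outgoing transfer emptied the wallet and how many outflows followed it. The time offsets are taken from the timestamps quoted above, while the wallet labels, the opening balance and every amount except 35,488,558 are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Transfer:
    ts: int            # seconds relative to the disputed transfer
    sender: str
    recipient: str
    amount: Decimal

def replay(wallet, opening_balance, transfers):
    """Yield (transfer, balance_after) for each transfer touching `wallet`, oldest first."""
    balance = Decimal(opening_balance)
    for t in sorted(transfers, key=lambda t: t.ts):
        if wallet not in (t.sender, t.recipient):
            continue
        balance += t.amount if t.recipient == wallet else -t.amount
        if balance < 0:
            raise ValueError(f"transfer at ts={t.ts} overdraws the wallet; log is incomplete")
        yield t, balance

def sweep_report(wallet, opening_balance, transfers, suspect_ts):
    """Apply the sweep heuristic to the outgoing transfer made at `suspect_ts`."""
    report = {"swept_at_suspect": None, "balance_after_suspect": None,
              "later_outflows": 0, "emptied_at": None}
    for t, balance in replay(wallet, opening_balance, transfers):
        if t.sender != wallet:
            continue
        if t.ts == suspect_ts:
            report["swept_at_suspect"] = balance == 0
            report["balance_after_suspect"] = balance
        elif t.ts > suspect_ts:
            report["later_outflows"] += 1
        if balance == 0 and report["emptied_at"] is None and t.ts >= suspect_ts:
            report["emptied_at"] = t.ts
    if report["swept_at_suspect"] is None:
        raise ValueError("no outgoing transfer from the wallet at suspect_ts")
    return report

# Constructed sample: labels and amounts are placeholders, except 35,488,558.
SWAP, DEST, USER, NEW = "swap-wallet", "disputed-destination", "user-wallet", "second-swap-wallet"
SAMPLE = [
    Transfer(0, SWAP, DEST, Decimal(35_488_558)),   # 03:20:32 PM, the disputed TX
    Transfer(29, SWAP, USER, Decimal(100_000)),     # 03:21:01 PM
    Transfer(227, SWAP, USER, Decimal(100_000)),    # 03:24:19 PM
    Transfer(423, SWAP, USER, Decimal(100_000)),    # 03:27:35 PM
    Transfer(5858, SWAP, NEW, Decimal(211_442)),    # 04:58:10 PM, remainder moved out
]
REPORT = sweep_report(SWAP, Decimal(36_000_000), SAMPLE, suspect_ts=0)
```

With real data, the transfer list would come from the token's exported transfer history for the wallet, and the opening balance from the balance at the block before the disputed transfer.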