1/ An investigation into how I identified one of the suspects tied to the $28M Bittensor hack from 2024 by identifying anime NFT wash trades linked to a former employee, and earned a whitehat bounty for my efforts.
2/ 32 $TAO holders experienced unauthorized transfers in excess of $28M from May to July 2024, and the Bittensor network was temporarily halted on July 2, 2024. A post-mortem published by the team revealed the thefts were the result of a supply chain attack after a malicious PyPI package was uploaded in late May 2024. Victims who downloaded the package and performed specific operations accidentally compromised their private keys.
3/ I began tracing the stolen funds from two initial theft addresses. TAO was bridged to Ethereum via the Bittensor native bridge and then transferred to instant exchanges, where the attackers swapped to XMR.
Victims:
$400K: 5ENiTXL63DRMKytjaDRBLnorwd6qURKcCVgsgpu8UQxgptQN
$13M: 5DnXm2tBGAD57ySJv5SfpTfLcsQbSKKp6xZKFWABw3cYUgqg
4/ Theft consolidation address 0x09f deposited ~$4.94M to Railgun, a privacy protocol, in June 2024. 548.934 ETH total was deposited via 0x601 from June 8-9. 701.066 ETH, 277.2K USDC and 22.35 WETH total was deposited via 0xf5ff on June 11 & 15.
0x09f76d4fc3bce5bf28543f45c4cee9999e0a0aaf
5/ I deanonymized the Railgun withdrawals to three addresses (0x1d7, 0x87d8, 0x1fbc) by applying timing / amount heuristics.
Total deposits: 1249.68 ETH, 277.2K USDC, 22.35 WETH
Total withdrawals: 1246.16 ETH, 276.4K USDC, 19.83 WETH
The unique denominations and short deposit window make the demix high confidence.
Withdrawal addresses:
0x87d82c5401764f87856a31746f603ff766c72c7d
0x1d7ac347943c2143587978141a9415f2138adc2a
0x1fbc554caff6c1b4c00a692c9849de62de97e29c
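A worked version of the timing / amount heuristic described in 5/, as an added example that is not part of the original thread. The token amounts are modelled on the thread's figures, but the individual transaction splits, timestamps, the decoy withdrawal and the short address labels are constructed; a real run would pull deposit and withdrawal events from the pool contract's logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    ts: datetime      # block timestamp (UTC)
    address: str      # depositor or withdrawal recipient
    token: str        # ETH, WETH or USDC
    amount: float

# Constructed sample data modelled on the amounts in the thread; the exact
# splits, timestamps and labels are assumptions, not on-chain records.
DEPOSITS = [
    Flow(datetime(2024, 6, 8, 14, 0), "0x601", "ETH", 548.934),
    Flow(datetime(2024, 6, 11, 9, 0), "0xf5ff", "ETH", 701.066),
    Flow(datetime(2024, 6, 11, 9, 5), "0xf5ff", "USDC", 277_200.0),
    Flow(datetime(2024, 6, 15, 12, 0), "0xf5ff", "WETH", 22.35),
]
WITHDRAWALS = [
    Flow(datetime(2024, 5, 20, 8, 0), "0xaaaa", "ETH", 500.0),  # predates deposits: excluded
    Flow(datetime(2024, 6, 9, 3, 0), "0x87d8", "ETH", 400.0),
    Flow(datetime(2024, 6, 12, 1, 0), "0x1d7", "ETH", 846.16),
    Flow(datetime(2024, 6, 12, 2, 0), "0x1fbc", "USDC", 276_400.0),
    Flow(datetime(2024, 6, 16, 7, 0), "0x1d7", "WETH", 19.83),
]

def confidence(ratio: float) -> str:
    """Score how much of the deposited amount reappears on the withdrawal side."""
    if ratio > 1.0:
        return "none"    # more left than went in: these are not the same funds
    if ratio >= 0.98:
        return "high"    # only relayer / gas fees are missing
    if ratio >= 0.85:
        return "medium"
    return "low"

def demix(deposits, withdrawals, window=timedelta(days=7)):
    """Per token: keep withdrawals that land after the first deposit and within
    `window` of the last one, then compare totals. Uncommon denominations and a
    tight window are what make a match meaningful; round amounts in a busy
    pool would not be."""
    report = {}
    for token in sorted({d.token for d in deposits}):
        deps = [d for d in deposits if d.token == token]
        start = min(d.ts for d in deps)
        end = max(d.ts for d in deps) + window
        wds = [w for w in withdrawals if w.token == token and start <= w.ts <= end]
        deposited = sum(d.amount for d in deps)
        withdrawn = sum(w.amount for w in wds)
        ratio = withdrawn / deposited
        report[token] = {"deposited": deposited, "withdrawn": withdrawn,
                         "ratio": round(ratio, 4), "confidence": confidence(ratio),
                         "recipients": sorted({w.address for w in wds})}
    return report

if __name__ == "__main__":
    for token, row in demix(DEPOSITS, WITHDRAWALS).items():
        print(token, row)
```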
6/ The stolen funds flowed to more instant exchanges from 0x87d8 on June 9, and the rest was consolidated to 0x1d7 on June 10. 0x1d7 bridged 1054 ETH to Avalanche and back again to Ethereum via Synapse on June 14.
0x4fbc6c00fa1ef99561e1d977ee6c678a54cfb06f
7/ 0x1d7 purchased 4x Killer GF NFTs for 18.644 ETH on June 12 at 6:29 pm UTC from 0x0bc7, a wallet newly funded via instant exchange 2, which had purchased 30 KGF NFTs for 1.279 ETH total on June 12 at 5:58 pm UTC. The floor price averaged ~0.045 ETH per NFT, meaning 0x1d7 suspiciously overpaid 0x0bc7 by many multiples.
8/ 0x5e9c purchased 30x Killer GF NFTs for 3.23 ETH total on June 12 at 6:35 pm UTC. 0x5e9c then sold 27 NFTs to 0x0bc7 for ~19.3 ETH, paid with funds washed from theft address 0x1d7. The diagram below highlights how all three addresses involved interact with each other.
9/ 0x5e9c was funded with 14 ETH by 0xcf0c on June 12 at 5:11 pm UTC, prior to the wash trades taking place. 0xcf0c has frequent interactions with 0xd512, a Bittensor user that deployed the 'Hot Wheels Presale' contract for a project called 'Skrtt racing'. Further investigation revealed the Skrtt project was created by a person who uses the alias Rusty.
10/ Rusty uses the X account 'otc_rusty', and his bio states he was previously an Opentensor Engineer. For those unaware, OT is the foundation that stewards Bittensor.
11/ Earlier this year a civil lawsuit was filed against multiple suspects based on these findings. An interesting bit taken from the defendants' statements is highlighted below, where Rusty (Ayden B) admits ownership of several wallets I identified, though he denies involvement. 0xJones (Jon L), another alleged suspect, previously applied for a role at OTF, is friends with Rusty, and deleted messages from the Bittensor Discord and deactivated his X account after the incident.
12/ It's extremely rare to see exploits/hacks involve NFT wash trading, and I think the relationship between each address is just too coincidental given how they were funded prior to the NFT purchases and traded at multiples above the floor price for the collection. Hopefully law enforcement eventually moves forward with a criminal case. Another piece of evidence is the overlap in instant exchanges used by the attacker that are also tied to the suspects, which I did not dive into as much since this post was getting quite long.