Blockchain Insights

Bounty King: Investigation Series – The Ionic Hack: $8.8M Heist on the Mode Network

BountyKing


2025.02.06


Bounty King: Investigation Series follows a team of skilled investigators as they navigate the dark world of cybercrime, uncovering hidden digital trails and solving complex mysteries with the power of AI and blockchain technology. Each case takes them deeper into the realm of online fraud, crypto hacks, and digital heists, where bounties fuel the relentless pursuit of truth. With every investigation, they piece together the puzzle—tracing lost assets and exposing the individuals behind the screens. It’s a journey of persistence, intelligence, and teamwork, where every clue brings them one step closer to justice in an ever-evolving digital landscape.


The Ionic Hack: $8.8M Heist on the Mode Network


On February 5, 2025, the Ionic platform, operating on the Mode network, suffered a security breach, leading to an estimated loss of $8.8 million. According to security firm QuillAudits, attackers exploited the platform by using unofficial fake LBTC (Lombard BTC) as collateral to secure loans.


X Post: QuillAudits' Analysis



Ionic stated that it is still investigating the incident.

X Post: Ionic’s Update



Analysis of the Hacked Wallet and Fund Movements


First, let's organize the details regarding the hacked wallet and the movement of the associated funds.

According to the incident details, the attacker's address is 0x9E34d89C013Da3BF65fc02b59B6F27D710850430, which was used to exploit the smart contract.


Interestingly, before transferring the funds to Tornado Cash, the attacker moved 1,203.651 ETH to 0x15ED470607601274DF6ED71172614B67001901EB, which was then used to funnel the funds into Tornado Cash.

  • 100 ETH was sent directly from 0x9E34d89C013Da3BF65fc02b59B6F27D710850430 to Tornado Cash.
  • 1,203.651 ETH was first transferred to 0x15ED470607601274DF6ED71172614B67001901EB, which subsequently sent the funds to Tornado Cash.

Notably, this intermediary address (0x15ED470607601274DF6ED71172614B67001901EB) received ETH from multiple sources, not just the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430).

Therefore, the attacker’s wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) and the relay wallet (0x15ED470607601274DF6ED71172614B67001901EB) played key roles in moving the stolen assets to Tornado Cash.


Figure 1: Flow of Stolen ETH to Tornado Cash

Source: ChainBounty Track (to be released)


Among them, we identified an interesting characteristic in the wallet used just before depositing the funds into Tornado Cash.

The wallet that sent 1,203.65 ETH received funds not only from the attacker's primary wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) but also from several other wallets.

Let's examine whether these wallets are also connected to the incident.


Figure 2: Source Flow of Relay Wallet to Tornado Cash

Source: ChainBounty Track (to be released)


The key factor here is timing. If there is a connection, the related wallet must have sent funds before the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) made its transaction.

In this context, the wallet at the top of the list, 0x9ec235ca191e6d434b7ef70730e7fb726bf50430, appears suspicious. Here's why:

According to UTC timestamps, the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) transferred funds to 0x15ED470607601274DF6ED71172614B67001901EB at the following times:

  • February 4, 16:21 UTC
  • The transfer occurred three times within 16 minutes, with a gap of approximately 16 minutes between transactions.

This timing pattern suggests that 0x9ec235ca191e6d434b7ef70730e7fb726bf50430 warrants closer examination.


Figure 3: Three Transactions from Attacker Address to Relay Wallet

Source: ChainBounty Track (to be released)


In the meantime, at 16:32, 0.0001 ETH was sent.

One might question its significance, but it’s worth examining the possible connection.



Figure 4: Single Transaction from Unknown Address to Attacker

Source: ChainBounty Track (to be released)


Actually, when an incident occurs, the wallets involved often receive these kinds of requests.



Figure 5: Donation Request from Community On-Chain

Source: Etherscan


However, an interesting aspect of 0x9ec235ca191e6d434b7ef70730e7fb726bf50430 is the transaction pattern.

  • At 16:21, the first 1 ETH was transferred.
  • At 16:30, an additional 100 ETH was sent.
  • At 16:32, a small amount of 0.0001 ETH was received.
  • Finally, the remaining 1,102.65 ETH was transferred.

The increasing amounts (1 → 100 → 1,102.65 ETH) with time gaps suggest a manual operation.

Now, the question arises—why was a small amount of ETH transferred in between these manual transactions? There’s no accompanying message as mentioned earlier, but the transaction (TX) details can be found below for reference.


Additionally, the gas settings appear to be standard (gas limit 21,000, gas used 21,000 (100%)), even for the transactions made just before entering Tornado Cash. Standard gas settings alone do not necessarily indicate a direct connection.


However, in most hacking incidents, funds are typically moved in a hurry, with gas fees set high enough to push the transactions through quickly. In this case, the process seems more deliberate and unhurried, which is worth noting.



Figure 6: Transaction Information from Unknown Address to Attacker

Source: Etherscan


Link: https://etherscan.io/tx/0x48e96238a04f4607ec8333c4633d82329708331e351d0dfa558a9503a5ee2781


Tracing Microtransactions: Uncovering Fund Fragmentation


Now, let's trace back the wallet that received the 0.0001 ETH.

Interestingly, there is a record of 0.0002 ETH being received from 0x14cb9b0d268556cc4c056801f88cfc2b1a19ce3d.

0.0002 → 0.0001? It seems like the funds are being fragmented, doesn’t it?

Typically, when such small transactions follow a pattern in terms of amount and timing, it suggests a deliberate intent behind the transfers.


Figure 7: Small Fund Distribution

Source: ChainBounty Track (to be released)


This is because both transactions occurred at the same time, 16:32 UTC:

0x14cb9b → 0x9ec235 (attacker)

0x9ec235 (attacker) → 0x15ED47 (Tornado Cash deposit address)

Why did this automated transaction occur right when the attacker was transferring funds to Tornado Cash? What was the intent behind it? This address itself is quite interesting. As you can see, it distributes small amounts of funds to multiple wallets.



Figure 8: Suspicious Wallet Distribution

Source: ChainBounty Track (to be released)


What Could This Address Be?


What exactly is its purpose? It appears similar to a gas fee supplier, but so far, no OSINT (Open-Source Intelligence) labels have been identified for it.


However, one thing is certain: after one hop, the small amounts of ETH end up in an exchange deposit address.

To investigate further, I will ask the AI to analyze which exchange these funds were deposited into between January 1, 2025, and February 5, 2025.

Figure 9: Suspicious Wallet Distribution – AI Investigation

Source: ChainBounty Track (to be released)


The AI explains how it is connected to such a wide variety of transactions. For example, it reveals that Upbit’s user account is linked to these transactions.

Figure 10: Suspicious Wallet Distribution – AI Investigation Findings

Source: ChainBounty Track (to be released)


However, there is still something curious—what exactly is the purpose? Upon closer inspection, the answer becomes clear. By analyzing Upbit’s deposit wallet, we can see that large sums are deposited first, followed by smaller amounts sent to addresses with similar prefixes. This is known as address poisoning, a technique where scammers deposit small amounts into specific addresses after a significant transaction.



Suspicious Transactions Identified During Analysis


The goal of this attack is to trick the wallet owner into mistakenly sending funds to a fake address instead of the intended recipient during a future transaction. Thus, the small amounts received from unidentified addresses confirm that this is part of an address poisoning attack. In this case, at 16:30, after 100 ETH was transferred, the attacker generated a lookalike address (0x9ec235ca191e6d434b7ef70730e7fb726bf50430) within two minutes of the original transaction and then sent a small amount of funds.
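The poisoning pattern described above (a dust transfer from an address that shares the leading and trailing characters of a genuine counterparty, arriving minutes after a large transfer) can be checked mechanically. The following detector is an added example written for this article, not the ChainBounty tool's code: the transfer list is constructed to mirror the reported 16:21 / 16:30 / 16:32 timeline, the DONOR address is made up, and the prefix/suffix thresholds and 30-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Addresses from the article; the transfers below are constructed to mirror the reported
# timeline and are not real chain data.
ATTACKER = "0x9E34d89C013Da3BF65fc02b59B6F27D710850430"
RELAY = "0x15ED470607601274DF6ED71172614B67001901EB"
LOOKALIKE = "0x9ec235ca191e6d434b7ef70730e7fb726bf50430"
DONOR = "0x" + "ab" * 20  # constructed: unrelated dust sender, e.g. a donation request

@dataclass
class Transfer:
    ts: datetime  # UTC block timestamp
    sender: str
    receiver: str
    value_eth: float

SAMPLE = [
    Transfer(datetime(2025, 2, 4, 16, 21), ATTACKER, RELAY, 1.0),
    Transfer(datetime(2025, 2, 4, 16, 30), ATTACKER, RELAY, 100.0),
    Transfer(datetime(2025, 2, 4, 16, 32), LOOKALIKE, RELAY, 0.0001),
    Transfer(datetime(2025, 2, 4, 16, 35), DONOR, RELAY, 0.0001),
    Transfer(datetime(2025, 2, 4, 16, 40), ATTACKER, RELAY, 1102.65),
]

def shared_affix(a, b):
    """Length of the common hex prefix and suffix of two addresses (case-insensitive)."""
    a, b = a.lower()[2:], b.lower()[2:]
    pre = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(a))
    suf = next((i for i, (x, y) in enumerate(zip(a[::-1], b[::-1])) if x != y), len(a))
    return pre, suf

def looks_alike(candidate, genuine, min_prefix=2, min_suffix=4):
    # Explorers abbreviate addresses to a few leading/trailing characters, so a poisoner
    # only needs those to match (0x9e...0430 here); the thresholds are assumptions.
    pre, suf = shared_affix(candidate, genuine)
    return candidate.lower() != genuine.lower() and pre >= min_prefix and suf >= min_suffix

def find_poisoning(transfers, wallet, dust_eth=0.001, window=timedelta(minutes=30)):
    """Flag dust sent to `wallet` by an address mimicking a recent genuine counterparty."""
    wallet = wallet.lower()
    alerts = []
    for i, t in enumerate(transfers):
        if t.receiver.lower() != wallet or t.value_eth > dust_eth:
            continue
        # Genuine counterparties the wallet dealt with inside the window before the dust.
        recent = {u.sender if u.receiver.lower() == wallet else u.receiver
                  for u in transfers[:i]
                  if t.ts - u.ts <= window and wallet in (u.sender.lower(), u.receiver.lower())}
        for genuine in sorted(recent):
            if looks_alike(t.sender, genuine):
                alerts.append((t.ts, t.sender, genuine))
    return alerts
```

Run against the sample, only the 16:32 dust from the lookalike is flagged, with the attacker's address as the counterparty it imitates; the unrelated donation-style dust is left alone.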


Unfortunately, the source of these funds could not be directly linked to the Ionic attacker. However, it has been observed that address poisoning attacks are also targeting stolen funds. A detailed analysis of the identified address poisoning attackers will be provided in a separate series.


Interestingly, most of these attacks are heavily targeting Korean exchange addresses. If attackers are monitoring large ETH movements, it raises the question of why Korean exchange wallets are the primary targets despite the existence of other major exchanges. This trend suggests a deliberate focus on Korean platforms, warranting further investigation.

Additionally, any further findings related to Ionic will be updated accordingly.


Figure 11: Exchange Usage from Arkham Intelligence (Period: 01/02/2025 – 02/01/2025)

Source: Arkham Intelligence
