The Shadow Brokers Cryptocurrency Conversion
Thanks
I have received assistance for the information below from a third party who does not wish to be publicly identified. We have noticed that amounts substantially corresponding to withdrawals from The Shadow Brokers’ BTC wallet have been withdrawn from a Zcash wallet through the ShapeShift exchange. The retrieval intervals are coherent as well. This input allowed to access the raw transactions.
ShapeShift.io Cryptocurrencies Exchange History
ShapeShift is a cryptocurrency exchange headquartered in the city of Zug, in Switzerland. It lists more than 60 cryptocurrencies and allows to convert them at competitive rates. No registration is required to do so.
On 2017-08-03, ShapeShift and Changelly (another cryptocurrency exchange) were used for converting cryptocurrencies associated with the WannaCry malware. ShapeShift issued a statement:
Source: https://www.cyberscoop.com/wannacry-monero-bitcoin/
BTC Conversion (STEP 1)
The BTCs were transferred by successive divisions to land in BTC wallkets identified as belonging to an exchange named ShapeShift:
ZEC Convert (STEP 2)
These collectors wallets then redirected the BTCs into the ShapeShift exchange. We were able to trace these transactions to one of ShapeShift’s ZEC wallet and saw some very interesting outputs transactions taking place in the same time frame:.
ShapeShift’ ZEC account: t1dMofJF2chVUa92okz4empBKhngRTjcck2 Link: https://explorer.zcha.in/accounts/t1dMofJF2chVUa92okz4empBKhngRTjcck2
| Transaction ID | Amount | DATE / TIME (CEST) | Block ID |
|---|---|---|---|
| 2161ed19dd1836f8eee3b7096f6eb0c0f5feff3cc6ef878cf3ac4e3e8aff7d14 | 13.12034779 ZEC | 2017-05-29 06:37:20 | 122361 |
| 3b6ec629340ceca9c8b7f22a134c2093ed9a44f40995a55c9b9f933a0f016647 | 13.11997417 ZEC | 2017-05-29 07:09:11 | 122375 |
| 143930e29bb47cd0c667f53b86255c401c8e8137e61a7c7aa27f00b9c585d86a | 13.09395776 ZEC | 2017-05-29 07:37:50 | 122383 |
| 12c35797a201eb1b572215e7d2d3f633d29487baab8d7e91d56d537cf1290441 | 12.9237798 ZEC | 2017-05-29 23:28:09 | 122764 |
| ec174766cdb522fb4a997786cdf1421dbf63f79661881e4802a583ec26ac56e3 | 12.2450923 ZEC | 2017-05-30 00:21:09 | 122784 |
| 2462f039a62d927de6e3e2244533528d1ba14c067c8e1acf4c4018f256a4a003 | 12.09906129 ZEC | 2017-05-30 00:52:33 | 122794 |
| 0817c1b40f56158e8abdbf4b4cfc3c3829144cf1898b9a7b1fdc58b4a23f7ae1 | 12.36935019 ZEC | 2017-05-30 01:33:41 | 122817 |
| fab257bf1dca30de950309149e05202e8e152395d562802d893b908b3a697a1a | 12.34939723 ZEC | 2017-05-30 02:26:37 | 122839 |
| 0d71c2b3aa236b55453f738238cc704849e24e70a046f5719e0f3901ef328238 | 11.73643239 ZEC | 2017-05-30 02:49:59 | 122849 |
We were able to access to the raw transactions which are available in raw format in Archive. With these information, we were able to discover 6 new ZEC privvate wallets:
- zc9rwvf2egFuPeKeZVEsuytxtg9tLpmwuaDc6uCGeBmicj3Q9oYh9WihfETsaMsVUYVUaELyZ8VZHcqJE4UCxaWKJz5nNtY
- zc9VeAqxkwPnSLPuGaW3s4iNSt62LMuY928nEXLt19Up2asQypDCTB4TvoxmHPznDxAUKmjNKnWVkFEVhEDFbZ21DVVyLdY
- zcDnVEDiZtE9xwzvAR3ZfGUk4QiZxBiMk9y5Z9dfXiopLfkEHEU4s7pJNJRzEBaqYuJMTJ9ZyJcfr8pv2qfjh4XV2tQqbbv
- zcELapVFzN4JSaE1RVqbAEUadPkodg3Hgh2du17HxjvqJRm7VXyYgL9R1Lw8e4Cpdn4KFYHnRiKYj5WLqZ8VKR9XK1kj2Hy
- zcG7mKeNJa9yCtNi3gVgx8MBsFm8DnKmfu5SrGrYQNDA4bQ8F2L8b3sfPU5q5gT4MS8HQARKSRmUbfLrAUJPLWJDSv9gNvm
- zcH3ob35xEESa64mvzcj2m2Ti3emdue3uvmBDmC2DR8SaVCRjXtsn2UWDfanrPkVUnS9Dma6kVwVN9YvHBRGdZheCx6taSA
Links:
https://explorer.zcha.in/transactions/2161ed19dd1836f8eee3b7096f6eb0c0f5feff3cc6ef878cf3ac4e3e8aff7d14 https://explorer.zcha.in/transactions/3b6ec629340ceca9c8b7f22a134c2093ed9a44f40995a55c9b9f933a0f016647 https://explorer.zcha.in/transactions/143930e29bb47cd0c667f53b86255c401c8e8137e61a7c7aa27f00b9c585d86a https://explorer.zcha.in/transactions/12c35797a201eb1b572215e7d2d3f633d29487baab8d7e91d56d537cf1290441 https://explorer.zcha.in/transactions/ec174766cdb522fb4a997786cdf1421dbf63f79661881e4802a583ec26ac56e3 https://explorer.zcha.in/transactions/2462f039a62d927de6e3e2244533528d1ba14c067c8e1acf4c4018f256a4a003 https://explorer.zcha.in/transactions/0817c1b40f56158e8abdbf4b4cfc3c3829144cf1898b9a7b1fdc58b4a23f7ae1 https://explorer.zcha.in/transactions/fab257bf1dca30de950309149e05202e8e152395d562802d893b908b3a697a1a https://explorer.zcha.in/transactions/0d71c2b3aa236b55453f738238cc704849e24e70a046f5719e0f3901ef328238
Results (STEP 3)
As of 2017-05-30, this cryptocurrency was being exchanged, based on the rate used by the ShapeShift exchange, at ~$2,243 / 1 BTC.
In May 2017, during these operations, the ZEC had, on the ShapeShift exchange, a value of ~$181 / 1 ZEC. That is, if we add all the transactions above, an amount of ~113,05739292 ZEC or using the transfer rate mentioned above ~$20,576.44551144.
This represents an exchange rate and expense loss for The Shadow Brokers of $2,685.
(23,261.70323364 - 20,576.44551144) = $2,685.2577222
In summary, The Shadow Brokers’ cash out graph would therefore be:
