[REP] - BingX Addresses #27
Replies: 1 comment
-
In addition to the two addresses listed here, I would like to add three more addresses as belonging to BingX. These addresses, VLB2Q6JSJKRUPCVREDQCYUNX7ZI3NRLFNFH5JMILWZ5OVGZAGAIK4M4ZOI, 5NRU5N7XJM3V2KK3ENCWO5IG7VYA25UBWYJVNOX2EWSSDIOSGZ6QBMAAQ4, and TYAFMZB7F2PITLEM5HYIGGDGD75RP4SBWVF6QRFQVMA53SI2BLELZIV5VI, can also be linked to BingX.

Firstly, there are deposit addresses which close to RRPH which also close to these addresses. Some examples can be seen here:

- https://flow.algo.surf/address/GH6A3BWMTKW4M2JN24RJQXABTLJW6ZYRU45FSWDIYF3TMPJFTG2ODNWFPQ
- https://flow.algo.surf/address/V2WUAGK6R7LV43KUP3AF3FXG2JVWMGCIPLYW34OQY2ZGGHVBBVHIRFERRI
- https://flow.algo.surf/address/22AUYSOQBYY3WJACJGXC7RENKRQ6CEI4NNKS3C7OVVKFNFROLAHCZRMSRI
- https://flow.algo.surf/address/P54W6P67KOJTPM43OSHITOU7SSLFW545CRCIJVMKAXUPFRUYKV2NFJ37FE
- https://flow.algo.surf/address/NYI5CFW3ECBAJF4STECA4ZRJ52GJYDGQ53LKYWO2QUL4VMO7XJMI35CAKQ
- https://flow.algo.surf/address/DTXO5NAHY2MG2NEVSFYTIHSO7BWLW4KNARFTFHU7QWPR2EXGFLHEV2MR24
- https://flow.algo.surf/address/YYONKHZ6ZQWENHIF7PYIDMDJLACCOBFWO3YNH6DQ3YGH6PQMIZYNIPVOFE
- https://flow.algo.surf/address/JSYK6BWJ2WHVTE7ML2M3GUYYM6O6LHBE62G46NNKHVK4SMD2VDMJDOVWEQ
- https://flow.algo.surf/address/N6YLINM4XRU6SYQRC6C7LFXI2OGBS3HTZ3H774MH7MAGXFMJVINRB5AYMU
- https://flow.algo.surf/address/LAMGPP64QE6ZIQKDW7BG63TNGPIDBBUTOIPGAKJTBSKJPUQJZJR5UKWNB4

Deposit addresses are only supposed to close to addresses owned by the same entity, so all of these addresses help indicate that RRPH is the same entity as TYAF, 5NRU, and VLB2.

In addition to the common deposit addresses, some of these addresses also had txn notes indicating that BingX is the owner. For the 5NRU address, there is a txn with the label "binx" which is very likely a typo of bingx, https://allo.info/tx/LLXL2NQQBLESFQHQYVL6TVQQTJ2AA4MYWDTCK5EWOM76RSB2WINQ. For the TYAF address, there are many txn notes which label it as a BingX address. Some examples can be seen here, https://allo.info/tx/US5DLN6HZIA5FM6JCO5JPKFL37MNDQHBSPYCQCHGZSDD4NB7X62Q, https://allo.info/tx/RWBF57CXCZYGW2KCRSBJPDMYJ6KHZ5TBWXCDPWD55PV2C44C4LFA, and https://allo.info/tx/Z4QFKOR2EGDJJEHLSJ6L6KSE65MNJRZIAJB6SRZKFVMXE2JGYAFQ. Each of the recipients transfers to TYAF shortly after receiving, indicating that TYAF should be considered the object of the labels, and that TYAF is also a BingX address.

Overall, the common deposit addresses used to deposit to all of these addresses indicate that these addresses should be identified as owned by a single entity. RRPH had already been identified with BingX, and now, both 5NRU and TYAF have txn notes which also label them as BingX addresses. Thus, it seems reasonable to identify these three additional addresses as BingX. Also, it should be noted that BingX seems to rotate their addresses roughly annually, so additional addresses should be identified periodically.
-
What type of Algorand key?
Account (Wallet Address)
Key
RRPHQTWHANKSKT3LMJHEJBRVLQ43PIRYYI3TON6O6WFOR5O6C65C3N43UQ
Details
I believe that RRPHQTWHANKSKT3LMJHEJBRVLQ43PIRYYI3TON6O6WFOR5O6C65C3N43UQ and 3FRCCRN37PJKJLDYIJZFA2L57VJHLYY22KXHJFE77H254TFFQFGVQVQMTQ are addresses belonging to BingX exchange.
Firstly, the exchange recently encountered a security vulnerability on 9/20/24, https://cointelegraph.com/news/bingx-minor-loss-hack-climbs. As you can see, the RRPH address stopped processing inflows and outflows on 9/20, https://allo.info/account/RRPHQTWHANKSKT3LMJHEJBRVLQ43PIRYYI3TON6O6WFOR5O6C65C3N43UQ/txns. It also transferred over a million Algo to 3FRC, over a couple of txns (https://allo.info/tx/GNHX22ZQZOKZHTIFALS545ATT7WY56VUVYTIDATJWR7F44Z26BPA, https://allo.info/tx/PUHV2GM4M2QI3BDMCBG223ZJLJMZ4A5URFQKHQ7JWQXTMD6H3SYA, etc.). The 3FRC account has received inflows only from RRPH, https://flow.algo.surf/address/3FRCCRN37PJKJLDYIJZFA2L57VJHLYY22KXHJFE77H254TFFQFGVQVQMTQ. It has done so consistently going back to its first txn on 10/24/23, https://allo.info/account/3FRCCRN37PJKJLDYIJZFA2L57VJHLYY22KXHJFE77H254TFFQFGVQVQMTQ/txns?sorting=ROUND_ASC. RRPH was even its first inflow. Since there are consistent inflows, dating from before the security incident, it should be understood that 3FRC is a related address, not a new hacker-controlled address.
Secondly, there are multiple txn notes indicating RRPH to be a BingX address. Some examples are listed here: https://allo.info/tx/QSVR725ZWXVFQ76BLC6NHIPQZECRS2UAURLH5T3NU6PGCTQYWPDQ, https://allo.info/tx/AFNZF6CIOPGRPG6DMW2G62JKKOOWQLL5BB6OD4J4JVKGTLUS7UZQ, https://allo.info/tx/MHXL4U472U2PY5WNP7C2ALMQCMYYOORTBMQSVQZSUFIDKTRTVVOQ. Each of these deposit addresses closes to RRPH. This suggests that RRPH is a BingX address.
Fuller list of txn notes:
RRPH_deposit_Bingx_notes.csv
Overall, between the transaction notes indicating a BingX destination, and the transaction history indicating a deposit/withdrawal lockdown aligned with the known security incident on BingX, it is reasonable to conclude that RRPH and 3FRC are accounts related to BingX.
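The shared-deposit-address reasoning used in both posts above (deposit addresses that close to more than one destination link those destinations to one owner) can be written as a small clustering routine. This is an added example, not code from the thread or from the project: the records, the `DEP_*`/`HOT_*`/`OTHER_X` names and the `ExampleExchange` label are constructed, and the `min_shared` threshold is an assumption added here to keep a single coincidental overlap from merging two entities.

```python
from collections import defaultdict
from itertools import combinations

# Constructed records, not chain data: "sender" closed its balance to "close_to".
SAMPLE_TXNS = [
    {"sender": "DEP_1", "close_to": "HOT_A"}, {"sender": "DEP_1", "close_to": "HOT_B"},
    {"sender": "DEP_2", "close_to": "HOT_A"}, {"sender": "DEP_2", "close_to": "HOT_B"},
    {"sender": "DEP_3", "close_to": "HOT_B"}, {"sender": "DEP_3", "close_to": "HOT_C"},
    {"sender": "DEP_4", "close_to": "HOT_C"}, {"sender": "DEP_4", "close_to": "HOT_B"},
    {"sender": "DEP_5", "close_to": "HOT_A"}, {"sender": "DEP_5", "close_to": "OTHER_X"},
    {"sender": "DEP_6", "close_to": None},
]
KNOWN_LABELS = {"HOT_A": "ExampleExchange"}  # constructed seed label

def cluster_by_shared_closers(txns, min_shared=2):
    """Group close-to destinations sharing at least min_shared deposit addresses."""
    dests_by_sender = defaultdict(set)
    for t in txns:
        if t.get("close_to"):  # plain payments carry no close-to and are skipped
            dests_by_sender[t["sender"]].add(t["close_to"])
    shared = defaultdict(set)  # (dest_a, dest_b) -> senders that closed to both
    for sender, dests in dests_by_sender.items():
        for pair in combinations(sorted(dests), 2):
            shared[pair].add(sender)
    parent = {d: d for dests in dests_by_sender.values() for d in dests}
    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for (a, b), senders in shared.items():
        if len(senders) >= min_shared:
            parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted(sorted(c) for c in clusters.values())

def propose_labels(clusters, known):
    """Carry a seed label to unlabeled members of its cluster."""
    proposals = {}
    for cluster in clusters:
        labels = {known[a] for a in cluster if a in known}
        if len(labels) == 1:  # skip clusters with no label or conflicting labels
            label = labels.pop()
            proposals.update({a: label for a in cluster if a not in known})
    return proposals

if __name__ == "__main__":
    found = cluster_by_shared_closers(SAMPLE_TXNS)
    print(found, propose_labels(found, KNOWN_LABELS))
```

Proposals from this kind of clustering are leads to confirm against independent evidence such as the transaction notes cited in the posts.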