[REP] - EXMO Addresses #48
Replies: 1 comment
In addition to the three addresses labeled here as EXMO, I believe that AKOTRD5FWFHN6RRBDZFXE5BKONI5P3ETWDES257V7FN3EEIQWDWB7HNNII should also be considered an EXMO address.

Firstly, the only sources of outflows for this address are two known EXMO addresses, UF3I and NC72, https://flow.algo.surf/address/AKOTRD5FWFHN6RRBDZFXE5BKONI5P3ETWDES257V7FN3EEIQWDWB7HNNII. UF3I was the initial funder of this address, https://allo.info/account/AKOTRD5FWFHN6RRBDZFXE5BKONI5P3ETWDES257V7FN3EEIQWDWB7HNNII/txns?sorting=ROUND_ASC, and it was the recipient of its last txn as AKOT emptied its funds. All of this implies a common owner between UF3I and AKOT.

Secondly, some of the deposit addresses which transfer to known EXMO addresses were also used to close to AKOT. These can be seen here: https://flow.algo.surf/address/26RP7IB6LRADOPZBE5QMGWWUYWKALQVXL3Z4WH74OUF4ETDLPUBQJN6OL4, https://flow.algo.surf/address/72TVJM3ATMFBO4NU6UGI6OCGH7XYU3QYRFUXV6OU536ZGSV6HFEZH3HHYI, https://flow.algo.surf/address/JYOZWD3EDGIODS4NUSTL6QVGX2V7Y64YJ53OAABLOLUI7GZWKCQ37MT2CY, https://flow.algo.surf/address/BVQVGMKJIVZ5LOTW7TXTX2QGXVJ2VSYHNQJWE3LBL6CEMAYY66VVTK74E4, https://flow.algo.surf/address/HQLZ7OSPHYP5FBIWZXKWLVKZFWCJXY5MPKDBQXZL4H5NUIF7WNGENZE2BU, https://flow.algo.surf/address/VET5IN5HLSMCMHTZU7WVVZVNVHV6NNFKDQA3GFS6U7IYEFLAKTR2ISFLPQ, https://flow.algo.surf/address/6JUB72TKIXL57VKI5K55EPQ2SKSDFSNXYGOAY64YPVEV3OXDH546SLGV6Y. All of these address flows seem to indicate that UF3I and AKOT are owned by the same entity.

Overall, the shared deposit addresses and the address flows indicate that AKOT and UF3I are owned by the same entity, namely the EXMO exchange.
What type of Algorand key?
Account (Wallet Address)
Key
3Z5XFNGHOV64UYN4OAZDFZ4ZJXUOXMUQNURYHZOQGR6NRE6FKYEIT5L34I
Details
I believe that 3Z5XFNGHOV64UYN4OAZDFZ4ZJXUOXMUQNURYHZOQGR6NRE6FKYEIT5L34I, UF3IEZZKTPCUHFNXW37AIT7T7Q6KNQC2LFDKL3VVO6OGL4USYAWHPCIZBQ, and NC72UHZZKTB2GNQMJHDNTRIRNQXLY2N6BE5DPRDM4PFKDNGSSYQSJH7KXU belong to the EXMO exchange.
Firstly, there is a txn labeled EXMO, https://allo.info/tx/LCTPYOUWJQYVWOXJWM5KJETPGZILGWW2BCBPZTNTACIBXNHGIGTA. The recipient of this txn closes to 3Z5X. This seems to indicate 3Z5X is EXMO, but it is only one note, so it should be taken with a grain of salt.
In addition to the txn note, the beginning of this account aligns with the EXMO listing announcement. The official EXMO announcement mentions that trading would begin on 4/7/20, https://exmo.com/blog/en/currencies/new-listing-on-exmo-algorand-algo. The 3Z5X address was funded on 4/6/20, and began significant txns on 4/7/20, https://allo.info/account/3Z5XFNGHOV64UYN4OAZDFZ4ZJXUOXMUQNURYHZOQGR6NRE6FKYEIT5L34I/txns?sorting=ROUND_ASC. This helps corroborate 3Z5X as an EXMO address.
However, 3Z5X is no longer active. It transferred its contents on 12/21/20 and has been inactive since, https://allo.info/account/3Z5XFNGHOV64UYN4OAZDFZ4ZJXUOXMUQNURYHZOQGR6NRE6FKYEIT5L34I/txns. This date corresponds to when EXMO was hacked, https://www.coindesk.com/markets/2020/12/21/crypto-exchange-exmo-says-hackers-have-stolen-5-of-total-assets/. It is typical for an exchange to lock down funds during a hack, and this acts as another link, based on account history, tying 3Z5X to EXMO.
The 3Z5X address emptied its contents into UF3IEZZKTPCUHFNXW37AIT7T7Q6KNQC2LFDKL3VVO6OGL4USYAWHPCIZBQ on 12/21/20, https://allo.info/account/3Z5XFNGHOV64UYN4OAZDFZ4ZJXUOXMUQNURYHZOQGR6NRE6FKYEIT5L34I/txns. That UF3I address was funded that same day, receiving the majority of its initial inflows from 3Z5X, https://allo.info/account/UF3IEZZKTPCUHFNXW37AIT7T7Q6KNQC2LFDKL3VVO6OGL4USYAWHPCIZBQ/txns?sorting=ROUND_ASC. Now, the UF3I address has many inflow addresses and primarily has outflows to NC72, https://flow.algo.surf/address/UF3IEZZKTPCUHFNXW37AIT7T7Q6KNQC2LFDKL3VVO6OGL4USYAWHPCIZBQ. And the NC72 address primarily has inflows from https://flow.algo.surf/address/NC72UHZZKTB2GNQMJHDNTRIRNQXLY2N6BE5DPRDM4PFKDNGSSYQSJH7KXU. This seems to indicate that currently, UF3I and NC72 are acting as the exchange addresses for EXMO, where UF3I aggregates deposits and NC72 handles withdrawals.
Overall, the txn note and the alignment with EXMO's ALGO listing and EXMO's hack are strong links tying 3Z5X to EXMO. The following activity, which traces funds to UF3I and NC72, and the two addresses behaving similarly to deposit and withdrawal addresses indicate that they are very likely the current addresses for the EXMO exchange.
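The reply's case for AKOT rests on three flow signals: a known address was the initial funder, the final sweep went back to a known address, and deposit addresses that pay known addresses also close out to the candidate. The sketch below is an added example, not part of either post; it checks those signals over a simplified payment record whose shape (`Txn`), the placeholder address names and the sample data are all constructed assumptions, not an indexer schema or real chain data.

```python
from collections import namedtuple

# Simplified payment record (hypothetical shape). close_to is the
# close-remainder-to target of the payment, or None if the account stays open.
Txn = namedtuple("Txn", "round sender receiver close_to")

def link_evidence(candidate, known, txns):
    """Collect the three flow signals tying `candidate` to the `known` addresses."""
    txns = sorted(txns, key=lambda t: t.round)
    inflows = [t for t in txns
               if candidate in (t.receiver, t.close_to) and t.sender != candidate]
    outflows = [t for t in txns if t.sender == candidate]
    # Deposit-style addresses: paid a known address AND closed out to the candidate.
    paid_known = {t.sender for t in txns if t.receiver in known}
    closed_to_candidate = {t.sender for t in txns if t.close_to == candidate}
    shared = (paid_known & closed_to_candidate) - set(known) - {candidate}
    last_dest = (outflows[-1].close_to or outflows[-1].receiver) if outflows else None
    return {
        "funded_by_known": bool(inflows) and inflows[0].sender in known,
        "swept_to_known": last_dest in known,
        "shared_deposit_addresses": sorted(shared),
    }

# Constructed sample data; placeholder names stand in for real addresses.
KNOWN = {"KNOWN_HOT", "KNOWN_COLD"}
SAMPLE = [
    Txn(100, "KNOWN_HOT", "CANDIDATE", None),          # initial funding
    Txn(110, "DEPOSIT_1", "KNOWN_HOT", None),          # deposit forwarded to known
    Txn(120, "DEPOSIT_1", "CANDIDATE", "CANDIDATE"),   # same deposit closes to candidate
    Txn(130, "DEPOSIT_2", "KNOWN_COLD", None),
    Txn(140, "DEPOSIT_2", "CANDIDATE", "CANDIDATE"),
    Txn(150, "UNRELATED", "CANDIDATE", None),          # noise: third-party payment
    Txn(200, "CANDIDATE", "KNOWN_HOT", "KNOWN_HOT"),   # final sweep back to known
]

if __name__ == "__main__":
    for addr in ("CANDIDATE", "UNRELATED"):
        print(addr, link_evidence(addr, KNOWN, SAMPLE))
```

Each signal is circumstantial on its own; reporting them separately keeps it visible which ones a given label actually rests on.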