Address belonging to exchange or just personal wallet

Hello guys,
Can you please tell me if this address belongs to an exchange or is just a personal wallet?
(Unfortunately, someone I know took my seed and transferred my coins to their own wallet or exchange account, and I am trying to understand which of two persons it is.) Does anyone know how to identify if it's an exchange? Then at least I can reach out to the exchange.

addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq

addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq

addr1q8r0jxfe599kjqtu9tfjwth7afww9puy99gnp6ep99ah7z0y2fyhlhuy56tyd07tu8xdja74ckfry9meuqcv2cre3krqj5pjuw

Thanks for your help guys.

1 Like

Thanks for your message @Flynn83. I'll also check Telegram. I am trying to understand if it's an exchange or just a wallet. In case it's an exchange, I can file against it and give the details of the transaction etc. to the exchange. Otherwise, I want to know how to track whether the coins have been converted to USDT or any other coin. If someone has some info, or even some YouTube video to understand the tracking of transactions and addresses for ADA/Cardano. The more I can track, the better to launch a legal investigation. Thanks everyone.

1 Like

Please ignore the message above. This was a scam attempt.

3 Likes

This address addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq is your address, isn’t it?

It does look like a personal wallet. It belongs to the stake stake1u896cg3uc9ztk0lvnn90r20kqefsfgl546n926whv9euhpc5gn089, which was created in June 2021, was inactive since November 2022, and only briefly active again at the end of March and beginning of April this year for exactly three transactions:

  1. 2024-03-27 18:10:56 ee5808997a11074f498e2c9c826ed984115774822511f12d285f5aeee1783b50: Withdraw rewards and deregister stake key to get 2 ADA deposit back.
  2. 2024-03-27 18:19:35 33d2a05619a3df5de6bf2b33c86049638f8177fe91826550eda7c64c25a11fad: Send 3 300 ADA to addr1q8r0jxfe599kjqtu9tfjwth7afww9puy99gnp6ep99ah7z0y2fyhlhuy56tyd07tu8xdja74ckfry9meuqcv2cre3krqj5pjuw.
  3. 2024-04-01 06:53:33 a44177f5241458db4ed992435d46ceffaae799843590ea173215ac3cf40861c2: Send 42 346 ADA to addr1qxezh74z284xnfn8d57f4dje455gv5gyttnju0vlrhnx2qceaqyaxtzfmv36mmzsztlf5pq0xxj2789k3qeq369geypsjru8v6, leaving only some tokens and 3.68 ADA in the stake.

What is interesting is that it looks like 1 and 2 were done with a different wallet app than 3.
1 and 2 put their change on the same already used address addr1…tnkmdq. It’s pretty surely a wallet app operating in single address mode as all modern ones do.
3 puts its change on a new previously unused address addr1…686k03. That’s the usual behaviour of wallet apps in multi-address mode – Daedalus, Yoroi, … (Eternl and Typhon can be set to behave like that, but it’s not the default. I think Ledger Live also does it.)

So, did you already notice something was going on on 1st April and secured the remaining 42 kADA yourself? And this is “only” about the 3.3 kADA sent on 27th March? But why then wait so long until asking?

That’s the address addr1q8r0jxfe599kjqtu9tfjwth7afww9puy99gnp6ep99ah7z0y2fyhlhuy56tyd07tu8xdja74ckfry9meuqcv2cre3krqj5pjuw that the 3.3 kADA above went to. Only two transactions, one in, one out, no other addresses on the same stake. Could be anything, but likely just an intermediate account/wallet to (not really professionally) make it harder to track?

3 299 ADA went further to addr1q9ckg7pgp4ck9uh34tyz0nrc693qxg2y065zaw5ej0q0qrgeaqyaxtzfmv36mmzsztlf5pq0xxj2789k3qeq369geypszxy89y, which belongs to the stake stake1uyv7szwn93yakgada3gp9l56qs8nrf90rjmgsvsgaz5vjqcekgprc.

This is interesting: The address where the other 42 kADA went above also belongs to this stake/wallet. So, either my theory above is wrong and this is the wallet of your attacker (definitely also looks like a personal wallet, very few transactions, only active for those few days from 27th March until 1st April) or it is another one of your wallets and … there was no attack, just something you did, but forgot?

Anyway, now all of your ADA were on this stake.

There is a strange intermezzo where it sent 500 ADA to DdzFFzCqrhsx5arY9Mx3dhC6D22s9bWH4hRf48LHV38N3nKfWYchHop8cbKdpjbutQ7eyXJ9nRZAZm7Mrhetb4saLEX9DokPhsY6V6NY, just to receive 499 ADA back from DdzFFzCqrht1UoGSm1Xznt4cTbiR2P1EwXsUjxNQy49ydVscRBay8zKGwMwd8fwVsNiL8wTRQPMUq2GwZo1fggiWKarMa5B5iot1HQUN not even half an hour later on 31st March (before the 42 kADA arrived).

I honestly can’t tell if that is an exchange. They do often use the old Byron Ddz… addresses as deposit addresses. But then, it would immediately be moved further to one of the huge main addresses of the exchange (typically not a Byron address anymore) with lots of back and forth transactions. This doesn’t happen here. It is mixed with a lot of other Ddz… addresses further and further. It could be an exchange still operating completely with Byron addresses. But I couldn’t tell which it is. Never seen that.

Finally, still on 1st April, this stake was emptied completely:

Unfortunately, it’s not really easy to identify which exchange something went to. To this day, I haven’t found a definitive list of known exchange wallets.

So, assuming this was an attacker, they played around a lot on the way. First starting with 3.3 kADA just to come back four days later to get the rest, using an intermediate address for the first, but not caring anymore for the second and just transferring it directly, using different wallet apps and filtering part of it through deals with AGIX, but cashing out part of it just directly.

Don’t know if anything of this helps at all. After all, it was also seven months ago.

4 Likes
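Added example, not part of any post in this thread: the analysis above ties addresses to the stake they belong to, and because a Shelley base address carries its 28-byte stake credential in the second half of its payload, that grouping can be checked offline by decoding the bech32 strings. The function and variable names are this example's own; only mainnet `addr1`/`stake1` strings are handled, and Byron `Ddz…` addresses, which carry no stake credential, come back as `None`.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)

def _polymod(values):                      # bech32 checksum (BIP-173)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def bech32_decode(addr):
    """Return (hrp, payload bytes); raise ValueError on bad characters or checksum."""
    hrp, _, data = addr.lower().rpartition("1")
    vals = [CHARSET.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if len(vals) < 6 or _polymod(expanded + vals) != 1:
        raise ValueError("invalid bech32 string: " + addr)
    bits = "".join(f"{v:05b}" for v in vals[:-6])   # drop the 6 checksum symbols
    return hrp, bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))

def stake_credential(addr):
    """Hex of the 28-byte stake credential, or None if the address carries none."""
    if not addr.startswith(("addr1", "stake1")):
        return None                         # e.g. Byron "Ddz..." (base58) addresses
    _, raw = bech32_decode(addr)
    kind = raw[0] >> 4                      # high nibble of the header = address type
    if kind <= 3 and len(raw) == 57:        # base address: header + payment + stake
        return raw[29:].hex()
    if kind in (14, 15) and len(raw) == 29: # reward ("stake1...") address
        return raw[1:].hex()
    return None                             # enterprise or pointer address

def group_by_stake(addrs):
    groups = {}                             # stake credential -> addresses, in order
    for a in addrs:
        groups.setdefault(stake_credential(a), []).append(a)
    return groups

# Mainnet addresses quoted in the thread; the variable names are this example's own.
SRC = "addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq"
HOP = "addr1q8r0jxfe599kjqtu9tfjwth7afww9puy99gnp6ep99ah7z0y2fyhlhuy56tyd07tu8xdja74ckfry9meuqcv2cre3krqj5pjuw"
DEST_A = "addr1qxezh74z284xnfn8d57f4dje455gv5gyttnju0vlrhnx2qceaqyaxtzfmv36mmzsztlf5pq0xxj2789k3qeq369geypsjru8v6"
DEST_B = "addr1q9ckg7pgp4ck9uh34tyz0nrc693qxg2y065zaw5ej0q0qrgeaqyaxtzfmv36mmzsztlf5pq0xxj2789k3qeq369geypszxy89y"
STAKE_DEST = "stake1uyv7szwn93yakgada3gp9l56qs8nrf90rjmgsvsgaz5vjqcekgprc"
if __name__ == "__main__":
    for cred, members in group_by_stake([SRC, HOP, DEST_A, DEST_B]).items():
        print(cred, [m[-6:] for m in members])
```

Two addresses that land in the same group are controlled by the same stake key, which is the basis for the observation that both outgoing transfers ended up in one wallet.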

Thank you very much for your analysis.

In fact, I moved my coins from the exchange to staking in June 2021, let them be there, and I probably checked in November 2022 to see how it was going. It was a long-term investment.

On 26 March 2024, I had to reinstall my Daedalus wallet on my new computer and use my seed phrase, which I had on a paper. (The same day a friend/colleague, who is also in crypto, came by and had a coffee/snacks at my place. So he is the only one who was able to take a picture of my seed etc. He came when I finished installing.)
I forgot I had my paper on my table next to my computer. I went to the kitchen a few times to get things to eat and drink for him, so he had several occasions. I have known this person for many years, and never expected that he would do such a thing. I knew he had some work issues at some point etc., but I have always helped him and other people when I can.

Note: He is often using a wallet app, so it also matches your comment on the wallet app.

Here is what happened, to clarify:

(The day after he came to my place) The 27th March 2024: He probably tested the seed phrase, and he tested with 3k ADA, and he also knew that I'm very busy and not often on the PC, as I'm taking care of my mum because she is handicapped, and then I had to travel for something urgent the 30th April, so from the 1st April I wouldn't be online so much for a few weeks with my mum. So he chose the perfect time to do the big transfer of 42k ADA on the 1st April 2024, in the middle of our travel.

I didn't go on my wallet because it was a long-term investment, and I had no need to check, as everything was secured in my mind. (50% of my time I have to help my mum because she can't move, and I also work.)

Unfortunately, he looked around when I went to the kitchen and took a picture of my seed next to my computer.

So overall, do you know how much he cashed out? Is it only part of the 3k ADA, and he kept the 42k in his wallet?

Which one of the transactions potentially went through an exchange?

Here are all the details, so it will be clearer to connect the dots.

Amount: 42346,265777

Amount: 3300,174697

-Transaction ID(s) for the transaction(s) in question:

a44177f5241458db4ed992435d46ceffaae799843590ea173215ac3cf40861c2

33d2a05619a3df5de6bf2b33c86049638f8177fe91826550eda7c64c25a11fad

-Input address (source address)

addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq

addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq

-Receiving address

For the following transaction : 33d2a05619a3df5de6bf2b33c86049638f8177fe91826550eda7c64c25a11fad

addr1q8r0jxfe599kjqtu9tfjwth7afww9puy99gnp6ep99ah7z0y2fyhlhuy56tyd07tu8xdja74ckfry9meuqcv2cre3krqj5pjuw

addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq

addr1q9x3v5r7twtkkv0t6gsgjlw3eqjfxnz2a2xxl4ec49w5ljkt4s3res2yhvl7e8x27x5lvpjnqj3lft4x245awctnewrstnkmdq

For the following transaction : a44177f5241458db4ed992435d46ceffaae799843590ea173215ac3cf40861c2

Thanks again for your analysis, much appreciated.

1 Like

As far as I can see, everything was cashed out in the end.

Yep, those two:

You know that the blue ones are links that you can click on to see the details?

I’d say these go potentially to exchanges:

2 Likes

Thanks a lot for your help.

Yes, I know that I can click, but I'm not an expert on how addresses work. I have basic knowledge of input, output etc. (sending, receiving).

So if I understood well, part of the coins have been sold to cash out, potentially in fiat or USDT/USDC or whatever coin or currency, via an exchange.
Other coins (potentially) have been split across several exchanges (5000 ADA, 9000 ADA, 7000 ADA, 9000 ADA, 7844 ADA), probably to make it more difficult to track back to one single exchange.

I guess if I share those links below with the major exchanges, they will be able to confirm if they hold my coins? (As I can prove the initial ownership etc.)

Is there a way to send you a private message? I didn't find the option on the forum.

1 Like