Through on-chain behavior analysis, the SlowMist ("Slow Fog") security team was able to establish that the attacker first created and activated the first "attacker account" (rN5Gm1FijbTVeYFfpTRfGKfNZQY7hc9TbN) through CoinPayments at 05/29/2019 12:14 UTC. At 05/30/2019 12:23 UTC, the attacker attacked the first GateHub account (taking control of that account's relevant permissions) and used the attacked account to create and activate the second "attacker account" (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k). The second "attacker account" in turn created and activated the third "attacker account" (rpBDxqWArAQTEfPeWwkUvBh1cbc885nirX). The attacker then attacked at least 103 GateHub accounts, with the last attack at 06/01/2019 18:40 UTC, and completed the money laundering through these three "attacker accounts". The SlowMist team speculated that the attacker controlled at least some of the account API permissions in the GateHub database, but that user private keys are secure. The attack lasted more than three days before it was blocked. Users of the platform should immediately transfer assets and update account-related permissions.
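The activation chain described above can be reconstructed from payment records, because an XRP Ledger account is activated by the first payment that funds it. The sketch below is an added example, not SlowMist's tooling: the payment rows are constructed sample data, and every `*_PLACEHOLDER` name and the 13:05, 14:40, 09:10 and 19:30 timestamps are hypothetical.

```python
from datetime import datetime

A1 = "rN5Gm1FijbTVeYFfpTRfGKfNZQY7hc9TbN"  # attacker accounts named in the report
A2 = "r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k"
A3 = "rpBDxqWArAQTEfPeWwkUvBh1cbc885nirX"
ATTACKERS = {A1, A2, A3}
SERVICES = {"COINPAYMENTS_PLACEHOLDER"}  # known service wallets are not victims

def t(s):
    return datetime.strptime(s, "%m/%d/%Y %H:%M")

# Constructed sample payments: (UTC time, sender, destination).
PAYMENTS = [
    (t("05/29/2019 12:14"), "COINPAYMENTS_PLACEHOLDER", A1),
    (t("05/30/2019 12:23"), "VICTIM_PLACEHOLDER_001", A2),
    (t("05/30/2019 13:05"), A2, A3),
    (t("05/30/2019 14:40"), "VICTIM_PLACEHOLDER_001", A2),
    (t("05/31/2019 09:10"), "VICTIM_PLACEHOLDER_002", A1),
    (t("06/01/2019 18:40"), "VICTIM_PLACEHOLDER_003", A3),
    (t("06/01/2019 19:30"), A3, "CASHOUT_PLACEHOLDER"),
]

def activation_parents(payments):
    """Map each account to the sender of the earliest payment it received."""
    parents = {}
    for _, src, dst in sorted(payments):
        parents.setdefault(dst, src)
    return parents

def activation_path(account, parents):
    """Follow activators upward until the sample has no earlier funder."""
    path, seen = [account], {account}
    while parents.get(path[-1]) and parents[path[-1]] not in seen:
        path.append(parents[path[-1]])
        seen.add(path[-1])
    return path

def victim_summary(payments, attackers, services):
    """Outside senders into the attacker cluster, with first/last transfer."""
    hits = [(ts, src) for ts, src, dst in payments
            if dst in attackers and src not in attackers | services]
    if not hits:
        return None
    times = [ts for ts, _ in hits]
    return {"victims": sorted({s for _, s in hits}),
            "first": min(times), "last": max(times)}

if __name__ == "__main__":
    parents = activation_parents(PAYMENTS)
    for acct in (A1, A2, A3):
        print(" <- ".join(activation_path(acct, parents)))
    print(victim_summary(PAYMENTS, ATTACKERS, SERVICES))
```

On real data the same functions take payment rows exported from a ledger explorer; an activation path that passes through a non-attacker account, as the second attacker account's does here, marks that account as compromised rather than attacker-owned.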