The receiving address, after mixing is this: bc1qx65xcxz6dfsge2g4eaerercslh83y66wrpm79r
Seems an exchange
The hacker obviously used a mixer to hide his trace but I am curious how would you know that the quoted address was the output address of the mixer?
I do not have much analytical knowledge to understand a move unless there are any easy open tool.
If the hacker used a mixer, there is no way what his receiving address is. That's the point of a mixer...
The only thing i see is this transaction: 89abc9415125c304773b68bad4dd37456b2f459d035a73c19eea722ab78acc0b
It uses 3 unspent outputs to fund address:18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S
https://www.kycp.org/#/89abc9415125c304773b68bad4dd37456b2f459d035a73c19eea722ab78acc0bAfterwards, the unspent output funding address 18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S is spent funding 2 addresses:
bc1ql72syjwvm4m9lwajpaylaxvj9lxc2tzn706ruj (value 0.1)
1KgiSi5wrVYumSskG3GPaaE2MSRdFKyzj7 (value 0.81399400)
the first address is funded with a round amount... This might be because of a self transfer, or a transfer to an exchange...
bc1ql72syjwvm4m9lwajpaylaxvj9lxc2tzn706ruj belongs to a huge wallet:
https://www.walletexplorer.com/wallet/000003e028959c0bSo it's probably some sort of active service or exchange...
If the thief's first transaction went to a mixer's deposit address (18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S), the rest of the trace might belong to somebody completely different... That's how mixers work.