Ronin hackers transferred stolen funds from ETH to BTC and used sanctioned mixers

Published at: Aug. 22, 2022

The hackers behind the $625 million Ronin bridge attack in March have since moved most of the stolen funds from ETH into BTC via renBTC and passed them through the Bitcoin privacy tools Blender and ChipMixer.

The hackers’ activity has been tracked by on-chain investigator ‘₿liteZero’, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report. They outlined the transaction pathway of the stolen funds since the Mar. 23 attack.

The majority of the stolen funds were originally converted into ETH and sent to the now-sanctioned Ethereum crypto mixer Tornado Cash before being bridged over to the Bitcoin network and converted into BTC via the Ren protocol.

I've been tracking the stolen funds on Ronin Bridge. I've noticed that Ronin hackers have transferred all of their funds to the bitcoin network. Most of the funds have been deposited to mixers (ChipMixer, Blender). This thread will illustrate the tracking analysis procedures. pic.twitter.com/yrazcJ22xF

— ₿liteZero (@blitezero) August 20, 2022

According to the report, the hackers, who are believed to be the North Korean cybercrime organization Lazarus Group, initially transferred just a portion of the funds (6,249 ETH) to centralized exchanges, including Huobi (5,028 ETH) and FTX (1,219 ETH), on Mar. 28.

From the centralized exchanges, the 6,249 ETH appeared to have been converted into BTC. The hackers then transferred 439 BTC ($20.5 million) to the Bitcoin privacy tool Blender, which was itself sanctioned by the U.S. Treasury on May 6. The analyst wrote:

“I've found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender's deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”

However, the overwhelming majority of the stolen funds — 175,000 ETH — was transferred to Tornado Cash incrementally between April 4 and May 19.

The hackers subsequently used decentralized exchanges Uniswap and 1inch to convert around 113,000 ETH to renBTC (a wrapped version of BTC), and used Ren’s decentralized cross-chain bridge to transfer the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.

From there, approximately 6,631 BTC was distributed to a variety of centralized exchanges and decentralized protocols.

The report also stated that the Ronin hackers had withdrawn 2,871 BTC ($61.6 million as of Aug. 22) of the 3,460 BTC that went through the Bitcoin privacy tool ChipMixer.
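The tracing described above (follow outgoing transfers hop by hop from the exploiter's address, across an exchange or bridge, and flag where the flow lands on a designated mixer address) is the kind of reachability analysis a compliance or incident-response team runs on its own transaction data. The following is an added illustration, not code from the article, from ₿liteZero or from SlowMist. All address labels, amounts and the "sanctioned" set are constructed stand-ins; a real run would take transfers from a chain indexer and the designation list from an official sanctions feed.

```python
from collections import defaultdict, deque

# Constructed transfer records for illustration only: labels, not real addresses,
# and made-up amounts. Each record is (sender, receiver, amount, asset).
TRANSFERS = [
    ("exploiter_eth", "exchange_a", 6000.0, "ETH"),
    ("exploiter_eth", "mixer_x", 170000.0, "ETH"),
    ("mixer_x", "eth_hop_1", 110000.0, "ETH"),
    ("eth_hop_1", "bridge_out", 110000.0, "ETH"),
    ("bridge_out", "btc_hop_1", 6500.0, "BTC"),
    ("btc_hop_1", "mixer_y", 3400.0, "BTC"),
    ("btc_hop_1", "exchange_b", 3100.0, "BTC"),
    ("exchange_a", "btc_hop_2", 430.0, "BTC"),
    ("btc_hop_2", "mixer_z", 430.0, "BTC"),
    ("unrelated_user", "exchange_b", 10.0, "BTC"),  # not downstream of the exploiter
]

# Constructed designation list standing in for a sanctions feed (hypothetical labels).
SANCTIONED = {"mixer_x", "mixer_z"}


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, amount, asset), ...]."""
    graph = defaultdict(list)
    for sender, receiver, amount, asset in transfers:
        graph[sender].append((receiver, amount, asset))
    return graph


def downstream(graph, origin):
    """Every address reachable from origin by following outgoing transfers (BFS).
    The origin itself is included so direct deposits from it are counted."""
    seen = {origin}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for receiver, _, _ in graph.get(node, []):
            if receiver not in seen:
                seen.add(receiver)
                queue.append(receiver)
    return seen


def shortest_path(graph, origin, target):
    """Hop-by-hop path from origin to target, or None when target is not downstream."""
    parent = {origin: None}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for receiver, _, _ in graph.get(node, []):
            if receiver not in parent:
                parent[receiver] = node
                queue.append(receiver)
    return None


def sanctioned_exposure(transfers, origin, sanctioned):
    """Per-asset totals that addresses downstream of origin sent directly into
    sanctioned addresses, keyed by the sanctioned address."""
    graph = build_graph(transfers)
    tainted = downstream(graph, origin)
    exposure = defaultdict(lambda: defaultdict(float))
    for sender, receiver, amount, asset in transfers:
        if sender in tainted and receiver in sanctioned:
            exposure[receiver][asset] += amount
    return {addr: dict(by_asset) for addr, by_asset in exposure.items()}


if __name__ == "__main__":
    g = build_graph(TRANSFERS)
    print("downstream:", sorted(downstream(g, "exploiter_eth")))
    print("path to mixer_z:", shortest_path(g, "exploiter_eth", "mixer_z"))
    print("exposure:", sanctioned_exposure(TRANSFERS, "exploiter_eth", SANCTIONED))
```

Two limits of this model are exactly the ones the investigator ran into. A centralized exchange is a custodial hop, so reachability only marks the exchange deposit address; which withdrawal later carried the same value is not visible on-chain, which is why the Blender link in the article had to be made through the published sanctions addresses rather than through transaction continuity. Likewise, anything past a mixer is a heuristic, not a provable link, so the exposure figure should be reported as "sent into a designated service" rather than as attribution of what came out.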

₿liteZero concluded the Twitter thread by stating that the Ronin hack remains a “mystery to be investigated” and that more progress is to be made.
