Wormhole hacker moves $155M in biggest shift of stolen funds in months

Published at: Jan. 24, 2023

The hacker behind the $321 million Wormhole bridge attack has shifted a large chunk of stolen funds, with transaction data showing that $155 million worth of Ether (ETH) was transferred to a decentralized exchange (DEX) on Jan. 23.

The Wormhole hack was the third-largest crypto hack in 2022, after the protocol’s token bridge suffered an exploit on Feb. 2, 2022, that resulted in the loss of 120,000 Wrapped ETH (wETH) worth around $321 million.

According to the transaction history of the hacker’s alleged wallet address, the latest activity shows that 95,630 ETH was sent to the OpenOcean DEX and subsequently converted into ETH-pegged assets such as Lido Finance’s staked ETH (stETH) and wrapped staked ETH (wstETH).

#CertiKSkynetAlert We are seeing address 0x629e… Wormhole Network Exploiter swap 95,630 Ether (~$155M) to stETH Stay safe! pic.twitter.com/ZR6zxlRuKX

— CertiK Alert (@CertiKAlert) January 23, 2023

Digging further into the transaction history, crypto community members such as @spreekaway also highlighted that the hacker went on to conduct a slew of odd-looking transactions.

For example, the hacker used their stETH holdings as collateral to borrow 13 million worth of the DAI stablecoin, before swapping it out for more stETH, wrapping into stETH again and then borrowing some more DAI.

Wormhole exploiter has converted his ETH to wstETH and is going to borrow DAI against it it seems. pic.twitter.com/9rhERSMG5u

— Spreek (@spreekaway) January 23, 2023

Notably, the Wormhole team has taken the opportunity to once again offer the hacker a bounty of $10 million if they return all the funds, leaving an embedded message to that effect in a transaction sent via the Wormhole: Deployer.

The hacker’s hefty ETH transaction appears to have had a direct impact on the price of stETH, according to data from Dune Analytics. The asset’s price went from slightly under its peg, at 0.9962 ETH on Jan. 23, to as high as 1.0002 ETH the following day, before dropping back to 0.9981 ETH at the time of writing.

With the Wormhole hack likely to catch more attention in light of the latest incident, blockchain security firms such as Ancilia, Inc. warned on Jan. 19 that a Google search for the keywords “Wormhole Bridge” currently returns promoted ad results that are actually phishing operations.

The community has been warned to be careful about what they click on in relation to this search term.

#phishing alert When you search "wormhole bridge" in Google, many of the "ad" entries are actually phishing sites. E.g. hxxps://wormholebridge-multichain.com/ hxxps://portaltoken-wormholebridge.com. Be careful about what you click and stay safe! pic.twitter.com/C6JW2xeaUh

— Ancilia, Inc. (@AnciliaInc) January 19, 2023