Data sourced from Etherscan indicates that the exploiter first swapped 95,360 ETH worth roughly $157 million on DeFi aggregator OpenOcean and then transacted smaller amounts capital through several decentralized finance protocols such as Kyber Network and 1Inch.
The exploiter levered up, borrowing DAI and interacting with several smart contracts on Lido, the top provider for liquid staking derivatives on Ethereum. The exploiter’s address, which begins with 0x629 is now the 3rd largest holder of wrapped stETH, according to data analytics platform Nansen.
Darkfi.eth (not related to DarkFi, the layer 1 blockchain with the Lunarpunk philosophy), one of the hackers who exploited the Nomad bridge in Aug. 2022 in order to rescue its funds from malicious actors, said, “Its possible that they are somehow using this to launder the money. Hard to tell for sure but there are definitely ways they could have extracted value on other wallets from this activity … Could also just be degens tho lmao, all kinda speculation at this point.”
The expoliter’s Lido shenanigans were so massive that they had a material effect on the market for the popular liquid staking derivative. Its 24-hour trading volume is up over 3000%, per CoinGecko. During the chaos of the day, stETH’s price increased relative to ETH, jumping above its 1:1 peg temporarily, before settling at 0.9985, per Dune Analytics.
The sudden activity by the exploiter prompted its victims to respond. In one transaction, an address belonging to Wormhole sent an on-chain message asking the exploiter to return the stolen funds in exchange for a $10 million bounty.
The Wormhole Network exploiter did not return a request comment to CoinDesk via Blockscan.
Here is the walk-through for the exploiter’s shuffle of funds
First, the Wormhole Network exploiter triggered a transaction on OpenOcean that swapped 96,630 ETH for 96,677 stETH, Lido’s derivative token that stands for the total value of a user’s initial staked ETH and its accrued interest.
Second, the Wormhole Network exploiter decided in another transaction to wrap 86,473 stETH.
Third, the exploiter deployed 25,000 wrapped stETH as collateral to borrow $13 million DAI.
Fourth, the exploiter used the $13 million DAI it just borrowed to accumulate almost 8,000 stETH on Kyber Network, an Ethereum-based decentralized exchange.
Fifth, the exploiter executed a transaction to wrap the roughly 8,000 stETH it received moments ago.
Sixth, the exploiter received $1.5 million DAI.
Seventh, the exploiter swapped out the $1.5 million DAI for some 923 stETH through DEX Aggregator 1Inch.
The exploiter has since continued receiving thousands of wrapped staked ether (wstETH) tokens.
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.