Swapping More Than $157M of ETH for stETH and Levering Up, the Wormhole Network Exploiter Is a DeFi Degen

The address that hacked one of the most popular cross-blockchain bridges Wormhole started moving capital in the DeFi ecosystem.

AccessTimeIconJan 24, 2023 at 8:57 a.m. UTC
Updated May 9, 2023 at 4:06 a.m. UTC

The wallet that stole 80,000 ether (ETH) from the Wormhole Portal Token Bridge last year sprung back to life on Monday after 355 dormant days, trading on leverage like a true Crypto Twitter "degen" as it moved a massive amount of capital throughout the decentralized finance (DeFi) ecosystem.

Data sourced from Etherscan indicates that the exploiter first swapped 95,360 ETH worth roughly $157 million on DeFi aggregator OpenOcean and then transacted smaller amounts capital through several decentralized finance protocols such as Kyber Network and 1Inch.

  • Over $67M in Crypto Lost to Hacks and Exploits in February: Immunefi Report
    Over $67M in Crypto Lost to Hacks and Exploits in February: Immunefi Report
  • Hacks Involving North Korea Are 'Even Greater Problem': Legal Experts
    Hacks Involving North Korea Are 'Even Greater Problem': Legal Experts
  • Why Injective's INJ Has Surged 3,000% in 2023
    Why Injective's INJ Has Surged 3,000% in 2023
  • DeFi Market Rebounds to $50B as Speculators Hunt for Yield
    DeFi Market Rebounds to $50B as Speculators Hunt for Yield
  • The exploiter levered up, borrowing DAI and interacting with several smart contracts on Lido, the top provider for liquid staking derivatives on Ethereum. The exploiter’s address, which begins with 0x629 is now the 3rd largest holder of wrapped stETH, according to data analytics platform Nansen.

    Darkfi.eth (not related to DarkFi, the layer 1 blockchain with the Lunarpunk philosophy), one of the hackers who exploited the Nomad bridge in Aug. 2022 in order to rescue its funds from malicious actors, said, “Its possible that they are somehow using this to launder the money. Hard to tell for sure but there are definitely ways they could have extracted value on other wallets from this activity … Could also just be degens tho lmao, all kinda speculation at this point.”

    The expoliter’s Lido shenanigans were so massive that they had a material effect on the market for the popular liquid staking derivative. Its 24-hour trading volume is up over 3000%, per CoinGecko. During the chaos of the day, stETH’s price increased relative to ETH, jumping above its 1:1 peg temporarily, before settling at 0.9985, per Dune Analytics.

    The sudden activity by the exploiter prompted its victims to respond. In one transaction, an address belonging to Wormhole sent an on-chain message asking the exploiter to return the stolen funds in exchange for a $10 million bounty.

    The Wormhole Network exploiter did not return a request comment to CoinDesk via Blockscan.

    Here is the walk-through for the exploiter’s shuffle of funds

    First, the Wormhole Network exploiter triggered a transaction on OpenOcean that swapped 96,630 ETH for 96,677 stETH, Lido’s derivative token that stands for the total value of a user’s initial staked ETH and its accrued interest.

    Second, the Wormhole Network exploiter decided in another transaction to wrap 86,473 stETH.

    Third, the exploiter deployed 25,000 wrapped stETH as collateral to borrow $13 million DAI.

    Fourth, the exploiter used the $13 million DAI it just borrowed to accumulate almost 8,000 stETH on Kyber Network, an Ethereum-based decentralized exchange.

    Fifth, the exploiter executed a transaction to wrap the roughly 8,000 stETH it received moments ago.

    Sixth, the exploiter received $1.5 million DAI.

    Seventh, the exploiter swapped out the $1.5 million DAI for some 923 stETH through DEX Aggregator 1Inch.

    The exploiter has since continued receiving thousands of wrapped staked ether (wstETH) tokens.


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Sage D. Young

    Sage D. Young was a tech protocol reporter at CoinDesk. He owns a few NFTs, gold and silver, as well as BTC, ETH, LINK, AAVE, ARB, PEOPLE, DOGE, OS, and HTR.