A researcher at security firm SlowMist has stated that the attackers behind this year’s $625 million Ronin bridge exploit converted part of their stolen funds from ether (ETH) to bitcoin (BTC) and used sanctioned privacy mixers to mask their identities further.
The March exploit affected Ronin validator nodes for Sky Mavis, the publisher of the popular Axie Infinity game, and the Axie DAO, with attackers stealing some 173,600 ether and 25.5 million in USDC.
The attacker “used hacked private keys in order to forge fake withdrawals” from the Ronin bridge across two transactions, according to a blog posted at the time, as previously reported.
SlowMist’s “blitezero” said in a tweet that some 6,249 ether converted by the attacker through Tornado Cash was sent to crypto exchange Huobi, where it was exchanged for bitcoin, and 5,028 ether was sent to FTX on March 28.
Some 439 bitcoin, or US$20.5 million at current rates, held at Huobi were then sent to bitcoin privacy tool Blender. Blender is a privacy tool that masks user addresses to make transactions more private and became the first-ever bitcoin mixer to get sanctioned by the U.S. government in May.
Blitezero added that most Blender addresses sanctioned by the U.S. government were the same deposit addresses used by Ronin hackers.
The hack was ultimately linked to the infamous North Korean hacker group Lazarus.
Meanwhile, the researcher added that over 113,000 ether sent to Tornado Cash was additionally converted to renBTC, a token on the Ethereum network that represents bitcoin, through decentralized exchanges Uniswap and 1inch. The renBTC was later transferred from Ethereum to Bitcoin and redeemed for spot bitcoin.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.