Ronin Hackers Converted Some Stolen Ether to Bitcoin: SlowMist Researcher

The exploiters converted their ill-gotten gains initially to ether and then to bitcoin before using sanctioned mixers to mask their identities.

AccessTimeIconAug 22, 2022 at 10:00 a.m. UTC
Updated May 11, 2023 at 5:25 p.m. UTC

A researcher at security firm SlowMist has stated that the attackers behind this year’s $625 million Ronin bridge exploit converted part of their stolen funds from ether (ETH) to bitcoin (BTC) and used sanctioned privacy mixers to mask their identities further.

The March exploit affected Ronin validator nodes for Sky Mavis, the publisher of the popular Axie Infinity game, and the Axie DAO, with attackers stealing some 173,600 ether and 25.5 million in USDC.

The attacker “used hacked private keys in order to forge fake withdrawals” from the Ronin bridge across two transactions, according to a blog posted at the time, as previously reported.

SlowMist’s “blitezero” said in a tweet that some 6,249 ether converted by the attacker through Tornado Cash was sent to crypto exchange Huobi, where it was exchanged for bitcoin, and 5,028 ether was sent to FTX on March 28.

Some 439 bitcoin, or US$20.5 million at current rates, held at Huobi were then sent to bitcoin privacy tool Blender. Blender is a privacy tool that masks user addresses to make transactions more private and became the first-ever bitcoin mixer to get sanctioned by the U.S. government in May.

Blitezero added that most Blender addresses sanctioned by the U.S. government were the same deposit addresses used by Ronin hackers.

The hack was ultimately linked to the infamous North Korean hacker group Lazarus.

Meanwhile, the researcher added that over 113,000 ether sent to Tornado Cash was additionally converted to renBTC, a token on the Ethereum network that represents bitcoin, through decentralized exchanges Uniswap and 1inch. The renBTC was later transferred from Ethereum to Bitcoin and redeemed for spot bitcoin.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.

Read more about