Home Ethereum Ronin hackers transferred stolen funds from ETH to BTC and used sanctioned mixers

Ronin hackers transferred stolen funds from ETH to BTC and used sanctioned mixers

Ronin hackers transferred stolen funds from ETH to BTC and used sanctioned mixers

The hackers behind the $625 Million Ronin Bridge Attack in March have since transferred most of their funds from Ether (ETH) to Bitcoin (BTC) using renBTC privacy tools and Bitcoin Blender and ChipMixer.

Hacker activity was followed by on-chain investigator ₿liteZero, who works for SlowMist and contributed to the company’s 2022 Blockchain Security Mid-Year Report. They described the transaction path of the stolen funds since the March 23 attack.

The majority of the stolen funds were initially converted into ETH and sent to the now-sanctioned Ethereum crypto mixer Tornado Cash before being linked to the Bitcoin network and converted into BTC via the Ren protocol.

According to the report, the hackers, who are believed to be North Korean Cybercrime Organization Lazarus Groupinitially transferred only part of the fund, 6,249 ETH, to centralized exchanges (CEX), including Huobi with 5,028 ETH and FTX with 1,219 ETH on March 28.

From the CEX, 6249 ETH seems to have been converted to BTC. The hackers then transferred 439 BTC, or $20.5 million at the time of writing, to Bitcoin privacy tool Blender, which was also sanctioned by the US Treasury May 6. The analyst wrote:

“I found the answer in Blender’s Penalty Addresses. Most Blender sanction addresses are Blender drop addresses used by Ronin hackers. They deposited all of their withdrawal funds into Blender after withdrawing from exchanges.

However, the overwhelming majority of the stolen funds – 175,000 ETH – were transferred to Tornado Cash gradually between April 4 and May 19.

Related: The Aftermath of Axie Infinity’s $650 Million Ronin Bridge Hack

Hackers then used decentralized exchanges Uniswap and 1inch to convert approximately 113,000 ETH to renBTC (a wrapped version of BTC) and used Ren’s decentralized cross-chain bridge to transfer assets from Ethereum to the Bitcoin network and unpack renBTC to BTC.

From there, approximately 6,631 BTC were distributed to a variety of centralized exchanges and decentralized protocols:

Platforms used by hackers to transfer BTC. Source: Slow Mist.

The report also states that Ronin hackers withdrew 2,871 BTC of the 3,460 BTC, or $61.6 million as of August 22, via Bitcoin privacy tool ChipMixer.

BTC balance on platforms after hackers withdraw funds. Source: Slow Mist.

₿liteZero concluded the Twitter thread by stating that the Ronin hack remains a “mystery to be investigated” and that more progress needs to be made.