According to the latest report by blockchain developer and researcher BliteZero, Ronin hackers have transferred the stolen assets from the Ethereum network to the Bitcoin network.
Following the Ronin bridge incident in March, the hackers moved $625 million worth of USDC and ETH to the Ethereum-based crypto-mixer Tornado Cash. This made it challenging for law authorities to trace the flow of the funds. After the Tornado, though, the hackers are now still trying to hide the transactions.
I've been tracking the stolen funds on Ronin Bridge.
I've noticed that Ronin hackers have transferred all of their funds to the bitcoin network. Most of the funds have been deposited to mixers(ChipMixer, Blender).
This thread🧵 will illustrate the tracking analysis procedures.👇🏻 pic.twitter.com/yrazcJ22xF
— ₿liteZero (@blitezero) August 20, 2022
The on-chain investigator, a contributor to SlowMist’s 2022 Mid-Year Blockchain Security report, has long been following the hacker’s behavior. In fact, since the 23 March incident, SlowMist has been at the head of tracing the transactions that took place with the stolen money.
So, what happened to the money?
The report claimed that on 28 March, the hackers— thought to be members of the North Korean cybercrime group Lazarus Group —transferred only a small fraction of the funds (6,249 ETH) to centralized exchanges. These include Huobi (5,028 ETH) and FTX (1,219 ETH).
The 6249 ETH seems to have been converted into BTC from the centralized exchanges. In the following phase, the hackers sent 439 BTC ($20.5 million) to the 6 May sanctioned Bitcoin privacy tool Blender. The researcher noted,
“I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”
Here, it’s interesting to note that BliteZero claimed that the Ronin hackers used the majority of the authorized Blender addresses to receive money after making withdrawals from CEXs. The investigator added that the total amount of money taken out of the exchanges was $20.72 million – In line with the claim made by the U.S. Treasury.
Stolen funds on the Bitcoin network
Using 1inch or Uniswap, the hackers changed the remaining assets to renBTC. Ren Protocol-powered renBTC is wrapped Bitcoin running on the Ethereum network. The ability of Ren to transport value between blockchains allowed the hackers to connect the Ethereum assets to the Bitcoin network.
A majority of the money was then sent by the hackers to cryptocurrency mixers like Blender and ChipMixer. Before extracting some money for Blender, they transferred the money to ChipMixer. BliteZero concluded the Twitter discussion by stating that they are now working on analyzing the hackers, even though they think it will be more difficult.
The Ronin bridge attack is one of the biggest attacks in the history of crypto-crime. The crucial bridge chain was attacked, causing a loss of 173,600 Ethereum and 25.5M USDC, or more than $600M. The stolen money has been transferred to FTX, Huobi, and CryptoCom after the breach on 23 March. Following the same, each of these companies has promised to take steps to track down the money.
Furthermore, the Ronin Network has temporarily stopped accepting deposits and withdrawals.