The hackers, suspected to be a North Korean cybercrime organization, continue to disperse the stolen assets using Bitcoin privacy tools to conceal their identities.
Ronin Hackers Convert Stolen ETH to BTC
The hackers responsible for the $625 million Ronin bridge exploit in March have moved the majority of their funds from Ether (ETH) to Bitcoin (BTC) using renBTC and Bitcoin privacy tools Blender and ChipMixer.
On-chain investigator ₿liteZero, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report, has traced the hackers’ activities, detailing the trail of the stolen funds’ transactions since the March 23 incident.
The majority of the stolen funds were initially converted into ETH and transferred to the now-sanctioned Ethereum crypto mixer Tornado Cash prior to being bridged to the Bitcoin network and converted into BTC through the Ren protocol.
According to the report, the hackers, suspected to be members of the North Korean cybercrime organization Lazarus Group, first moved only a fraction of the funds, or 6,249 ETH, to centralized exchanges (CEXs) on March 28, including Huobi with 5,028 ETH and FTX with 1,219 ETH.
The 6,249 ETH seems to have been converted into BTC via the CEXs. The hackers then sent 439 BTC (about $20.5 million at the time of writing) to the Bitcoin privacy tool Blender, which was also sanctioned by the US Treasury on May 6. The analyst stated:
“I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”
However, the vast majority of stolen funds, 175,000 ETH, were gradually transferred to Tornado Cash between April 4 and May 19.
Stolen Funds on the Bitcoin Network
The hackers then converted about 113,000 ETH to renBTC (a wrapped version of BTC) via the decentralized exchanges Uniswap and 1inch. They then used Ren’s decentralized cross-chain bridge to move the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.
Following that, the majority of the funds were sent to crypto mixers such as ChipMixer and Blender. They moved the funds to ChipMixer before withdrawing some to Blender.
₿liteZero stated at the conclusion of the Twitter thread that they are currently analyzing the hackers, but anticipate that this will be a far more complex task.
This report comes at a time when the use of crypto mixing services has surged in 2022. These services enable users to conceal the history of transactions involving certain cryptocurrencies by pooling and mixing them with the funds of other users.
According to a report published in July by Chainalysis, the 30-day moving average of value received by mixers reached an all-time high of almost $52 million worth of cryptocurrency on April 19, which is roughly double the volumes that were seen at the same time in 2021.