Reports said that the hackers behind the $625 million Ronin bridge attack in March have since transferred most of their funds from Ether (ETH) into Bitcoin (BTC) using renBTC and Bitcoin privacy tools Blender and ChipMixer.
The hackers’ activity has reportedly been tracked by on-chain investigator ₿liteZero, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report. They outlined the transaction pathway of the stolen funds since the March 23 attack.
The majority of the stolen funds were originally converted into ETH and sent to the now-sanctioned Ethereum crypto mixer Tornado Cash before being bridged over to the Bitcoin network and converted into BTC via the Ren protocol.
The report said that the hackers, who are believed to be the North Korean cybercrime organization Lazarus Group, initially transferred just a portion of the funds, 6,249 ETH, to centralized exchanges (CEXs), including Huobi with 5,028 ETH and FTX with 1,219 ETH, on March 28.
At the CEXs, the 6,249 ETH appears to have been converted into BTC. The hackers then transferred 439 BTC, worth $20.5 million as of August 22, to the Bitcoin privacy tool Blender, which was also sanctioned by the US Treasury on May 6.
The analyst wrote:
“I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”
The overwhelming majority of stolen funds — 175,000 ETH — was transferred to Tornado Cash incrementally between April 4 and May 19. The hackers subsequently used decentralized exchanges Uniswap and 1inch to convert around 113,000 ETH to renBTC (a wrapped version of BTC) and used Ren’s decentralized cross-chain bridge to transfer the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.
The report also stated that the Ronin hackers withdrew 2,871 BTC of the 3,460 BTC, or $61.6 million as of August 22, via Bitcoin privacy tool ChipMixer. ₿liteZero concluded the Twitter thread by stating that the Ronin hack remains a “mystery to be investigated” and that more progress is to be made.