The hackers continue to spread out the stolen funds using Bitcoin privacy tools as a means to remain anonymous, despite the identity of the hackers believed to be a North Korean cybercrime group.
The hackers behind the $625 million Ronin bridge attack in March have since transferred most of their funds from ETH into BTC using renBTC and Bitcoin privacy tools Blender and ChipMixer.
The hacker’s activity has been tracked by on-chain investigator ‘₿liteZero’, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report. They outlined the transaction pathway of the stolen funds since the Mar. 23 attack.
The majority of the stolen funds were originally converted into ETH and sent to now sanctioned Ethereum crypto mixer Tornado Cash before being bridged over to the Bitcoin network and converted into BTC via the Ren protocol.
I've been tracking the stolen funds on Ronin Bridge.
I've noticed that Ronin hackers have transferred all of their funds to the bitcoin network. Most of the funds have been deposited to mixers(ChipMixer, Blender).This thread will illustrate the tracking analysis procedures. pic.twitter.com/yrazcJ22xF
— ₿liteZero (@blitezero) August 20, 2022
According to the report, the hackers, who are believed to be North Korean cybercrime organization Lazarus Group, initially transferred just a portion of the fund (6,249 ETH) to centralized exchanges including Huobi (5,028 ETH) and FTX (1,219 ETH) on Mar. 28.
From the centralized exchanges, the 6249 ETH appeared to have been converted into BTC. The hackers then transferred 439 BTC ($20.5 million) to Bitcoin privacy tool Blender, which was also sanctioned by the U.S. Treasury on May. 6. The analyst wrote:
“I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”
However the overwhelming majority of stolen funds — 175,000 ETH — was transferred Tornado Cash incrementally between April 4 and May 19.
Related: The aftermath of Axie Infinity’s $650M Ronin Bridge hack
The hackers subsequently used decentralized exchanges Uniswap and 1inch to convert around 113,000 ETH to renBTC (a wrapped version of BTC), and used Ren’s decentralized cross-chain bridge to transfer the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.
From there, approximately 6,631 BTC was distributed to a variety of centralized exchanges and decentralized protocols:
The report also stated that the Ronin hackers withdrew 2,871 BTC (of the 3,460 BTC) ($61.6 million as of Aug. 22) via Bitcoin privacy tool ChipMixer.
₿liteZero concluded the Twitter thread by stating that the Ronin hack remains a “mystery to be investigated” and that more progress is to be made.
