Ronin Hackers transferred stolen funds to the Bitcoin network using privacy tools
Hackers who drained around $625 million in the Ronin Bridge attack in March have transferred funds from Ethereum to the Bitcoin network using privacy tools. To hide their identity, the cybercriminals, who are believed to be part of the North Korean cybercrime group Lazarus, used the Ren protocol, mixers and multiple centralized exchanges to move funds from one blockchain to another.
₿liteZero, a blockchain investigator, developer and major contributor to SlowMist’s mid-year Blockchain Security report, tracked the stolen funds. The investigator outlined the funds’ movement after March 23 following the exploit and noted that the stolen funds are now being anonymously converted into Bitcoin.
₿liteZero stated in a tweet:
I have traced the stolen funds to Ronin Bridge. I have noticed that Ronin hackers have transferred all their money to the bitcoin network. Most of the funds have been invested in mixers (ChipMixer, Blender).
After gaining access to $625 million worth of USDC and Ethereum, the hackers moved funds to Tornado Cash in an attempt to hide from the authorities. Tornado Cash is an Ethereum-based virtual currency tumbler that mixes crypto transactions and provides access with specific keys to individuals.
That was not the end of the process of hiding the transactions: after withdrawing money from Tornado Cash, the hackers used several crypto exchanges and a network bridge. The investigator revealed in the Twitter thread that the Ronin hackers circulated funds from Binance, Huobi and FTX before sending the funds into the North Korean mixer Blender.
The US Treasury accused Blender of helping hackers in May
According to ₿liteZero's findings, only a portion of the stolen assets, or 6,249 ETH, appears to have been converted to Bitcoin, with Huobi receiving 5,028 ETH and FTX 1,219 ETH. The hackers then sent 439 BTC ($20.5 million) to the Bitcoin privacy tool Blender.
The analyst added:
I have found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender deposit addresses used by Ronin hackers. After withdrawing from the exchanges, they have deposited all their withdrawal funds into Blender.
Interestingly, the ₿liteZero report comes after the US Treasury imposed sanctions on the mixing tool Blender on May 6, accusing the firm of helping North Korean hackers process $20.5 million in stolen funds. This figure is consistent with the amount the cybercriminals withdrew from exchanges according to ₿liteZero (20.72).
In addition, the hackers bridged the rest of the assets to the Bitcoin network using the renBTC protocol. The investigator explained that the hackers used Uniswap or 1inch to convert the funds into pureBTC.
Since its inception, the Ren protocol has opened the way for money laundering actors worldwide, as it allows an asset to be converted from Ethereum to the Bitcoin network.
Then again, after converting and sending funds from multiple platforms, they used a mixer such as ChipMixer or Blender. Funds are moved to ChipMixer before an amount is withdrawn from Blender.
₿liteZero concluded by noting that more complex findings may emerge, as the research team is still analyzing the hackers.