
Ronin hackers convert assets into Bitcoin and use mixers
Hackers behind the March breach of the Ronin sidechain, worth $625 million, have converted most of the assets into Bitcoin using privacy tools, according to researcher ₿liteZero of SlowMist.
I’ve been tracking the stolen funds on Ronin Bridge.
I’ve noticed that Ronin hackers have transferred all of their funds to the bitcoin network. Most of the funds have been deposited to mixers (ChipMixer, Blender). This thread 🧵 will illustrate the tracking analysis procedures. 👇🏻 pic.twitter.com/yrazcJ22xF
— ₿liteZero (@blitezero) August 20, 2022
The haul of the hackers, who are believed to be linked to North Korea’s Lazarus group, consisted of 173,600 ETH and 25.5 million USDC. According to the expert, almost the entire amount in Ethereum was deposited into the Tornado Cash mixer. Only about 6,250 ETH were sent to the exchanges Huobi, FTX and Crypto.com. The hackers’ addresses hold about 667 ETH.
As of now, the vast majority of the Ronin hacker’s ETH funds have been deposited to Tornado Cash, and ~6,250 Ether deposited to exchanges (such as Huobi, FTX, or Cryptocom). @Ronin_Network https://t.co/J3ZSrtzRFp pic.twitter.com/CzBpYl7LWY
— ₿liteZero (@blitezero) August 20, 2022
In May, the U.S. Treasury imposed sanctions on the Blender mixer. According to the agency, about $20.5 million of the Ronin sum was laundered through the service.
The expert confirmed that the hackers moved about $20.72 million to the mixer from centralized exchanges. The amount aligns with what U.S. authorities have reported.
According to my calculations, the withdrawn amount from the exchanges is $20.72 million. This is consistent with the "over $20.5 million" in sanctioned releases. pic.twitter.com/LBSiNCZOUb
— ₿liteZero (@blitezero) August 20, 2022
The Ethereum funds moved through Tornado Cash were swapped for renBTC, Ren Protocol’s wrapped version of bitcoin, on the decentralized platforms 1inch and Uniswap.
Depositing to Tornado Cash is not the end of it, either.
After withdrawing from Tornado Cash, the hacker used 1inch or Uniswap to swap the funds for renBTC before finally bridging them to the bitcoin network. https://t.co/yjqHEJYncs
— ₿liteZero (@blitezero) August 20, 2022
After exiting the protocol, half of the funds were sent to the ChipMixer mixer. The other half routed through the service were moved to Blender.
When I scanned bitcoin transactions (April 7 ~ May 14) for withdrawals from Ronin hackers, I came to the following conclusions:
After withdrawing from ChipMixer, half of the funds were deposited to Blender. pic.twitter.com/eX12fC04GO
— ₿liteZero (@blitezero) August 20, 2022
Despite the hackers’ active use of privacy-preserving services, the expert expects to track all stolen assets. He concedes that this part of the work will be more challenging than the analysis he has conducted.
In August, OFAC added Tornado Cash to the sanctions list, along with 39 Ethereum addresses and 6 USDC addresses linked to the mixer.