Ronin Hackers Transferred Stolen Funds To Bitcoin Network Using Privacy Tools

The hackers who drained about $625 million in the attack on the Ronin Bridge in March have transferred the funds from Ethereum to the Bitcoin network using privacy tools. To hide their identity, the cybercriminals, believed to be part of the North Korean cybercrime group Lazarus, used the Ren protocol, mixers, and several centralized exchanges to move funds from one blockchain to another.

₿liteZero, a blockchain investigator, developer and major contributor to SlowMist's mid-year report on Blockchain Security, tracked down those stolen funds. He outlined the movement of the funds since the exploit on March 23 and noted that the stolen funds are now being converted into Bitcoin anonymously.

₿liteZero said in a tweet:

I tracked down the stolen funds on Ronin Bridge. I noticed that the Ronin hackers transferred all their funds to the bitcoin network. Most of the funds were deposited on mixers (ChipMixer, Blender).

After gaining access to $625 million worth of USDC and Ethereum, the hackers transferred funds to Tornado Cash in an attempt to hide from the authorities. Tornado Cash is an Ethereum-based virtual currency mixer that mixes crypto transactions and gives people access through specific keys.

That was not the end of the effort to obscure the transactions: after withdrawing funds from Tornado Cash, the hackers used several cryptocurrency exchanges and a network bridge. The investigator revealed in the Twitter thread that the Ronin hackers circulated funds through Binance, Huobi and FTX before sending the funds to the North Korean mixer Blender.

The US Treasury accused Blender of assisting hackers in May

[Chart: ETHUSD. Ethereum's price is below $1,600, down more than 3%. Source: ETHUSD price chart from TradingView.com]

According to ₿liteZero's findings, only part of the stolen assets, or 6,249 ETH, appears to have been converted into Bitcoin, with Huobi receiving 5,028 ETH and FTX 1,219 ETH. The hackers then sent 439 BTC (20.5 million) to the Bitcoin privacy tool Blender.

The analyst added:

I found the answer in Blender’s sanctions addresses. Most of Blender’s sanction addresses are Blender’s filing addresses used by Ronin hackers. After they pulled out of the exchanges, they deposited all withdrawal funds into Blender.

Interestingly, ₿liteZero's report comes after the US Treasury imposed sanctions on the Blender mixer tool on May 6, accusing the company of assisting North Korean hackers in processing 20.5 million in stolen funds. This figure is consistent with the amount withdrawn from exchanges by the cybercriminals according to ₿liteZero (20.72).

Furthermore, the hackers bridged the rest of the assets to the Bitcoin network using the renBTC protocol. The investigator explained that the hackers used Uniswap or 1inch to convert the funds into renBTC.

Since its launch, the Ren protocol has paved the way for money launderers around the world by enabling the conversion of assets from Ethereum to the Bitcoin network.

After converting and moving funds across different platforms, the hackers again used a mixer such as ChipMixer or Blender. Funds are transferred to ChipMixer before an amount is withdrawn from Blender.

₿liteZero concluded by noting that more complex details could come up, as the research team is still analyzing the hackers.
