The hackers responsible for the $625 million Ronin bridge assault in March have converted the majority of their assets from Ether (ETH) to Bitcoin (BTC) using renBTC and Bitcoin privacy tools Blender and ChipMixer.
Since then, the hackers that carried out the $625 million Ronin bridge assault in March have converted the majority of their ETH holdings into BTC via renBTC and the Bitcoin privacy tools Blender and ChipMixer.
On-chain investigator liteZero, who works for SlowMist and contributed to the company’s 2022 Mid-Year Blockchain Security report, has been following the hacker’s behavior.
The majority of the stolen asset was first changed into ETH and delivered to Tornado Cash, an Ethereum crypto mixer that has since been sanctioned, before being bridged to the Bitcoin network and exchanged into BTC via the Ren protocol.
The Ronin hackers initially moved only a portion of the funds
The report claims that on March 28, the hackers, who are thought to be members of the North Korean cybercrime group Lazarus Group, moved only a small fraction of the fund—6,249 ETH—to controlled exchanges (CEXs), including Huobi with 5,028 ETH and FTX with 1,219 ETH.
The 6249 ETH seems to have been swapped into BTC from the CEXs. Following that, the hackers sent 439 BTC, or $20.5 million as of this writing, to the Blender Bitcoin privacy tool, which was also sanctioned by the US Treasury on May 6. The researcher noted:
“I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges.”
The hackers then converted about 113,000 ETH to renBTC (a wrapped version of BTC) via the decentralized exchanges Uniswap and 1inch. They then used Ren’s decentralized cross-chain bridge to move the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.
The distribution of roughly 6,631 BTC to various centralized exchanges and decentralized protocols began there.