Ronin hackers utilized sanctioned mixers to move illicit funds from ETH to BTC

By: Mark Jessy


August 22, 2022 9:30 AM

Although the hackers are thought to be a North Korean cybercrime outfit, they continue to disburse the illicit funds through Bitcoin privacy tools in order to remain anonymous.


The hackers who carried out the $625 million Ronin bridge assault in March have since converted the majority of their ETH holdings into BTC via renBTC and the Bitcoin privacy tools Blender and ChipMixer.


On-chain investigator ₿liteZero, who works for SlowMist and contributed to the company's 2022 Mid-Year Blockchain Security Report, has been following the hackers' behavior and described the transactions made with the stolen money since the March 23 incident.


The bulk of the stolen funds was first changed into ETH and delivered to Tornado Cash, an Ethereum crypto mixer that has since been sanctioned, before being bridged to the Bitcoin network and converted into BTC via the Ren protocol.



The report claims that on March 28, the hackers, who are thought to be members of the North Korean cybercrime group Lazarus Group, moved only a small fraction of the funds (6,249 ETH) to centralized exchanges (CEXs), including Huobi with 5,028 ETH and FTX with 1,219 ETH.


The 6,249 ETH appears to have been converted into BTC on the CEXs. Following that, the hackers sent 439 BTC, or $20.5 million as of this writing, to the Blender Bitcoin privacy tool, which was also sanctioned by the US Treasury on May 6. The researcher noted:


"I've found that the answer lies in combining sanction addresses. Blender deposit addresses make up the vast bulk of Blender sanction addresses used by Ronin hackers. They have all deposited their withdrawal funds with Blender after making withdrawals from the exchanges."


But 175,000 ETH, the great majority of the stolen funds, were gradually transferred to Tornado Cash between April 4 and May 19.


The hackers then converted about 113,000 ETH to renBTC (a wrapped version of BTC) via the decentralized exchanges Uniswap and 1inch. They then used Ren's decentralized cross-chain bridge to move the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.


A total of 6,631 BTC were then distributed from there to a number of centralized exchanges and decentralized protocols:


The study also revealed that the Ronin hackers used the Bitcoin privacy tool ChipMixer to withdraw 2,871 BTC out of the 3,460 BTC, or $61.6 million as of August 22.



The Ronin hack is still a "mystery to be solved," according to ₿liteZero, who concluded the Twitter thread by saying that even more work needs to be done.