Tokens stolen in the $625 million Ronin bridge exploit are being converted into Bitcoin (BTC) through the use of sanctioned privacy mixers and tools, an on-chain investigator from SlowMist said via Twitter on 20 August.
Researcher BliteZero cited SlowMist’s “2022 Mid-Year Blockchain Security and AML Analysis Report”, which outlines the transaction pathways of the funds stolen in the Ronin bridge exploit back in March. He also noted that the hacker group connected to the exploit has already transferred all of the stolen funds to the Bitcoin network, and used a variety of sanctioned privacy mixers to mask their identities.
Back on 23 March, a hacker group — now believed to be North Korea’s Lazarus Group — used “hacked private keys” to forge fake withdrawals from the Ronin bridge. This allowed the attackers to steal around 173,600 ETH and 25.5 million USDC — at the time worth $625 million — across two transactions.
According to BliteZero, the majority of the stolen tokens were slowly transferred to Tornado Cash between 4 April and 19 May to obfuscate their origin. Around 113,000 ETH were then converted into renBTC on the Uniswap and 1inch decentralized exchanges, and then transferred to the Bitcoin network through the use of Ren’s decentralized cross-chain bridge.
A portion of the stolen tokens, around 6,250 ETH, also found their way to centralized cryptocurrency exchanges such as Huobi and FTX, where they were traded for BTC and later transferred to Bitcoin privacy tool Blender, which in May became the first BTC mixer sanctioned by the U.S. government. BliteZero also noted that most Blender addresses sanctioned by the government were connected to the Ronin hack.
Hacking groups connected to North Korea have been responsible for a number of crypto-related cyber attacks. Back in July, the U.S. Department of Justice revealed it was able to seize around $500,000 in crypto and fiat from a “North Korean state-sponsored group” which used ransomware to attack U.S. medical facilities in Kansas and Colorado.