Funds From Ronin Hack Transferred to Bitcoin Network

  • SlowMist researchers have found that all tokens stolen in the $625 million Ronin bridge exploit have already been transferred to the Bitcoin network.
  • The hacking group, which is believed to be the North Korea-sponsored Lazarus Group, used a number of crypto mixing services and privacy tools to hide their identities.


Tokens stolen in the $625 million Ronin bridge exploit are being converted into Bitcoin (BTC) through the use of sanctioned privacy mixers and tools, an on-chain investigator from SlowMist said via Twitter on 20 August.

Researcher BliteZero cited SlowMist’s “2022 Mid-Year Blockchain Security and AML Analysis Report”, which outlines the transaction pathways of the funds stolen in the Ronin bridge exploit back in March. He also noted that the hacker group connected to the exploit has already transferred all of the stolen funds to the Bitcoin network, and used a variety of sanctioned privacy mixers to mask their identities.

Back on 23 March, a hacker group — now believed to be North Korea’s Lazarus Group — used “hacked private keys” to forge fake withdrawals from the Ronin bridge. This allowed the attackers to steal around 173,600 ETH and 25.5 million USDC — at the time worth $625 million — across two transactions.

According to BliteZero, the majority of the stolen tokens were slowly transferred to Tornado Cash between 4 April and 19 May to obfuscate their origin. Around 113,000 ETH were then converted into renBTC on the Uniswap and 1inch decentralized exchanges, and then transferred to the Bitcoin network through the use of Ren’s decentralized cross-chain bridge.

A portion of the stolen tokens, around 6,250 ETH, also found their way to centralized cryptocurrency exchanges such as Huobi and FTX, where they were traded for BTC and later transferred to Bitcoin privacy tool Blender, which in May became the first BTC mixer sanctioned by the U.S. government. BliteZero also noted that most Blender addresses sanctioned by the government were connected to the Ronin hack.

Hacking groups connected to North Korea have been responsible for a number of crypto-related cyber attacks. Back in July, the U.S. Department of Justice revealed it was able to seize around $500,000 in crypto and fiat from a “North Korean state-sponsored group” which used ransomware to attack U.S. medical facilities in Kansas and Colorado.
