Funds From Ronin Hack Transferred to Bitcoin Network

  • SlowMist researchers have found that all tokens stolen in the $625 million Ronin bridge exploit have already been transferred to the Bitcoin network.
  • The hacking group, which is believed to be the North Korea-sponsored Lazarus Group, used a number of crypto mixing services and privacy tools to hide their identities.


Tokens stolen in the $625 million Ronin bridge exploit are being converted into Bitcoin (BTC) through the use of sanctioned privacy mixers and tools, an on-chain investigator from SlowMist said via Twitter on 20 August.

Researcher BliteZero cited SlowMist’s “2022 Mid-Year Blockchain Security and AML Analysis Report”, which outlines the transaction pathways of the funds stolen in the Ronin bridge exploit back in March. He also noted that the hacker group connected to the exploit has already transferred all of the stolen funds to the Bitcoin network and used a variety of sanctioned privacy mixers to mask their identities.

Back on 23 March, a hacker group — now believed to be North Korea’s Lazarus Group — used “hacked private keys” to forge fake withdrawals from the Ronin bridge. This allowed the attackers to steal around 173,600 ETH and 25.5 million USDC — at the time worth $625 million — across two transactions.

According to BliteZero, the majority of the stolen tokens were slowly transferred to Tornado Cash between 4 April and 19 May to obfuscate their origin. Around 113,000 ETH were then converted into renBTC on the Uniswap and 1inch decentralized exchanges, and then transferred to the Bitcoin network through the use of Ren’s decentralized cross-chain bridge.

A portion of the stolen tokens, around 6,250 ETH, also found their way to centralized cryptocurrency exchanges such as Huobi and FTX, where they were traded for BTC and later transferred to Bitcoin privacy tool Blender, which in May became the first BTC mixer sanctioned by the U.S. government. BliteZero also noted that most Blender addresses sanctioned by the government were connected to the Ronin hack.

Hacking groups connected to North Korea have been responsible for a number of crypto-related cyber attacks. Back in July, the U.S. Department of Justice revealed it was able to seize around $500,000 in crypto and fiat from a “North Korean state-sponsored group” that used ransomware to attack U.S. medical facilities in Kansas and Colorado.
