The hackers who stole $625 million in Ethereum ETH/USD and USD Coin USDC/USD from Axie Infinity’s Ronin bridge in March this year have converted the majority of their holdings into Bitcoin BTC/USD using renBTC and privacy tools like Blender, ChipMixer and TornadoCash, according to a report.
According to a report released by blockchain security firm SlowMist, a majority portion of the stolen funds was first converted into Ethereum and sent to the Ethereum crypto mixer Tornado Cash, now sanctioned by the U.S. Treasury, before being transferred to the Bitcoin network and converted into Bitcoin via the Ren protocol.
The 2022 mid-year Blockchain Security and AML Analysis Report by SlowMist outlines the pathway of the stolen funds since the hack on March 23.
Hackers suspected to be from North Korea
According to the report, the hackers, who are understood to be members of the North Korean cybercrime group Lazarus Group, only transferred a small portion of the funds — 6,249 Ethereum — to centralized exchanges on March 28.
5,028 Ethereum were transferred to Huobi and 1,219 Ethereum were transferred to FTX.
The 6,249 Ethereum seems to have been converted into Bitcoin from the CEXs.
Bitcoin sent to Bitcoin privacy tool Blender
Following that, the hackers sent 439 Bitcoin, or $20.5 million, to Blender, a Bitcoin privacy tool, which was also sanctioned by the U.S. Treasury on May 6.
“I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. They have deposited all their withdrawal funds to Blender after withdrawing from the exchanges,” the report states.
Between April 4 and May 19, the vast majority of the stolen money— 175,000 Ethereum — was gradually moved to Tornado Cash.
The hackers then converted about 113,000 Ethereum to renBTC (a wrapped form of Bitcoin) via the decentralized exchanges Uniswap and 1inch.
The hackers then utilized Ren’s decentralized cross-chain bridge to move the assets from Ethereum to the Bitcoin network and unwrap the renBTC into Bitcoin
Bitcoin distributed on CEXs
A total of 6,631 Bitcoin were then dispersed from there to a number of centralized exchanges and decentralized protocols.
The study also revealed that the Ronin hackers used the Bitcoin privacy tool ChipMixer to withdraw 2,871 Bitcoin out of the 3,460 Bitcoin, or $61.6 million as of Aug. 22.
