Ronin Hackers Used Sanctioned Crypto Mixers to Transfer Stolen Funds

Threat actors behind the massive Ronin bridge hack in March used privacy tools to convert stolen Ethereum (ETH) funds to Bitcoin (BTC), then transferred them through sanctioned mixer services.

The perpetrators processed most of the stolen assets from the $625 million hack using renBTC, an open, community-driven cross-chain transfer protocol, and Bitcoin mixing services Blender and ChipMixer.

The itinerary of the stolen funds has been analyzed by ₿liteZero, an investigator who works at blockchain security firm SlowMist, since the March 23 incident.

Hackers initially converted most of the stolen assets into ETH and used now-sanctioned crypto mixer Tornado Cash to cover their traces. They then bridged the funds to the Bitcoin network and used RenBTC to convert them into BTC.

As ₿liteZero’s report shows, the threat actors originally transferred a chunk of the funds (6,249 ETH) to centralized exchanges (CEX) five days after the attack. They then converted the tokens to BTC before sending almost $20.5 million worth of crypto assets to Bitcoin privacy tool Blender.

The bulk of the funds, 175,000 ETH, was gradually injected into Tornado Cash between April 4 and May 19. Hackers then used decentralized exchange (DEX) platforms 1inch and Uniswap to exchange nearly 113,000 ETH into renBTC.

Afterward, threat actors used renBTC’s cross-chain capabilities to bridge the stolen funds to the Bitcoin network and unwrap the tokens into BTC. Last but not least, the attackers scattered roughly 6,631 BTC through various DEX and CEX platforms and protocols.

Currently, the Ronin hack is still under scrutiny, as the on-chain investigator mentioned in the report.

I'm working on analyzing Ronin hackers, and the next work will be more complex.

'Where's the money?'

It is a mystery to be investigated, and I look forward to more progress being made.

Thanks for taking the time to read my thread, good luck!

Researchers believe that infamous North Korean cybercrime gang Lazarus Group members are the prime suspects behind the Ronin bridge hack. According to an announcement from Ronin’s official Twitter account, the FBI also “attributed North Korea based Lazarus Group to the Ronin Validator Security Breach.”