Ronin Threat Actors Used a Crypto Mixer to Transfer Stolen Funds

Colin Thierry

The threat actors behind the Ronin bridge attack in March used privacy tools to convert stolen Ethereum (ETH) funds to Bitcoin (BTC), before transferring them through sanctioned crypto mixer services.

The hackers used renBTC (an open, community-driven cross-chain transfer protocol), along with the Bitcoin mixing services Blender and ChipMixer to process a majority of the stolen funds from the $625 million hack.

The path of the stolen funds was analyzed by ₿liteZero, an investigator who has worked at blockchain security firm SlowMist since the March 23 Ronin incident.

The hackers first converted most of the stolen assets into ETH and then used now-sanctioned crypto mixer Tornado Cash to cover their tracks.

According to ₿liteZero’s report last week, the threat actors originally transferred a portion of the stolen funds (6,249 ETH) to centralized exchanges (CEX) five days after the attack. Afterwards, they converted the ETH to BTC before funneling around $20.5 million worth of crypto assets to the Bitcoin privacy tool Blender.

Most of the stolen funds (175,000 ETH) were then gradually injected into Tornado Cash between April 4 and May 19. The hackers used the decentralized exchange (DEX) platforms 1inch and Uniswap to exchange nearly 113,000 ETH into renBTC.

Next, the threat actors used renBTC’s cross-chain capabilities to transfer the stolen funds to the Bitcoin network and convert the tokens into BTC. Finally, they scattered around 6,631 BTC through a variety of DEX and CEX platforms and protocols.

₿liteZero said that the investigation into the Ronin hack is still ongoing. “I’m working on analyzing Ronin hackers, and the next work will be more complex,” he added.

The researchers believe that members of the infamous North Korean cybercrime gang Lazarus Group are the primary suspects behind the Ronin bridge attack. According to an announcement posted on Ronin’s official Twitter account, the FBI also “attributed North Korea based Lazarus Group to the Ronin Validator Security Breach.”

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.