What did the Ronin hacker do after the March attack?

Immediately after the particularly egregious Ronin hack in March, the attacker is said to have spread the stolen assets under a highly sophisticated scheme. 

Immediately after the most severe March incident in crypto industry history, on-chain investigator “₿liteZero” who works for SlowMist and contributed to the Mid-2022 Blockchain Security report by company, tracked the hackers' moves. ₿liteZero reported that criminals had plotted a rather sophisticated escape route for the then $622 million worth of loot. 


Even after withdrawing money from the Ronin bridge, hackers have continued to look to Bitcoin security tools as an anonymous means of "jamming" data. 

According to reports, the hacker accused by the US is the North Korean Lazarus Group cybercrime organization, initially transferring only part of the funds (6,249 ETH) to centralized exchanges (CEX) including Huobi ( 5,028 ETH) and FTX (1,219 ETH) on March 28.

From CEX exchanges, 6,249 ETH seems to have been converted into BTC. The hackers then transferred 439 BTC ($20.5 million) to Bitcoin Blender, which was also sanctioned by the US Treasury Department on June 5. The analyst wrote:

“I found the answer in Blender's penalized addresses. Most of these addresses are deposit addresses used by the Ronin hacker. They sent all the extracted funds to Blender after withdrawing from the exchanges.”

However, most of the money was extracted, 175,000 ETH was gradually transferred to Tornado Cash –  the platform was "locked" by the US on August 8 and is still complicated, from April 4 to May 19. It wasn't until April 15, that Tornado Cash put the hacker Ronin's wallet address on a "blacklist" to prevent this address from laundering money, but only blocked the hacker's original wallet. 
The hackers then used Uniswap and 1inch decentralized exchanges (DEX) to transfer 113,000 ETH to renBTC and used Ren's cross-chain bridge to bridge the asset from Ethereum to the Bitcoin network. and unwrap renBTC to BTC.

Since then, about 6,631 BTC has been distributed to various centralized exchanges and decentralized protocols as shown in the following table:

The report also reflects that the hacker Ronin withdrew 2,871 BTC (out of 3,460 BTC) ($61.6 million as of Aug. 22) via Bitcoin ChipMixer.


Concluding the post, ₿liteZero said that the Ronin hack is still a "mystery to be investigated" and needs to be pushed faster. 

On the project side, as updated by Crypto Fox News, Ronin is still in the recovery phase. Immediately after the security incident, the project immediately raised 150 million USD to fulfill its commitment to compensate 100% of users' losses; program Bug Bounty to detect bugs with a prize of up to 1 million USD; Announce the reform plan; Conduct an audit before reopening the bridge; Apply new governance mechanism; Set a maximum withdrawal limit per day and most recently announced an increase in the number of transaction validation nodes to enhance network security last week.

Crypto Fox News summary


Aug 22, 2022

3 0