The hackers behind Ronin’s $625 million bridge attack in March have since transferred most of their funds from Ether (ETH) to Bitcoin (BTC) using the privacy tools renBTC, Bitcoin Blender, and ChipMixer.
The hackers’ activity was tracked by on-chain investigator ₿liteZero, who works at SlowMist and contributed to the company’s mid-year 2022 blockchain security report. They traced the transaction path of the stolen funds since the March 23 attack.
The majority of the stolen funds were originally converted into ETH and sent to the now-sanctioned Ethereum crypto mixer Tornado Cash before being transferred to the Bitcoin network and converted to BTC via the Ren protocol.
According to the report, the hackers, believed to be the North Korean cybercrime organization Lazarus Group, initially transferred only a portion of the funds, 6,249 ETH, to centralized exchanges (CEXs), including Huobi (5,028 ETH) and FTX (1,219 ETH), on March 28.
From the CEXs, the 6,249 ETH appears to have been converted into BTC. The hackers then transferred 439 BTC, or $20.5 million at the time of writing, to the Bitcoin privacy tool Blender, which was sanctioned by the US Treasury on May 6.
“I found the answer in the Blender penalty addresses. Most of the Blender penalty addresses are the Blender deposit addresses used by Ronin hackers. They deposited all their withdrawal funds into Blender after withdrawing from the exchanges.”
However, the vast majority of the stolen funds – 175,000 ETH – were gradually transferred to Tornado Cash between April 4 and May 19.
The hackers later used the decentralized exchanges Uniswap and 1inch to convert about 113,000 ETH into renBTC (a wrapped version of BTC), then used Ren’s decentralized bridge to move the assets from Ethereum to the Bitcoin network and unwrap the renBTC into BTC.
From there, approximately 6,631 BTC was distributed to a variety of centralized exchanges and decentralized protocols:
The platforms to which the hackers transferred BTC. Source: SlowMist.
The report also stated that Ronin hackers had withdrawn 2,871 BTC of 3,460 BTC, or $61.6 million as of August 22, via Bitcoin privacy tool ChipMixer.
BTC balance on exchanges after hackers withdrew funds. Source: SlowMist.
₿liteZero concluded the Twitter thread by saying that the Ronin hack remains a “mystery to be investigated” and that more progress needs to be made.