15% of deposits at Tornado Cash are from Axie Infinity’s Ronin hack

THE hacker attack to Ronin Network, from the play-to-earn game Axie Infinity, was one of the biggest in the history of the crypto market. In all, the attackers managed to drain more than $620 million worth of USDC and ETH.

The hacker then managed to move a good part of those funds into the Tornado Cash privacy tool. Now one month after the attack, on-chain data shows that 15% of deposits at Tornado Cash are from the attacker Ronin.

The information was revealed by Alex Svanevik, CEO of blockchain analytics platform Nansen. He posted on his Twitter account.

“15% of Tornado deposits are from explorer Ronin.”

Axie Infinity’s Ronin Attack

As reported, the protocol that bridges the gap between ETH and Axie Infinity was explored in the last week of March.

Most of the tokens were unaffected, but the hacker managed to steal 173,000 Ether (ETH) and 25.5 million in USD Coin (USDC) stablecoin. Five days after the attack, thousands of ETH were moved for Tornado Cash, the main mixer used in the market.

As per data from Etherscan Block Explorer, hackers performed dozens of Ether transactions ranging from 0.00001 ETH to 1,000 ETH. All of them were sent from the hacker’s address to Tornado Cash, a service that mixes cryptocurrency transactions.

The tool provides private and anonymous transactions for ETH and ERC-20 tokens, breaking the association between source and destination addresses on the blockchain. This makes it more difficult to trace the origin of the transferred funds.

Using mixers like Tornado Cash is not necessarily a crime. However, the tool has been used by criminals to hide stolen funds, in a kind of modern money laundering. Therefore, these tools are increasingly in the authorities’ sights.

Nansen’s CEO “seized on” the debate on the matter and took a poll on Twitter, asking community members:

“Sensitive topic but curious about how people think: what % of funds would have to be from known exploits/hacks/scams for you to stop using Tornado?”

The final result of the poll shows that the answer with the most votes (63.2%) was:

“Any % is ok; never stop”.

Sensitive topic but curious on how people think:

What % of funds would have to be from known exploits/hacks/scams for you to stop using Tornado?

— Alex Svanevik 🐧 (@ASvanevik) April 30, 2022

Group behind the attack

While only $5.8 million of the stolen funds were recovered by Binance, those responsible for the hack are already known.

A few days after the attack, the US Federal Bureau of Investigation (FBI) revealed that the “Lazarus Group”, associated with the Democratic People’s Republic of Korea (DPRK), was behind the attack.

The information was confirmed later by Sky Mavis, the company behind Axie Infinity and Ronin Network.

The Lazarus Group has been sanctioned by the US Department of the Treasury. Furthermore, the Tornado Cash mixer has banned the state-sponsored North Korean hacking group from using its mixing service.