The hackers responsible for the Axie Infinity Ronin attack transferred the stolen ETH assets to the Bitcoin network. The transfer was flagged by researcher and blockchain developer ₿liteZero, who reported the case on his Twitter account.
According to the developer, he started tracking the funds on the 20th, when the money was still on the ETH network. However, hackers started moving the funds to centralized exchanges and then to the Bitcoin network.
In addition, hackers also used a mixer called Blender to hide transactions. It is worth remembering that Tornado Cash received sanctions from the United States government, as reported by Cryptheory. As a result, hackers resorted to alternative solutions to hide their funds.
Hackers connected stolen funds to the Bitcoin network
The attack on Ronin took place in March and was the biggest cryptocurrency theft in history. The attackers stole $625 million worth of USDC and ETH. They then sent the funds to Tornado Cash, making it difficult for authorities to track the movement of the funds.
But Tornado Cash was not the final destination, as the hackers took more steps to obscure the transactions. After the attack, ₿liteZero said that he was tracking the funds and had noticed that the hackers transferred all the assets to BTC.
To do this, the hackers used a bridge between Ethereum and Bitcoin to transfer part of the funds. Another part of the money went through major exchanges such as FTX and Binance.
“I’ve been tracking the stolen funds at Ronin. I noticed that the hackers transferred all their funds to the Bitcoin network. Most of the funds were deposited into mixers (ChipMixer, Blender),” said the developer.
From Centralized Exchanges to BTC
As ₿liteZero explained, this was the sequence of events. Initially, hackers used Tornado Cash at a time when the service was not under US sanctions.
At that time, hackers moved around 6,250 ETH to centralized exchanges such as Binance, Huobi and FTX. Then the hackers withdrew the funds from the exchanges to another mixer, Blender.
It is worth noting that the US applied sanctions against Blender even before Tornado Cash. However, sanctions in this case only affected specific addresses. According to the Treasury Department, Blender helped Ronin hackers process more than $101 million of the stolen funds.
However, ₿liteZero claimed that the hackers used most of the sanctioned addresses in Blender.
Afterwards, the hackers shifted their focus to decentralized exchanges (DEX), especially 1inch and Uniswap. There, the attackers converted the rest of the funds into renBTC, a wrapped form of BTC on the Ethereum network, powered by the Ren Protocol.
Wrapped tokens allow the movement of value between blockchains. In the case of renBTC, the token allows the movement of BTC within the Ethereum network. This is how the hackers were able to move their funds.
Afterwards, the hackers sent most of the funds back to mixers such as ChipMixer and Blender. They transferred the funds to ChipMixer before withdrawing some to Blender.
In concluding the Twitter thread, ₿liteZero said that he is currently working on analyzing the hackers, although he believes it will be more complex.
“I am working on Ronin hack analysis, and the next work will be more complex. ‘Where is the money?’ It is a mystery to be investigated, and I look forward to further progress being made. Thanks for taking the time to read my thread, good luck!” he said.
The hackers' move is unusual, as the BTC network has a high degree of transparency that allows anyone to verify all transactions. In fact, several reports point out that BTC is responsible for only 0.15% of all criminal transactions, belying the thesis that cryptocurrencies are useful instruments for crime.