Ronin Hackers Converted Some Stolen Ether to Bitcoin: SlowMist Researcher

A researcher at security firm SlowMist has stated that the attackers behind this year’s $625 million Ronin bridge exploit converted part of their stolen funds from ether (ETH) to bitcoin (BTC) and used sanctioned privacy mixers to mask their identities further.

The March exploit affected Ronin validator nodes for Sky Mavis, the publisher of the popular Axie Infinity game, and the Axie DAO, with attackers stealing some 173,600 ether and 25.5 million in USDC.

The attacker “used hacked private keys in order to forge fake withdrawals” from the Ronin bridge across two transactions, according to a blog posted at the time, as previously reported.

SlowMist’s “blitezero” said in a tweet that some 6,249 ether converted by the attacker through Tornado Cash was sent to crypto exchange Huobi, where it was exchanged for bitcoin, and 5,028 ether was sent to FTX on March 28.

Read more: Ronin Attack Shows Cross-Chain Crypto Is a ‘Bridge’ Too Far

Some 439 bitcoin, or US$20.5 million at current rates, held at Huobi were then sent to bitcoin privacy tool Blender. Blender is a privacy tool that masks user addresses to make transactions more private and became the first-ever bitcoin mixer to get sanctioned by the U.S. government in May.

Blitezero added that most Blender addresses sanctioned by the U.S. government were the same deposit addresses used by Ronin hackers.

The hack was ultimately linked to the infamous North Korean hacker group Lazarus.

Meanwhile, the researcher added that over 113,000 ether sent to Tornado Cash was additionally converted to renBTC, a token on the Ethereum network that represents bitcoin, through decentralized exchanges Uniswap and 1inch. The renBTC was later transferred from Ethereum to Bitcoin and redeemed for spot bitcoin.