The Ronin bridge was exploited for 173k ETH and 25.5M USDC, worth about $590M in cryptocurrencies. The hack took place on March 23, 2022, but it was only made public by the Ronin Network on March 29, 2022.
In this article, we will look into the movement of the stolen funds from the Ronin Bridge to the Hacker’s main addresses:
Main hacker address: 0x098b716b8aaf21512996dc57eb0615e2383e2f96 (https://www.breadcrumbs.app/reports/1266)
Axie Infinity Ronin Bridge address: 0x1a2a1c938ce3ec39b6d47113c7955baa9dd454f2 (https://www.breadcrumbs.app/reports/1267)
The hacker’s main address was active from the day of the attack, March 23, 2022, until March 30, 2022. In two transactions, it stole 173,600 ETH and 25,500,000 USDC from the Ronin Network contract, with the following transaction hashes:
A review of the Hacker’s first transactions showed that after the hack, it interacted with two addresses:
These two addresses were used to swap the stolen funds via Uniswap and 1inch. They swapped the stolen funds into USDC, USDT, DAI and WETH and converted them back to muddy the trail of funds. These two addresses sent the converted funds back to the main Hacker address.
The Hacker waited four days before moving the funds from its main wallet to shell wallets that served as pass-through addresses, from March 27 to March 29, 2022. It then moved the funds to addresses linked to centralized exchanges such as Huobi and FTX.
Since these addresses only became active during the hack, it can be assumed that they are controlled by the Hacker:
- 0x17a96cd2aff8bece22b54a83955fbab5c92a98ca – Huobi
- 0x6102f081de19eb53404b684b4e14667745a4c874 – Huobi
- 0xbc771fb7b6a8876d09fd2e3e2f17fbc91896d8c8 – Huobi
- 0x036587e77eabe6a7e181886a5a6ed10dc25654f9 – FTX
An address on the third hop, 0x82906886796d110b7ec4c54f6611fb29128699dd, moved the stolen funds to a known Crypto.com wallet: 0x6262998ced04146fa42253a5c0af90ca02dfd2a3
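To illustrate the hop analysis above, here is an added Python example (not code from the article or from Breadcrumbs) that walks a set of constructed transfers outward from the main Hacker address, reports at which hop funds reach the exchange-labelled deposit addresses named in the article, and flags wallets that forwarded exactly what they received (the shell-wallet pattern). The "0xshellN" wallets and the amounts are invented for the example.

```python
from collections import deque

# Constructed sample transfers, not real chain data. Exchange-labelled addresses
# are the ones named in the article; "0xshellN" wallets are placeholders.
HACKER = "0x098b716b8aaf21512996dc57eb0615e2383e2f96"
KNOWN_EXCHANGE_WALLETS = {
    "0x17a96cd2aff8bece22b54a83955fbab5c92a98ca": "Huobi",
    "0x6102f081de19eb53404b684b4e14667745a4c874": "Huobi",
    "0xbc771fb7b6a8876d09fd2e3e2f17fbc91896d8c8": "Huobi",
    "0x036587e77eabe6a7e181886a5a6ed10dc25654f9": "FTX",
    "0x6262998ced04146fa42253a5c0af90ca02dfd2a3": "Crypto.com",
}
THIRD_HOP = "0x82906886796d110b7ec4c54f6611fb29128699dd"
TRANSFERS = [  # (sender, receiver, amount in ETH), constructed
    (HACKER, "0xshell1", 1000.0),
    (HACKER, "0xshell2", 500.0),
    ("0xshell1", "0x17a96cd2aff8bece22b54a83955fbab5c92a98ca", 1000.0),
    ("0xshell2", "0xshell3", 500.0),
    ("0xshell3", THIRD_HOP, 500.0),
    (THIRD_HOP, "0x6262998ced04146fa42253a5c0af90ca02dfd2a3", 500.0),
]

def trace_outflows(transfers, origin, known):
    """BFS over outgoing transfers from `origin`; returns (hop, address, label)
    for each known exchange deposit address reached, in hop order."""
    out = {}
    for sender, receiver, _ in transfers:
        out.setdefault(sender, []).append(receiver)
    hits, seen, queue = [], {origin}, deque([(origin, 0)])
    while queue:
        addr, hop = queue.popleft()
        for nxt in out.get(addr, []):
            if nxt in seen:          # ignore loops back through visited wallets
                continue
            seen.add(nxt)
            if nxt in known:         # stop at the exchange: custodial from here
                hits.append((hop + 1, nxt, known[nxt]))
            else:
                queue.append((nxt, hop + 1))
    return hits

def pass_through_wallets(transfers, known):
    """Wallets that forwarded exactly what they received (the shell pattern),
    excluding exchange deposit addresses."""
    recv, sent = {}, {}
    for sender, receiver, amt in transfers:
        recv[receiver] = recv.get(receiver, 0.0) + amt
        sent[sender] = sent.get(sender, 0.0) + amt
    return sorted(a for a in recv if a not in known and sent.get(a) == recv[a])
```

On real data the transfer list would come from a chain indexer; the same walk then reproduces the "third hop to Crypto.com" observation and lists the pass-through wallets between the Hacker and the exchanges.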
Where are the stolen funds now?
Despite the reported movement of funds, most of the stolen crypto is still on-chain, sitting in the Hacker’s main address. https://monitor.breadcrumbs.app/dashboard/1452/transactions
Can the hacker be identified?
There is a possibility that the hacker can be identified, because it used centralized exchanges to withdraw the funds. Centralized exchanges have Know-Your-Customer policies and programs in place before onboarding a new user, and it is likely that the Hacker went through this process in order to open an account at a centralized exchange.
However, there is also the possibility that the hacker is aware of the thresholds set up by exchanges and kept below them so as not to trigger suspicious-activity alerts, or of the limits set for non-verified users of centralized exchanges.
This article is published on BitPinas: Tracking the Stolen Funds from Ronin Network Using Breadcrumbs