Ronin Hackers Transferred Stolen Funds To Bitcoin Network Using Privacy Tools

Hackers who drained around $625 million from the Ronin Bridge attack in March have transferred funds from Ethereum to the Bitcoin network using privacy tools. In order to hide their identity, cybercriminals, who are believed to be part of the North Korean cybercrime group, Lazarus, used the Ren protocol, mixers, and several centralized exchanges to move funds from one blockchain to another.

₿liteZero, a blockchain investigator, developer, and major contributor to SlowMist’s mid-year Blockchain Security report, tracked those stolen funds. It outlined the funds’ movement after March 23 after the exploit and noted that stolen funds are now converted into Bitcoins anonymously.

Related Reading: Crypto Exchange FTX Revenue Reportedly Balloons 1,000% To Over $1 Billion In 2021

₿liteZero noted in a tweet;

I’ve been tracking the stolen funds on Ronin Bridge. I’ve noticed that Ronin hackers have transferred all of their funds to the bitcoin network. Most of the funds have been deposited to mixers(ChipMixer, Blender).

After getting access to the $625 worth of USDC and Ethereum, hackers moved funds to Tornado Cash in an effort to hide from authorities. Tornado is an Ethereum-based virtual currency tumbler that mixes crypto transactions and provides access with specific keys to individuals.

As it was not the end of the process to obscure the transactions, hackers used several crypto exchanges and a network bridge after withdrawing funds from Tornado cash. Investigator revealed in the Twitter thread that Ronin hackers circulated funds from Binance, Huobi, and FTX before sending the funds into the North Korean mixer, Blender.

U.S Treasury Accused Blender Of Assisting Hackers In May

Ethereum’s price is below $1,600, down by over 3%. | Source: ETHUSD price chart from

As per the ₿liteZero findings, just a portion of the stolen asset, or 6,249 ETHs, have appeared to be converted into Bitcoins, with Huobi receiving 5,028 ETHs and FTX 1,219 ETHs. Then, hackers sent 439 BTC (20.5 million) to the Bitcoin privacy tool Blender.

The analyst added;

I’ve found the answer in Blender sanction addresses. Most Blender sanction addresses are Blender’s deposit addresses used by Ronin hackers. After withdrawing from the exchanges, they have deposited all their withdrawal funds to Blender.

Interestingly, the ₿liteZero report comes after U.S. Treasury imposed sanctions on the mixer tool Blender on May 06, accusing the firm of assisting North Korean hackers in processing 20.5 million stolen funds. This figure of withdrawn amount from exchanges by cybercriminals is constant with the facts provided by ₿liteZero(20.72).

In addition, the hackers bridged the rest of the assets with the Bitcoin network using the renBTC protocol. The investigator explained hackers used Uniswap or 1inch to convert the funds into renBTC.

Since the Ren protocol came into existence, it opened the way for money laundering actors around the globe as it paved the way to convert an asset from Ethereum to a Bitcoin network. 

Then again, after converting and passing funds from several platforms, they used a mixer like ChipMex or Blenders. Funds are relocated to ChipMixer before withdrawing some amount from Blender.

Related Reading: Bitcoin Scam Called ‘Pig Butchering’ Grows Alarmingly Popular

The ₿liteZero ended up noting that more complex things may come out as the research team is currently analyzing the hackers.

Featured image from Pixabay and chart from