DeFi's "Once-in-a-Lifetime Heist" Has Come to an End: A Full Review of How the Stolen Ronin Funds Were Moved

iambabywhale.eth
2022-05-05 11:27:28
The hacker's stealing, transferring and laundering of the funds lasted more than a month, and the original attack address now has over 400 transactions.

Written by: iambabywhale.eth

Compiled by: ForesightNews

Today at 15:32:25 Beijing time, the Ronin Network hacker transferred 12,595.3 ETH to a new address (0x08723392ed15743cc38513c4925f5e6be5c17243). With that, almost all of the 173,600 ETH stolen from Ronin Network has been moved out, leaving roughly 1.8 ETH in the original attack wallet.

In the attack on Ronin Network at the end of March, $610 million was stolen, surpassing last year's $600 million Poly Network incident and making it the largest hack in DeFi history. The attacker has spent more than a month transferring and laundering the stolen funds. Below is a review of how the loot from this "unprecedented heist" was moved, and of how the incident has progressed.

On March 29, Ronin Network, the Ethereum sidechain built for Axie Infinity, announced on Twitter that earlier that day it had discovered that Sky Mavis's Ronin validator nodes and the Axie DAO validator nodes had been compromised on March 23, resulting in the loss of 173,600 ETH and 25.5 million USDC.

On March 30, SlowMist published findings that the funds used in this attack came from Binance withdrawals, that the 25.5 million USDC had been swapped for 6,250 ETH, and that this ETH was then split across multiple transfers, with 1,221 ETH sent to FTX and Crypto.com.

Later that evening, the hacker transferred a further 3,750 ETH to Huobi.

On April 4, the hacker transferred 1,000 ETH from the attack address (0x098B716B8Aaf21512996dC57EB0615e2383E2f96) to another address (0xbc25d57412a04956CDD95AF07825C5C1F34d29eb), which then sent 200 ETH to Tornado Cash.

On April 5, the hacker transferred 1,526 ETH from the attack address to a new address (0xdf225c84a0eaeaaac20e6c1d369e94ee13b9df2a), which then made batch transfers to Tornado Cash.

On April 6, SlowMist reported that between 17:49:06 UTC on March 31 and 06:05:58 UTC on April 6, the hacker had transferred 1,233.9811 ETH to Huobi and a total of 4,400 ETH to Tornado Cash.

On April 7, SlowMist reported that between 06:19:03 UTC on April 6 and 07:08:59 UTC on April 7, the Ronin Network attacker had transferred 2,800 ETH to Tornado Cash.

On April 8, the hacker transferred 4,800 ETH to Tornado Cash via an intermediary address (0x5b0431365ce1ab3693bea6f33ae67653dd30d8bd).

On April 9, the hacker transferred 3,002.985 ETH and 3,102.6215 ETH to two addresses (0x1361c1e18930483F4Aaf91f3a263937e4Fcc1f39 and 0xBCD78C2D608e7cEB3d25Bea30faE8a9D57033868), both of which then forwarded the funds to Tornado Cash.

On April 10, the hacker transferred 3,002 ETH to 0x1361c1e18930483F4Aaf91f3a263937e4Fcc1f39, all of which was then sent to Tornado Cash.

On April 12, the hacker transferred 2,941 ETH to a new address (0xb2369D20e7f0C46270b9F79ab26Fc62fadA356c7), which then forwarded the funds to Tornado Cash. This address currently holds roughly 40 ETH.

On April 13, the hacker transferred 3,202 ETH to a new address (0x77532dd2eb6e8eaf416f39c65f48cd2369782828), which then forwarded the funds to Tornado Cash.

On April 14, the hacker transferred 3,302.6 ETH to a new address (0x1Bf53ce80FF2ed5711b8A2DB8f7EA5b38DA118d6), which then forwarded the funds to Tornado Cash.

On April 15, The Wall Street Journal reported that the U.S. Treasury had stated that the Lazarus Group, a criminal organization linked to the North Korean government, owns the cryptocurrency addresses involved in the Ronin Network attack. A Treasury spokesperson said that anyone transacting with the sanctioned wallets risks U.S. sanctions.

The same day, PeckShield said on Twitter that the hacker had moved roughly 28,000 ETH from the attack address to Tornado Cash, about 16% of the total, with roughly 147,753 ETH remaining in the wallet.

Later that day, the hacker transferred another 2,900 ETH to a new address (0xBc5639887283eaF1B8E966e0b2fa6998D2ec6404), which then forwarded the funds to Tornado Cash.

On April 18, the hacker transferred 10,129.9 ETH to a new address (0x3cffd56b47b7b41c56258d9c7731abadc360e073).

On April 19, the hacker transferred 18,256.8 ETH to 0x1Bf53ce80FF2ed5711b8A2DB8f7EA5b38DA118d6.

On April 21, the hacker transferred 21,629 ETH to 0x53b6936513e738f44fb50d2b9476730c0ab3bfc1.

On April 22, the hacker transferred 1,528.2 ETH to a new address (0x8fa7b50fc8306ab3de028254df72bf08216742b6) via the intermediary address (0x3cffd56b47b7b41c56258d9c7731abadc360e073).

On April 24, the hacker transferred 33,568 ETH to a new address (0x35fb6f6db4fb05e6a4ce86f2c93691425626d4b1).

On April 26, PeckShield reported that the Ronin Network attacker's wallet had by then transferred out 65% of the stolen funds: 22% (roughly 39,700 ETH) had been laundered through Tornado Cash and about 41% had been moved to three new wallets.

On April 27, the hacker transferred 18,256.8 ETH to a new address (0x5967524CE3Bc2BC422e584e33bD50921A22e3c0a).

Later that evening, the hacker transferred 25,127.5192 ETH to another new address (0xf7b31119c2682c88d88d455dbb9d5932c65cf1be).

On April 28, Ronin Network published its post-mortem of the vulnerability. The hacker gained access to Sky Mavis's IT infrastructure through a phishing attack against Sky Mavis and from there obtained access to its validator nodes. The hacker also found a backdoor through the gas-free RPC node and used it to obtain the signatures of the Axie DAO validator nodes, thereby controlling 5 of the 9 validator nodes.

Ronin Network said the security measures Sky Mavis is now taking include working with security firms to build a defense system, increasing the number of validator nodes, implementing stricter internal control procedures, conducting audits, building a trustless organization, launching a bug bounty, and obtaining ISO 27001 and other security certifications. Ronin Network also expects to deploy the upgrade by the end of April and to reopen officially in late May, with all stolen funds covered by recent financing from Sky Mavis and Axie Infinity together with the core team's personal funds.

On April 29, the hacker transferred 5,000 ETH to a new address (0xDD6458eB5090832eB88BFfc7AdF39B0F3CdD6683), which then forwarded the funds to Tornado Cash.

On May 3, at 16:23:28 Beijing time, the hacker transferred 23,528.8 ETH to a new address (0x3e37627deaa754090fbfbb8bd226c1ce66d255e9).

On May 4 (today), the hacker completed the final transfer of 12,595.3 ETH. Almost all of the stolen funds have now been moved out, leaving roughly 1.8 ETH in the original attack wallet.
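The timeline above is, in effect, a manual multi-hop trace from the attack address through fresh intermediary wallets to tagged destinations. As an added illustration (not from the original article, nor SlowMist's or PeckShield's tooling), the Python below automates that trace over a constructed ledger built from a few of the hops reported above; the two sink addresses and the ledger itself are constructed placeholders, since the real Tornado Cash and exchange deposit addresses are not given on this page.

```python
from collections import defaultdict

# Added example, not from the original article. Addresses are compared in
# lowercase because explorers and reports mix checksum-cased and lowercase hex.
ATTACKER = "0x098B716B8Aaf21512996dC57EB0615e2383E2f96"

# Analyst tag list; both sink addresses are constructed placeholders standing
# in for the real Tornado Cash and Huobi deposit addresses.
LABELS = {
    "0xtornado_placeholder": "Tornado Cash",
    "0xhuobi_placeholder": "Huobi",
}

# Constructed ledger of (sender, receiver, ETH) in time order, modelled on the
# April 4 hop, the April 8 hop and the March 30 Huobi deposit reported above.
LEDGER = [
    (ATTACKER, "0xbc25d57412a04956CDD95AF07825C5C1F34d29eb", 1000.0),
    ("0xbc25d57412a04956CDD95AF07825C5C1F34d29eb", "0xtornado_placeholder", 200.0),
    (ATTACKER, "0x5b0431365ce1ab3693bea6f33ae67653dd30d8bd", 4800.0),
    ("0x5b0431365ce1ab3693bea6f33ae67653dd30d8bd", "0xtornado_placeholder", 4800.0),
    (ATTACKER, "0xhuobi_placeholder", 3750.0),
]

def trace_outflows(ledger, origin, labels):
    """Follow funds leaving `origin` through untagged intermediary wallets.
    Poison taint model: a wallet that receives from a tainted wallet counts as
    fully tainted, which is exact for the fresh single-purpose intermediaries the
    article describes. Returns (ETH per label, ETH parked per intermediary)."""
    origin = origin.lower()
    labels = {addr.lower(): name for addr, name in labels.items()}
    tainted = {origin}
    by_label = defaultdict(float)
    parked = defaultdict(float)
    for sender, receiver, amount in ledger:
        sender, receiver = sender.lower(), receiver.lower()
        if sender not in tainted:
            continue  # unrelated traffic
        if sender != origin:
            parked[sender] -= amount  # funds leaving an intermediary
        if receiver in labels:
            by_label[labels[receiver]] += amount
        else:
            tainted.add(receiver)
            parked[receiver] += amount
    return dict(by_label), {a: v for a, v in parked.items() if v > 1e-9}

def share_of_total(amount_eth, total_eth=173_600.0):
    """Percentage of the stolen total (173,600 ETH per the article)."""
    return round(100.0 * amount_eth / total_eth, 2)
```

Reused wallets would need a proportional taint model instead; the poison model is only exact because every intermediary here is a fresh address.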
