The dust of DeFi’s “Great Heist” has settled, reviewing the whole process of Ronin’s illicit money transfer

Today, the Ronin Network hacker transferred 12595.3 Ethereum to the new address (0x08723392ed15743cc38513c4925f5e6be5c17243) at 15:32:25 Beijing time. So far, almost all of the 173,600 ETH stolen from Ronin Network have been transferred out, and only about 1.8 ETH remained in the original attack wallet.

In the attack on Ronin Network that occurred at the end of March, the amount stolen from the protocol reached $610 million, surpassing the $600 million of Poly Network last year to become the largest hacking incident in DeFi history. The attackers have spent more than a month transferring and laundering the stolen funds. Let’s review the transfer of the stolen money and the progress of the “Great Heist”.

On March 29, Axie Infinity’s dedicated Ethereum sidechain Ronin Network said on Twitter that Sky Mavis’ Ronin validator node and Axie DAO validator node had been found earlier that day to have been attacked on March 23, with a total loss of 173,600 Ethereum and 25.5 million USDC.

On March 30, SlowMist posted that the funds for the hack came from Binance Coin, that the 25.5 million USDC had been traded for 6,250 Ethereum, and that 1,221 ETH had been transferred to FTX and Crypto.com.

Later that day, the hacker transferred 3,750 ETH to Huobi again.

On April 4, the hacker transferred 1000 ETH from the attack address (0x098B716B8Aaf21512996dC57EB0615e2383E2f96) to another address (0xbc25d57412a04956CDD95AF07825C5C1F34d29eb), and then transferred 200 ETH to Tornado Cash.

On April 5, the hacker transferred 1,526 Ethereum from the attack address to the new address (0xdf225c84a0eaeaaac20e6c1d369e94ee13b9df2a), and transferred them to Tornado Cash in batches.

On April 6, SlowMist posted that between March 31 17:49:06 UTC and April 6 6:05:58 UTC, the hacker transferred 1233.9811 Ethereum to Huobi again, and transferred a total of 4400 Ethereum to Tornado Cash.

On April 7, SlowMist posted that from 6:19:03 UTC on April 6 to 7:08:59 on April 7, the Ronin Network attacker transferred 2,800 Ethereum into Tornado Cash.

On April 8, hackers transferred 4,800 ETH to Tornado Cash through the intermediate address (0x5b0431365ce1ab3693bea6f33ae67653dd30d8bd).

On April 9, hackers transferred 3,002.985 and 3,102.6215 Ethereum to two addresses (0x1361c1e18930483F4Aaf91f3a263937e4Fcc1f39, 0xBCD78C2D608e7cEB3d25Bea30faE8a9D57033868) respectively, and both amounts were then transferred to Tornado Cash.

On April 10, the hacker transferred 3002 Ethereum to 0x1361c1e18930483F4Aaf91f3a263937e4Fcc1f39, and then transferred all of it to Tornado Cash.

On April 12, the hacker transferred 2941 Ethereum to the new address (0xb2369D20e7f0C46270b9F79ab26Fc62fadA356c7), and then transferred it to Tornado Cash. At present, there are still about 40 ETH left in this address.

On April 13, the hacker transferred 3,202 Ethereum to the new address (0x77532dd2eb6e8eaf416f39c65f48cd2369782828), and then transferred it to Tornado Cash.

On April 14, the hacker transferred 3302.6 Ethereum to the new address (0x1Bf53ce80FF2ed5711b8A2DB8f7EA5b38DA118d6), and then transferred it to Tornado Cash.

On April 15, the Wall Street Journal reported that the U.S. Treasury Department said the Lazarus Group, a criminal group linked to the North Korean government, was the owner of the cryptocurrency addresses in the attack on the Ronin Network. A Treasury spokesman said anyone transacting with a sanctioned wallet would be at risk of U.S. sanctions.

On the same day, PeckShield stated on Twitter that the hacker has transferred about 28,000 Ethereum from the attack address to Tornado Cash, accounting for 16% of the total. There are about 147,753 Ethereum remaining in the wallet.

Later in the day, the hackers again transferred 2,900 ETH to the new address (0xBc5639887283eaF1B8E966e0b2fa6998D2ec6404) and then to Tornado Cash.

On April 18, the hacker transferred 10129.9 Ethereum to the new address (0x3cffd56b47b7b41c56258d9c7731abadc360e073).

On April 19, the hacker transferred 18256.8 Ethereum to 0x1Bf53ce80FF2ed5711b8A2DB8f7EA5b38DA118d6.

On April 21, hackers transferred 21,629 Ethereum to 0x53b6936513e738f44fb50d2b9476730c0ab3bfc1.

On April 22, the hacker transferred 1528.2 Ethereum to the new address (0x8fa7b50fc8306ab3de028254df72bf08216742b6) through the intermediate address (0x3cffd56b47b7b41c56258d9c7731abadc360e073).

On April 24, the hacker transferred 33,568 Ethereum to the new address (0x35fb6f6db4fb05e6a4ce86f2c93691425626d4b1).

On April 26, PeckShield posted that, as of April 26, 65% of the stolen funds had been transferred out of the Ronin Network attacker wallet, of which 22% (about 39,700 Ethereum) had been laundered through Tornado Cash and about 41% had been transferred to 3 new wallets.

On April 27, the hacker transferred 18256.8 Ethereum to the new address (0x5967524CE3Bc2BC422e584e33bD50921A22e3c0a).

Later in the day, the hackers again transferred 25,127.5192 ETH to the new address (0xf7b31119c2682c88d88d455dbb9d5932c65cf1be).

On April 28, the Ethereum sidechain Ronin Network released a vulnerability report saying that the hackers penetrated the Sky Mavis IT infrastructure and gained access to the validator node by carrying out a phishing attack on Sky Mavis, discovered a backdoor through a gas-free RPC node, and obtained the signature of the Axie DAO validator node, thus controlling 5/9 of the validator nodes.

Ronin Network stated that the security measures now being taken by Sky Mavis include working with security companies to build defense systems, increasing the number of validator nodes, implementing stricter internal control procedures, conducting audits, establishing a trustless organization, launching bug bounties, and pursuing ISO 27001 and other security-related certifications. Additionally, the Ronin Network is expected to deploy the upgrade by the end of April and officially open in the first half of May, with all stolen funds covered by the recent Sky Mavis financing, Axie Infinity and Sky Mavis assets, and personal funds from the core team.

On April 29, the hacker transferred 5,000 Ethereum to the new address (0xDD6458eB5090832eB88BFfc7AdF39B0F3CdD6683), and then transferred it to Tornado Cash.

On May 3, the hacker transferred 23528.8 Ethereum to the new address (0x3e37627deaa754090fbfbb8bd226c1ce66d255e9) at 16:23:28 Beijing time.

On May 4, that is, today, the hacker completed the last transfer of 12,595.3 ETH, and almost all the stolen funds were transferred, leaving only about 1.8 ETH in the original attack wallet.
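The recurring pattern in this timeline (attack wallet, then a fresh intermediate address, then Tornado Cash) is what an investigator follows hop by hop. The sketch below is an added example, not from the original article: it walks a constructed transfer list modelled on the April 4, 8, 18 and 22 entries, using a simple "every downstream address is tainted" assumption and a placeholder label in place of the mixer's contract address.

```python
from collections import defaultdict, deque
from decimal import Decimal

ATTACK = "0x098B716B8Aaf21512996dC57EB0615e2383E2f96"
HOP_APR4 = "0xbc25d57412a04956CDD95AF07825C5C1F34d29eb"
HOP_APR8 = "0x5b0431365ce1ab3693bea6f33ae67653dd30d8bd"
HOP_APR18 = "0x3cffd56b47b7b41c56258d9c7731abadc360e073"
HOP_APR22 = "0x8fa7b50fc8306ab3de028254df72bf08216742b6"
MIXER = "label:tornado-cash"  # placeholder label, not a contract address

# Constructed (sender, receiver, ETH) rows modelled on the article's entries;
# real input would come from a node or a block explorer export.
TRANSFERS = [
    (ATTACK, HOP_APR4, "1000"),
    (HOP_APR4.lower(), MIXER, "200"),  # same address, different casing
    (ATTACK, HOP_APR8, "4800"),
    (HOP_APR8, MIXER, "4800"),
    (ATTACK, HOP_APR18, "10129.9"),
    (HOP_APR18, HOP_APR22, "1528.2"),
]

def trace(seed, transfers, sinks):
    """Breadth-first walk of outgoing transfers from seed, stopping at sinks.

    Returns (hop depth per address, ETH delivered per sink, ETH still parked
    at intermediate addresses). Keys are lowercased addresses."""
    norm = str.lower  # sources mix checksummed and lowercase address forms
    seed, sinks = norm(seed), {norm(s) for s in sinks}
    out_edges = defaultdict(list)
    for src, dst, eth in transfers:
        out_edges[norm(src)].append((norm(dst), Decimal(eth)))
    hops, queue = {seed: 0}, deque([seed])
    to_sink, balance = defaultdict(Decimal), defaultdict(Decimal)
    while queue:
        addr = queue.popleft()  # each address is expanded exactly once
        for dst, eth in out_edges[addr]:
            balance[addr] -= eth
            if dst in sinks:  # do not trace through the mixer
                to_sink[dst] += eth
                continue
            balance[dst] += eth
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    parked = {a: b for a, b in balance.items() if a != seed and b > 0}
    return hops, dict(to_sink), parked
```

Addresses that end up in `parked` are the ones still holding funds and worth monitoring; those with a zero balance have already forwarded everything they received.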

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/the-dust-of-defis-great-heist-has-settled-reviewing-the-whole-process-of-ronins-illicit-money-transfer/