On 20 September 2022, crypto market maker Wintermute was hacked for circa $160 million. According to a tweet from Wintermute’s founder and CEO Evgeny Gaevoy, the loss was confined to its decentralized finance (DeFi) operations; its centralized exchange and over-the-counter offerings were unaffected.
Our previous analysis showed that the exploiter moved the stolen crypto assets from the Horizon bridge to an address under his control in 9 transactions. He then swapped assets such as WETH, SUSHI, AAVE and DAI into ETH through multiple smart contract calls, broke more than 18,000 of the swapped ETH into smaller amounts spread across multiple wallets, and began moving funds into Tornado Cash.
Figure 1: Funds transferred to Tornado Cash by the Hacker
Depositing Stolen Funds into Tornado Cash
According to our analysis, the stolen funds were routed to Tornado Cash’s 100 ETH (T100) contract. We reached this conclusion by examining the spike in daily deposit and withdrawal volumes in the T100 contract between June 27 and July 2, 2022.
Figure 2: Spike in the daily deposit and withdrawal volume in the T100 contract
Based on the regular time lag between consecutive deposits, it is highly probable that the exploiter used automated scripting to deposit the funds.
Figure 3: Time lag of approximately 300-540 seconds between consecutive transactions
Receiving Mixed Funds from Tornado Cash
Using our custom heuristics, the Merkle Science team identified 148 addresses (withdrawal addresses) that the attacker used to receive the mixed stolen funds. These 148 suspected addresses received over 84,000 ETH from the T100 contract. After evaluating the group, we identified 7 addresses with outgoing transactions.
From those 7 addresses we observed chain-hopping between Ethereum and other blockchains:
- Bitcoin ⇌ Ethereum
- Binance Smart Chain ⇌ Ethereum
- Polygon ⇌ Ethereum
The stolen funds were converted into stablecoins, and the chain-hopping was done through bridges such as RenVM and Multichain contracts. To obscure the trail, the exploiter generated a large number of transactions so that the ultimate endpoint would be lost in the volume of data, attempting to throw off tracking by traditional blockchain analytics companies and law enforcement.
However, we were able to identify several overlapping points on-chain in the process of swapping funds among the different blockchains: the repeated use of the same technique and the same addresses to swap funds on the aforementioned chains.
Once bridged back to Ethereum, the stolen funds were subsequently dispersed into crypto exchanges.
Analyzing transaction time metrics to identify timezone of the hacker
If a user has made enough transactions on the blockchain, analyzing transaction time metrics can sometimes reveal the timezone the user operates in. In this case, the 850 transactions were grouped by hour of the day (0-23) and the counts per bucket were examined. According to our analysis, the exploiter is most likely located in:
- an Asian timezone
- narrowed further to the GMT+6 to GMT+12 range with high confidence
Figure 4: Hour-of-day analysis of withdrawal transactions
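The two timing heuristics used above (regular inter-deposit gaps as a sign of scripting, and hour-of-day bucketing as a proxy for the operator's timezone) can be reproduced from nothing more than a list of block timestamps. The block below is an added example written for this page, not Merkle Science's own heuristics or code. All timestamps in it are constructed: a scripted-looking deposit series with gaps cycling through 300-540 seconds, an irregular series for contrast, and a set of withdrawals whose activity falls in the local daytime of a GMT+8 operator. The 300-540 s band, the 8-hour "sleep" window and the assumption that the quietest window starts at local midnight are all assumptions of the example, not values from the analysis.

```python
"""Transaction-timing heuristics: inter-deposit regularity and hour-of-day profiling.

Added example for this page (not Merkle Science code). All timestamps below are
constructed; the band and sleep-window parameters are assumptions.
"""
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def interarrival_gaps(timestamps):
    """Seconds between consecutive timestamps, after sorting ascending."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def looks_scripted(timestamps, lo=300, hi=540, min_fraction=0.9):
    """Heuristic: if most gaps sit inside a narrow band, submission was likely automated.

    Returns (verdict, stats). `cv` is the coefficient of variation of the gaps:
    0 means perfectly periodic, large values mean irregular, human-like timing.
    """
    gaps = interarrival_gaps(timestamps)
    if len(gaps) < 5:                      # too few samples to say anything
        return False, {"gaps": len(gaps)}
    in_band = sum(lo <= g <= hi for g in gaps) / len(gaps)
    cv = pstdev(gaps) / mean(gaps)
    stats = {"gaps": len(gaps), "in_band": in_band, "cv": round(cv, 3)}
    return in_band >= min_fraction, stats


def hour_of_day_counts(timestamps, utc_offset_hours=0):
    """Bucket unix timestamps into 24 hourly bins after shifting into the given UTC offset."""
    counts = [0] * 24
    shift = timedelta(hours=utc_offset_hours)
    for t in timestamps:
        local = datetime.fromtimestamp(t, tz=timezone.utc) + shift
        counts[local.hour] += 1
    return counts


def quietest_window(counts, width=8):
    """Start hour (0-23) of the least active contiguous window, wrapping past midnight."""
    best_start, best_total = 0, None
    for start in range(24):
        total = sum(counts[(start + i) % 24] for i in range(width))
        if best_total is None or total < best_total:
            best_start, best_total = start, total
    return best_start


def estimate_utc_offset(timestamps, sleep_starts_local=0, width=8):
    """Assume the quietest `width` hours are the operator's sleep, beginning at
    `sleep_starts_local` local time, and solve local = utc + offset for the offset.
    Result is normalised to the range -11..12."""
    quiet_start_utc = quietest_window(hour_of_day_counts(timestamps), width)
    offset = (sleep_starts_local - quiet_start_utc) % 24
    return offset - 24 if offset > 12 else offset


# ---- constructed sample data (not real on-chain activity) -------------------
def _chain(start, gaps):
    """Timestamps beginning at `start` and separated by the given gaps (seconds)."""
    ts = [int(start.timestamp())]
    for g in gaps:
        ts.append(ts[-1] + g)
    return ts


BASE = datetime(2022, 6, 27, tzinfo=timezone.utc)
# Deposits every 300-540 s, as a mixer-deposit script would produce.
SCRIPTED_DEPOSITS = _chain(BASE, [300, 420, 540, 360, 480] * 4)
# Irregular gaps: seconds to hours apart, as a human clicking through a wallet UI might.
MANUAL_DEPOSITS = _chain(BASE, [45, 3600, 120, 9000, 600, 30, 7200])
# Six days of withdrawals confined to 01:00-15:59 UTC, i.e. 09:00-23:59 at GMT+8.
WITHDRAWALS = [
    int((BASE + timedelta(days=d, hours=h, minutes=7 * k)).timestamp())
    for d in range(6) for h in range(1, 16) for k in range(1 + h % 3)
]

if __name__ == "__main__":
    print("scripted:", looks_scripted(SCRIPTED_DEPOSITS))
    print("manual:  ", looks_scripted(MANUAL_DEPOSITS))
    print("UTC histogram:", hour_of_day_counts(WITHDRAWALS))
    print("estimated offset: GMT%+d" % estimate_utc_offset(WITHDRAWALS))
```

The offset estimate is only as good as its sleep-window assumption: an operator who schedules withdrawals with a script, or who simply keeps unusual hours, shifts the quiet window and therefore the inferred offset by the same amount. That is why a result like the one above is reported as a range (here GMT+6 to GMT+12) rather than a single zone, and why it should be corroborated against other signals before being acted on.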
What is the Horizon cross-chain bridge?
A cross-chain bridge connects two independent blockchains and enables the transfer of information, cryptocurrency and NFTs from one network to another. The Horizon bridge facilitates token transfers from Ethereum (ETH), Binance Smart Chain (BSC) and Bitcoin (BTC) to the Harmony network: users can send ETH, ERC-20 and ERC-721 tokens, BNB and BEP-20 assets, and Bitcoin to Harmony. In a tweet, Harmony confirmed that the crypto assets were stolen from the Ethereum side of the bridge and that the trustless BTC bridge remains unaffected; based on our analysis, both the ETH and BSC sides were exploited.
On April 17, 2022, Beanstalk Farms, a decentralized credit-focused stablecoin protocol built on Ethereum, suffered an exploit. The attackers abused Beanstalk’s governance protocol to extract $182 million in collateral, around $80 million of which went to the hacker as profit. Beanstalk lets participants earn rewards such as Stalk and Seeds by contributing to a central funding pool called the Silo. Participants receive four Seeds for every Bean stablecoin deposited in the Silo, which in turn earns them 0.004 Stalk every hour. Stalk is an ERC-20 token that bestows governance rights over the protocol on its holders, giving them voting power. Unlike Stalk, Seeds are not liquid and carry no voting rights.
On April 14, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) tied the North Korea-based hacking group Lazarus to the Ronin Network exploit, adding an Ethereum wallet address (0x098B716B8Aaf21512996dC57EB0615e2383E2f96) associated with Lazarus to its sanctions list. The sanctioned address holds funds stolen in the Ronin security breach; at the time of publication it held 138,433.136 ETH, worth close to $402 million. The Ronin Bridge was exploited for 173,600 ETH and 25.5 million USDC, worth around $568 million at the time of the transaction.
The North Korean state-sponsored Lazarus group has been associated with several major cyberattacks over the years, including the 2014 hack of Sony Pictures and the 2017 WannaCry ransomware attacks. OFAC first imposed sanctions on Lazarus and two of its sub-groups, Bluenoroff and Andariel, in September 2019. In that announcement, the U.S. Department of the Treasury stated that Lazarus and its sub-groups are controlled by North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB).
In its official update, the Ronin Network confirmed that the FBI has linked Lazarus to its validator security breach. The Ronin Network also stated that it is “still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk.” The bridge is expected to be redeployed by the end of April.
Around $568 million worth of crypto was stolen from the Ronin Network, the blockchain underlying the popular crypto game Axie Infinity. The amount lost is calculated at the ETH/USD rate on the date of the transaction, March 23, 2022. On March 29, 2022, Sky Mavis, the creator of both Ronin and Axie Infinity, reported that the Ronin bridge had been exploited for 173,600 ether (ETH) and 25.5 million USDC.
On February 2, 2022, the Wormhole Token Bridge, suffered an exploit, which resulted in the loss of 120,000 Wrapped Ether (wETH) tokens worth over $320 million at the time. Wormhole is a popular cross-chain bridge that links Ethereum and Solana blockchain.
This is the largest crypto exploit of 2022 so far and the second-largest decentralized finance (DeFi) attack to date. The attack happened amid a rapid increase in hacking incidents suffered by DeFi platforms. According to a report by CertiK, a leading blockchain security firm, the amount of money lost in hacks of DeFi projects more than doubled to $1.3 billion in 2021.
Of late, attacks on bridge platforms have been on the rise. The news of the Wormhole exploit comes shortly after the Qubit Finance attack, in which the attacker took advantage of a logic error in Qubit’s smart contract to submit malicious data and steal $80 million worth of cryptocurrency. Bridges between chains are often more susceptible to exploits as they require more interactions and contract approvals than the other
On January 27, 2022, an attacker stole $80 million from the decentralized lending and borrowing platform Qubit Finance. Exploiting Qubit Finance’s QBridge protocol, the attacker drained 206,809 Binance coins (BNB) from the platform. QBridge is an Ethereum-Binance Smart Chain bridge that facilitates the swapping of tokens from Ethereum (ETH) to the Binance Smart Chain (BSC) blockchain. The protocol is implemented as a set of smart contracts built on top of BSC.
Pegged to be the next frontier of fintech innovation, decentralized finance (DeFi) has grown exponentially over the past year. In 2020, less than $20 billion worth of value was locked in various DeFi products. In 2021, the total value locked in DeFi was $250.55 billion, suggesting a growth rate of more than 1,000% in just a single year.
On December 4, 2021, crypto exchange BitMart suffered an attack on its Ethereum and Binance Smart Chain hot wallets, resulting in a loss of nearly $200 million USD. Founder and CEO Sheldon Xia confirmed the incident, writing on Twitter: "We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets.”
On October 27, 2021, the C.R.E.A.M. Finance lending markets were exploited. The attacker stole over $136 million worth of crypto assets from the C.R.E.A.M. v1 lending markets. The majority of the stolen assets are reportedly ERC-20 tokens and C.R.E.A.M. Liquidity Protocol tokens.