[Update 2022.07.10]
Our previous analysis showed that the exploiter had transferred the stolen crypto assets from the Horizon bridge to an address controlled by him via 9 transactions. Following that, the exploiter started swapping crypto assets such as WETH, SUSHI, AAVE, DAI, etc. into ETH via multiple smart contract calls. The exploiter then broke down 18k+ of the swapped ETH into smaller amounts and dispersed it into multiple wallets. Subsequently, he started moving funds into Tornado Cash.
As of July 10, 2022, the exploiter has moved roughly 85,700 ETH to Tornado. Cash: Router from 14 different addresses which were linked to the Harmony Bridge Exploit
Figure 1: Funds transferred to Tornado Cash by the Hacker
Depositing Stolen Funds into Tornado Cash
According to our analysis, the stolen funds were routed to Tornado Cash’s 100 ETH (T100) contract. We came to this conclusion by examining the spike in daily Deposit and Withdrawal volumes in the T100 contract between June 27 to July 2, 2022.
Figure 2: Spike in the Daily Deposit and Withdrawl volume in T100 contract
Based on the time lag between each subsequent deposit, it is highly probable that the exploiter used automated scripting to deposit funds.
Figure 3 - Time lag (approx 300-540) seconds between subsequent transactions
Receiving Mixed Funds from Tornado Cash
Using our custom heuristics, the Merkle Science team identified 148 addresses (withdrawal addresses) that the attacker used to receive the mixed stolen funds. Over 84,000 ETH was received by these 148 suspected addresses from the T100 contract addresses. Subsequently, after evaluating the group of 148 addresses, we were able to identify 7 addresses that have had outgoing transactions.
Of those 7 addresses with outgoing transactions, we have seen chain-hopping from Ethereum blockchain to:
- Bitcoin ⇌ Ethereum
- Binance Smart Chain ⇌ Ethereum
- Polygon ⇌ Ethereum
The stolen funds were converted into stablecoins and the chain-hopping was done using bridges such as RenVM and Multichain contracts. To hide the trail of funds, the exploiter tried to create many blockchain transactions, which would in turn ensure that the ultimate endpoint is lost in the data — in this process he attempted to throw off any sort of tracking by traditional blockchain analytics companies and law enforcement.
However, we were able to identify several overlapping points on the blockchain that were used in the process of swapping funds among different blockchains. These overlapping points include the repeated use of the same technique and addresses to swap the funds on the aforementioned blockchains.
Once bridged back to Ethereum, the stolen funds were subsequently dispersed into crypto exchanges.
Analyzing transaction time metrics to identify timezone of the hacker
If a user has made enough transactions on the blockchain, analyzing the transaction time metrics can sometimes tell you the timezone a user is operating in. In this case, the 850 transactions were grouped into buckets, and counts of these transactions by the hour of the day (0-23) were examined. According to our analysis, the exploiter lives in:
- Asia Timezone
- The time zone can be further isolated into +6GMT and +12GMT with a high confidence
Figure 4: Hour-of-day analysis of withdrawal transactions
What is the Horizon cross-chain bridge?
A cross-chain bridge connects two independent blockchains and enables an exchange of information, cryptocurrency, and NFTs from one blockchain network to another. The Horizon bridge facilitates token transfers from Ethereum (ETH), Binance Smart Chain (BSC), and Bitcoin (BTC) to the Harmony network. Meaning that users are able to send (ETH, ERC20, ERC721) tokens in a set, BNB, BEP20 assets, and Bitcoin to Harmony. In a tweet, Harmony confirmed that the crypto assets were stolen from the Ethereum side of the bridge and the trustless BTC bridge remains unaffected, and based on our analysis both ETH and BSC were exploited.