Update on Ronin Bridge’s Exploit: Cross-chain Bridge Attacks Still a Concern - Securities.io

Aurora Labs' CEO Alex Shevchenko, on Monday (Aug 12), shared in a 15-part Twitter post the details of an unsuccessful attack on Rainbow Bridge over the weekend. The attack was thwarted by automated watchdogs in under a minute, and the attacker's safe deposit, worth roughly $8,000, was slashed. The attacker sought to steal funds from the trustless bridge (one that does not rely on selected intermediaries) on Saturday, presumably hoping for a delayed or slow reaction.

Posing as a Rainbow Bridge relayer, the role that forwards information about NEAR blocks to Ethereum, the attacker tried to submit a fabricated NEAR block to the bridge's smart contract. The attempted exploit was, however, detected and suppressed by the protocol's automated defense within four Ethereum blocks (31 seconds), and the required safe deposit of 5 ETH was slashed. In May, a similar attempt on the NEAR Protocol Rainbow Bridge was averted without the loss of any user funds. Shevchenko noted at the time that that attack had been initiated with a deposit funded via the now-sanctioned coin mixer Tornado Cash.
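The defensive mechanism described above (a relayer posts a bond with each block header, and an automated watchdog can challenge a forged header within a short window and slash the bond) can be modelled as a small simulation. The code below is an added example, not Rainbow Bridge's contract code: the 5 ETH deposit comes from the article, while the four-block challenge window, the class and function names, and the header strings are constructed assumptions. It also shows why reaction time matters: a challenge that arrives after the window closes can no longer slash, and the forged header is accepted.

```python
from dataclasses import dataclass, field

# Constructed toy model: the 5 ETH safe deposit is from the article; the
# challenge window length and all names here are assumptions.
MIN_DEPOSIT_ETH = 5
CHALLENGE_WINDOW_BLOCKS = 4

@dataclass
class Submission:
    relayer: str
    header: str        # stand-in for a NEAR block header hash
    deposit: int
    submitted_at: int  # Ethereum block at which the relayer posted it

@dataclass
class OptimisticBridge:
    """Bonded light client: a header is accepted unless challenged in time."""
    pending: dict = field(default_factory=dict)   # height -> Submission
    accepted: dict = field(default_factory=dict)  # height -> header hash
    slashed: list = field(default_factory=list)   # (relayer, deposit) pairs

    def submit(self, relayer, height, header, deposit, eth_block):
        if deposit < MIN_DEPOSIT_ETH:
            raise ValueError("deposit below the safe-deposit requirement")
        if height in self.pending or height in self.accepted:
            raise ValueError("height already relayed")
        self.pending[height] = Submission(relayer, header, deposit, eth_block)

    def challenge(self, height, canonical_header, eth_block):
        # Slash the bond only if the header is forged and the window is open.
        sub = self.pending.get(height)
        if sub is None or eth_block - sub.submitted_at >= CHALLENGE_WINDOW_BLOCKS:
            return False  # nothing pending, or the window has already closed
        if sub.header == canonical_header:
            return False  # honest relay: the challenge fails
        self.slashed.append((sub.relayer, sub.deposit))
        del self.pending[height]
        return True

    def finalize(self, eth_block):
        # Accept every header whose challenge window elapsed unchallenged.
        for height, sub in list(self.pending.items()):
            if eth_block - sub.submitted_at >= CHALLENGE_WINDOW_BLOCKS:
                self.accepted[height] = sub.header
                del self.pending[height]

def watchdog_scan(bridge, canonical_chain, eth_block):
    """Automated watchdog: challenge pending headers that differ from the canonical NEAR view."""
    return [h for h in list(bridge.pending) if h in canonical_chain
            and bridge.challenge(h, canonical_chain[h], eth_block)]
```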

Solana, NEAR Protocol, and Axie Infinity have been exploited in 2022

Cross-chain bridges have become a hotbed for cyber criminals looking to exploit loopholes in DeFi protocols and steal users' funds. The Aurora Labs CEO divulged in the Monday post that increasing the safe deposit sum had in the past been considered as a way to prevent such exploits. The approach was eventually discarded, however, because making “the bridge more permissioned” would conflict with the firm's decentralization push.

Wormhole, a bridge between the Solana blockchain and other decentralized finance networks, suffered an exploit for 120,000 wETH (about $320 million) in February. Less than two months later, another DeFi hack, this time involving the Ronin Bridge, saw an attacker drain 173,600 ETH and 25.5 million USDC, worth approximately $625 million. Security research firm SlowMist recently reported that the entities behind what is one of the largest hacks in DeFi history have since moved the stolen assets from the Ethereum network to the Bitcoin network.

SlowMist reports the latest on Axie Infinity's Ronin bridge hack

SlowMist's BliteZero observed that the funds were moved to throw off the authorities tracking them as they try to uncover the perpetrators behind the exploit. In its mid-year report on blockchain security and AML analysis, the firm wrote that the hackers used ChipMixer and Blender (the latter sanctioned by the US Treasury in May) to move the stolen funds to the Bitcoin network.

Tracking the funds

The SlowMist report detailed that the Lazarus Group, to which the attack has been attributed, channeled part of the ETH through crypto exchanges: 5,029 ETH was transferred to the HTX crypto exchange, 1,219.98 ETH via FTX, and 667.39 ETH via Binance. The report notes that a total of 6,249.98 ETH was sent to centralized crypto exchanges on Mar 28.

The North Korean hacking collective is then said to have sent 439.78 BTC (withdrawn through exchanges onto the Bitcoin network) to the sanctioned Bitcoin mixer Blender.io. The bulk of the stolen stash, 175,000 ETH, was sent to Tornado Cash between Apr 4 and May 19.

Following the Ronin attack in late March, Blender became the first virtual currency mixer to be sanctioned by the US Treasury Department's OFAC, on May 6. In fact, blockchain investigator BliteZero notes that most of the mixer's sanctioned addresses were deposit addresses associated with the Ronin hackers. OFAC said that over $20.5 million of crypto hacked from the Ronin bridge was channeled via Blender; BliteZero's own calculation puts the figure for these addresses at $20.72 million, corresponding to the 439.78 BTC withdrawn via HTX and FTX.

More ETH to Bitcoin transfers

It has been confirmed that the attacker(s) compromised private keys in order to forge fake withdrawals. The exploit continued with the Tornado-mixed crypto being exchanged for renBTC via Uniswap and 1inch. Since Ren allows assets to be transferred between blockchains, the criminal group is then said to have used the protocol's renBTC to move the assets from the Ethereum network to the Bitcoin network.

After withdrawal from the Ren Protocol, most of the wrapped BTC was pooled and further concealed through the Bitcoin blockchain mixers Wasabi Coinjoin and ChipMixer. The hackers have been transferring the proceeds to mixers such as ChipMixer and Blender since Apr 6. The funds withdrawn via ChipMixer are being sent on to other mixers, including Coinjoin, Blender, and ChipMixer itself. The rest of the wrapped crypto was exchanged for spot Bitcoin on exchanges such as Binance, WhiteBit, and Coinbase.

The popularity of cryptocurrency mixers

SlowMist's report comes as 2022 sees increased use of crypto mixing services to facilitate illicit financial activity. Coin mixers obscure the transaction history of cryptocurrency by pooling a user's funds with those of other users. The average value of funds received by mixers hit an all-time peak of $52 million worth of crypto on Apr 19. In the wake of the hack, tighter regulation and oversight have been imposed on these privacy-focused mixing tools.

Sam is a financial content specialist with a keen interest in the blockchain space. He has worked with several firms and media outlets in the Finance and Cybersecurity fields.