On Thursday, blockchain forensics firm Chainalysis said that law enforcement had recovered $30 million in crypto stolen from the $625 million Ronin Bridge hack in March. According to Chainalysis, Lazarus Group, the North-Korea linked entity behind the attacks, first used sophisticated money-laundering techniques such as sending stolen Ether (ETH) to crypto-mixer Tornado Cash, swapping it for Bitcoin (BTC), sending theBitcoin to Tornado Cash, and then cashing out at exchanges. However, the group recently moved away from such techniques after the U.S. Department of Treasury imposed sanctions on Tornado Cash wallet addresses.
Chainalysis explains that in response, Lazarus Group hackers switched to, perhaps ironically, laundering the stolen crypto via cross-chain bridges on legitimate decentralized finance platforms. "With Chainalysis tools, these cross-chain funds movements are easily traced," the firm wrote, pointing to one transaction where hacked funds were bridged to the BNB Chain from Ethereum, then swapped for Tron's stablecoin USDD, and then finally bridged to the BitTorrent blockchain.
North-Korea-backed Lazarus Group first exploited five of the nine private keys held by transaction validators for Ronin Network's cross-chain bridge. After gaining a majority consensus, they approved two transactions for transferring 173,600 ETH and 25 million USD Coin (USDC) from Ronin Bridge, draining it of assets.
Since then, Binance has managed to recover $5.8 million in funds related to the Ronin exploit. Just four months later, Ronin developers announced that the cross-chain bridge was back after three audits. Sky Mavis, the developer of Ronin, raised over $150 million in a round backed by Binance to rebuild the protocol.