Almost a month ago, Ronin Network, the sidechain built to scale Axie Infinity, was exploited by hackers who made off with over $615 million worth of ETH.

The hackers appear to have redeemed 28,164 ETH from the 173,000 ETH stolen in the Ronin Bridge attack, with a current market value of $86,128,384.73.

The attackers initially moved over 2,000 ETH ($6 million) two weeks ago, and they are now moving funds again.

The image below, taken from Reddit, shows a list of outgoing transactions related to the wallets involved in the exploit.

Outgoing transactions from wallets related to the Axie Infinity Ronin Bridge attack

Reddit user ThatGuy222666 has been tracking the main wallet since the Ronin Bridge was exploited. It looks like the attackers are using multiple wallets to deposit the ETH into Tornado Cash, a crypto mixer that allows users to obfuscate their digital trail on the Ethereum blockchain.

According to the image below, it takes the hackers 4-6 hours to empty each new wallet of 100 ETH.

It takes attackers 4-6 hours to empty each wallet with 100 ETH – image from Reddit post.

There are outliers like this wallet where the attacker sent 10,000 ETH over a day ago.

The hackers’ biggest ETH move at the time.

Whoever the exploiter is, the amount of ETH transferred is constantly increasing.

“The most confusing part of the whole situation for me is that 327 different wallets actually sent small amounts of ETH to this person hoping he would share the wealth,” said the Reddit user.

Wallets that sent ETH to the hacker

Reddit user ThatGuy222666 went on to say, “I’ve never been so intrigued by a random person on the internet. This whole situation blows my mind.”

The Reddit user concluded by saying:

“I plan to keep following where all this ETH is going just out of curiosity, the absolute scale of this exploit is too much for my little brain to comprehend.”

The Reddit poster believes the attack was carried out by a single person who may have been moving the funds slowly to avoid detection.

According to the Reddit post, the address was “on a US watch list prior to the exploit” and was “connected to North Korea.” However, the savvy user still believes that the attack was carried out by 1-2 users.
