Ronin Hack, The Aftermath

Blockchain Intelligence Group | Crypto Investigations Platform

What is the Ronin Bridge and how it was exploited

The Ronin Bridge functions similarly to BullionVault, in that a user can bring a gold bar and exchange it for a gold certificate. Ethereum tokens are equivalent to gold in this example, and wrapped Ethereum (wETH) is the gold certificate. No individual Ronin user was compromised; however, all Ronin system users now hold undercollateralized wETH. The crime was uncovered only when one of the customers failed to withdraw 5,000 ETH on March 29, 2022.

The Ronin Bridge was built in such a way that to recognize a deposit or withdrawal, five out of nine validator signatures are required. This means that any five secret keys working together can shift funds. This attack is a private key hack. The hacker was able to compromise four validators belonging to the same entity, and then used a secondary attack vector to request the fifth key.

Tracking the stolen funds

The hack occurred on March 23, when 173,600 ETH and 25,500,000 USDC were stolen and transferred to the hacker’s Ethereum address (0x098b716b8aaf21512996dc57eb0615e2383e2f96).

The FBI linked the Ronin validator security breach to the North Korean-based Lazarus Group. Later, the US Government’s Treasury Department sanctioned eight Ethereum addresses that were linked to the hack.

Our internal analysis shows that the hacker later transferred the 25,500,000 USDC to two separate addresses and converted it to 8,562.86 ETH.

Amount in ETH stolen: 173,600 ETH

Amount of USDC stolen: 25,500,000 USDC

USDC converted to ETH: 8,562.86 ETH

Figure from QLUE™ shows funds moving from the hacker’s address to various unknown addresses, and eventually to Tornado Cash 

Between the 28th and 29th of March, 6,250 ETH were transferred to 5 new addresses. These new addresses split the ETH total and sent it to three different exchanges in several transactions. Out of 182,162.86 ETH, the amount transferred to exchanges makes up about 3.43% of the total amount stolen.

Amount of stolen funds sent to exchanges: 6,249.89 ETH

Breakdown of funds sent to exchanges:

FTX (Exchange): 1,219.98 ETH (as of March 29, split into 23 transactions)

Crypto (Exchange): 1 ETH (as of March 29, in 1 transaction)

Huobi (Exchange): 5,028.91 ETH (as of March 29, split into 131 transactions)

As of May 24, 175,100 ETH had been laundered through Tornado Cash. This is about 96% of the total amount stolen.

Amount of stolen funds sent to Tornado Cash: 175,100 ETH

As of May 24, the total funds remaining unspent in the various unknown addresses is 716.9 ETH, which is about 0.39% of the total amount. 

Stolen amount currently unspent: 716.9 ETH

Approximate amount lost in transaction fees: 96 ETH

Most of the stolen funds moved through Tornado Cash 

The hacker transferred the stolen funds from the original wallet to several unknown wallets from where most of the funds were transferred to Tornado Cash. 

In April, 59,100 ETH, or about $179,662,012.20, were sent in 591 transactions from the Ronin Bridge hacker to Tornado Cash. In May, 106,500 ETH, or about $256,948,460.4, were sent in 1,065 transactions to Tornado Cash.

Transactions on Tornado Cash are “mixed” before they reach their intended destination. After depositing ETH to Tornado Cash, users can withdraw their funds using a new address. Once the asset is sent to the new address, it becomes difficult to link the withdrawal to the deposit, which ensures asset privacy.

The table below shows the total number of addresses used to withdraw funds from the Tornado Cash 100 ETH contract along with a breakdown showing the number of addresses with no transaction history and the number of reused addresses. The majority of addresses used to withdraw funds have no transaction history, which implies that Tornado Cash users prefer to create new addresses to withdraw funds rather than reusing the same address.

| Month | Number of addresses used to withdraw funds from Tornado Cash | Number of addresses used with no previous transactions | Number of addresses used with previous transactions |
|---|---|---|---|
| January 2022 | 568 | 524 | 44 |
| February 2022 | 484 | 426 | 58 |
| March 2022 | 404 | 347 | 57 |
| April 2022 | 532 | 477 | 55 |

Comparing the number of incoming and outgoing transactions to the Tornado Cash 100 ETH contract across the months of this year shows a significant increase in the number of transactions in both April and May 2022.

| Month | Number of incoming transactions to the Tornado Cash mixer | Value sent in ETH | Value in USD |
|---|---|---|---|
| January 2022 | 921 | 92,100 | $216,130,149 |
| February 2022 | 923 | 92,300 | $217,276,046 |
| March 2022 | 847 | 84,700 | $200,285,008 |
| April 2022 | 2005 | 200,500 | $471,894,795 |
| May 1 to May 24 | 2000 | 200,000 | $389,727,144 ($1948.48/ETH) |

| Month | Number of outgoing transactions from the Tornado Cash mixer | Value received in ETH | Value in USD |
|---|---|---|---|
| January 2022 | 919 | 91,816.18 | $215,464,130.5 |
| February 2022 | 812 | 81,117.13 | $190,951,357.5 |
| March 2022 | 883 | 88,041.83 | $208,187,240.9 |
| April 2022 | 1527 | 152,231.43 | $358,290,373.6 |
| May 1 to May 24 | 1835 | 182,772.73 | $356,143,106.9 ($1948.48/ETH) |

Moving cross-chain to the Bitcoin Blockchain using RenBTC


After analyzing outgoing transaction data from the Tornado Cash 100 ETH contract, our internal analysis identified RenBTC as the most commonly used cross-chain gateway, in this case moving funds from the Ethereum Blockchain to the Bitcoin Blockchain. 

RenBTC is an ERC-20 token built on the Ethereum network and its market value is pegged to the value of Bitcoin. This means that each RenBTC can always be redeemed for one Bitcoin, and hence tends to maintain its value at close to the Bitcoin market rate.

| Number of transactions in ETH sent to Tornado Cash from the Ronin hacker’s address | Date sent | Time Range UTC | The number of transactions from Tornado Cash moved to addresses that sent to renBTC | Date received | Time Range UTC |
|---|---|---|---|---|---|
| 0 | April 1 | | 0 | | |
| 0 | April 2 | | 0 | | |
| 0 | April 3 | | 0 | | |
| 20 | April 4 | 3 – 9 AM | 15 | April 4 | 3 AM – 2 PM |
| 15 | April 5 | 2 – 3 AM | 12 | April 5 | 4 – 7 AM |
| 17 | April 6 | 2 – 9 AM | 14 | April 6 | 6 AM – 5 PM |
| 20 | April 7 | 2 – 7 AM | 16 | April 7 | 6 – 7 AM |
| 28 | April 8 | 4 – 5 AM | 28 | April 8 | 5 – 6 AM |
| 31 | April 9 | 2 – 4 AM | 27 | April 9 | 6 – 7 AM |
| 30 | April 10 | 8 – 11 AM | 30 | April 10 | 11 AM – 1 PM |
| 25 | April 11 | 12 – 3 PM | 25 | April 11 | 12 – 3 PM |
| 29 | April 12 | 5 – 7 AM | 29 | April 12 | 6 – 8 AM |
| 32 | April 13 | 4 – 5 AM | 32 | April 13 | 6 – 8 AM |
| 33 | April 14 | 2 – 4 AM | 33 | April 14 | 2 – 7 AM |
| 29 | April 15 | 8 – 9 AM | 29 | April 15 | 10 AM – 4 PM |
| 0 | April 16 | | 2 | April 16 | 10 – 11 PM |
| 0 | April 17 | | 0 | April 17 | |
| 0 | April 18 | | 0 | April 18 | |
| 0 | April 19 | | 1 | April 19 | 2:04 PM |
| 0 | April 20 | | 2 | April 20 | 1 – 5 PM |
| 0 | April 21 | | 0 | April 21 | |
| 6 | April 22 | 11 AM – 11 PM | 4 | April 22 | 3 – 12 PM |
| 30 | April 23 | 11 AM – 11 PM | 20 | April 23 | 1 AM – 8 PM |
| 15 | April 24 | 12 AM – 6 PM | 20 | April 24 | 1 AM – 12 PM |
| 31 | April 25 | 12 AM – 10 PM | 24 | April 25 | 12 AM – 12 PM |
| 18 | April 26 | 12 AM – 7 PM | 22 | April 26 | 12 AM – 12 PM |
| 45 | April 27 | 1 AM – 11 PM | 53 | April 27 | 12 AM – 12 PM |
| 29 | April 28 | 3 AM – 12 PM | 22 | April 28 | 12 AM – 12 PM |
| 56 | April 29 | 12 AM – 12 PM | 55 | April 29 | 12 AM – 12 PM |
| 52 | April 30 | 12 AM – 7 PM | 61 | April 30 | 3 AM – 12 PM |

The rows highlighted in green in the table above reveal an exact match between the number of transactions sent from the Ronin Bridge hacker’s account to the Tornado Cash mixer and the number of transactions from Tornado Cash to addresses that eventually sent funds to renBTC. This indicates that in April, funds from the Ronin Bridge hack may have been sent to the Bitcoin Blockchain via RenBTC.

Furthermore, by observing the timestamps of the transactions that were sent to Tornado Cash from the Ronin hacker’s address and the timestamps at which transactions from Tornado Cash moved to addresses that sent ETH to RenBTC, our team was able to identify a higher likelihood that the stolen funds moved to the Bitcoin Blockchain through the RenBTC gateway.

For better visualization, the graph below shows how the number of transactions sent by the hacker to Tornado Cash in April 2022 matches the number of all transactions sent from Tornado Cash to RenBTC on certain days.

In April 2022, 

  • 59,100 ETH or about $179,662,012.20 were sent in 591 transactions from the Ronin Bridge Hacker to Tornado Cash.
  • 57,388.20 ETH or about $135,068,302.2 were withdrawn in 576 transactions from Tornado Cash to addresses that eventually converted this ETH to RenBTC.

The data collected for May follow a similar trend, although fewer addresses that received funds from Tornado Cash converted these funds to RenBTC.

As of May 24, 2022,

  • 116,000 ETH or about $275,629,072.2 were sent in 1,160 transactions from the Ronin Bridge hacker to Tornado Cash. 
  • 34,957.36 ETH or about $68,130,146 were withdrawn in 351 transactions from Tornado Cash to addresses that converted ETH to RenBTC.

However, tracking funds after any mixer, including Tornado Cash, is a probabilistic process, and we cannot be certain which outgoing transactions are linked to the transactions sent by the hacker’s address. But by tracking the volume of transfers, their timestamps, as well as the use of the same address for multiple withdrawals, we can establish a possible connection between the deposits and the withdrawals. 
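The daily-count comparison described above can be reproduced from the April table. The following Python sketch is an added example, not code from the original analysis: the counts are copied from the article's table, while the function names and the running-balance check (withdrawals attributed to the deposits should never outnumber the deposits made so far) are assumptions introduced here.

```python
# Daily counts for April 2022, copied from the article's table:
# (day of April, deposits from the Ronin address into Tornado Cash,
#  Tornado Cash withdrawals to addresses that later sent to renBTC)
APRIL = [
    (1, 0, 0), (2, 0, 0), (3, 0, 0), (4, 20, 15), (5, 15, 12), (6, 17, 14),
    (7, 20, 16), (8, 28, 28), (9, 31, 27), (10, 30, 30), (11, 25, 25),
    (12, 29, 29), (13, 32, 32), (14, 33, 33), (15, 29, 29), (16, 0, 2),
    (17, 0, 0), (18, 0, 0), (19, 0, 1), (20, 0, 2), (21, 0, 0), (22, 6, 4),
    (23, 30, 20), (24, 15, 20), (25, 31, 24), (26, 18, 22), (27, 45, 53),
    (28, 29, 22), (29, 56, 55), (30, 52, 61),
]

def exact_match_days(rows):
    """Days with activity on which both counts are equal."""
    return [day for day, dep, wd in rows if dep > 0 and dep == wd]

def totals(rows):
    """Total deposits and total withdrawals over the period."""
    return sum(d for _, d, _ in rows), sum(w for _, _, w in rows)

def outstanding(rows):
    """Running (deposits - withdrawals) at the end of each day.
    Added check (assumption, day-level only): if the withdrawals are the
    same funds, this balance should never go negative."""
    out, balance = [], 0
    for day, dep, wd in rows:
        balance += dep - wd
        out.append((day, balance))
    return out

def summarize(rows):
    run = outstanding(rows)
    dep, wd = totals(rows)
    return {
        "match_days": exact_match_days(rows),
        "deposits": dep,
        "withdrawals": wd,
        "causally_consistent": all(b >= 0 for _, b in run),
        "peak_outstanding": max(run, key=lambda x: x[1]),  # (day, count)
    }

if __name__ == "__main__":
    for key, value in summarize(APRIL).items():
        print(f"{key}: {value}")
```

A non-negative running balance is consistent with the linkage but does not prove it, since other Tornado Cash users deposit into and withdraw from the same 100 ETH contract.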

Our team further examined outgoing transactions from Tornado Cash sent cross-chain to Bitcoin using the RenBTC gateway for different months of this year. As seen on the histogram below, there is an increase in the number of transactions sent cross-chain using the RenBTC gateway in April, which appears to be directly related to the Ronin hack. 

Tracking the funds on the Bitcoin Blockchain 

Our team was able to successfully track the funds from the Tornado Cash mixer to addresses that converted the funds to RenBTC tokens, and later withdrew the value of funds on the Bitcoin Blockchain. By matching the amount with the temporal patterns, we were able to discover the destination of funds on the Bitcoin Blockchain. 

In April, 2,311.5 BTC were received by 89 addresses.

  • 2,022 BTC from 76 of these 89 addresses were sent to a mixer. 
  • 267.27 BTC in 10 addresses are currently unspent.
  • 14.92 BTC from 2 addresses were sent to an exchange.
  • 7.34 BTC from 1 address was bridged back to the Ethereum Blockchain using the RenBTC gateway.

In May, 3,960.57 BTC were received by 110 addresses.

  • 1,175.47 BTC from 29 of these 110 addresses were sent to a mixer.
  • 2,534.66 BTC in 71 addresses are currently unspent.
  • 250.43 BTC from 10 addresses were sent to unknown addresses.

Conclusion 

The Ronin Bridge hack is the largest crypto heist in history when measured by the value of funds at the time they were stolen. The hackers, who were later identified as the Lazarus Group, stole crypto worth over $629.3M. Tornado Cash was used to launder 175,100 ETH ($604M), which is about 96% of the total amount stolen.

Incidentally, in the period after the hacker started laundering these funds through Tornado Cash, it was observed that the number of withdrawals from Tornado Cash to addresses that eventually converted and sent funds cross-chain to the Bitcoin blockchain using RenBTC saw a significant increase when compared to the first three months of 2022. A total of 92,345 ETH ($316M) that were withdrawn from the Tornado Cash 100 ETH contract were converted to renBTC. 

Our analysis shows that, on certain days, the stolen funds deposited by the hackers into Tornado Cash matched exactly with the funds that were withdrawn from Tornado Cash and converted to RenBTC. This leads us to conclude that it is highly likely that a major portion of the stolen funds from the Ronin Bridge exploit that were sent to Tornado Cash were sent cross-chain to Bitcoin using the RenBTC gateway. Tracking these funds in the Bitcoin blockchain showed that about 51% of these funds were sent to additional mixing services on the Bitcoin blockchain to further obfuscate the trail of funds.

