Laundering of the proceeds from Saturday’s $290 million rsETH hack is well and truly underway, and state-sponsored North Korean hacking collective Lazarus Group is suspected to be behind the theft, given the commingling of funds with other TraderTraitor-related hacks, BTC Turk and ByBit.
As with previous incidents, the culprits have taken to funneling vast volumes through blockchain bridges. The tools used so far even include LayerZero, the bridging protocol from which the $290 million rsETH were originally stolen.
Read more: DeFi sector in $14B meltdown as $290M rsETH hack fallout burns Aave
The efforts began shortly after Arbitrum’s Security Council rescued over 30,000 ether (ETH), slashing the hackers’ realized profit from $245 million to around $175 million.
One on-chain analyst, who goes by “Specter,” claims to have tracked over 1,600 transactions via 370 addresses in the first 12 hours of laundering. That’s an average of one transaction every 25 seconds.
As of Wednesday morning, they tallied $116 million as having been laundered to bitcoin (BTC), with another wallet currently holding $61 million still to go.
Read more: DeFi plays the blame game
Mixed reactions
The projects behind the bridges themselves have responded differently to the ill-gotten gains flowing through their tech.
Privacy protocol Umbra acknowledged that $800,000 worth of ETH had passed through its system. While the project underlined its inability to stop illicit use of its autonomous smart contracts, it did put its own hosted front end into “maintenance mode.”
THORChain, as usual, washed its hands of responsibility, with varying degrees of diplomacy.
Read more: Vultisig founder says DPRK-linked Bybit transactions are ‘legitimate’
Specter estimates that 99% of the laundered funds flowed through THORChain, whose dashboard shows over $100,000 of affiliate fees earned on Tuesday.
While THORChain’s bridging infrastructure is decentralized across a network of 95 active nodes, affiliate fees come from use of its front end. Blockchain investigator Tanuki42 puts the recent fees at more than double year-to-date revenue.
In attempting to defend THORChain’s inability to prevent illicit use, founder JP let slip that the protocol held an admin key for many years.
Read more: DeFi karma: Garden hacked for $11M after bridging Lazarus’ loot
No let up
The DeFi sector has faced two catastrophic hacks so far this month, with combined losses of well over half a billion dollars.
On top of this, a slew of smaller incidents also continue to batter community morale.
While DeFi users and developers alike are still reeling from the fallout of Saturday’s incident, just last night a further $3.5 million was lost.
Read more: Inside the $280M Drift hack: weeks of setup, minutes to drain
Since the hack, Volo has provided two separate updates, informing users it had recovered $500,000, and then 19.6 BTC ($1.3 million).
As if near constant multi-million dollar hacks weren’t enough to worry about, ongoing phishing campaigns continue to hook victims.
In a span of just 11 hours, four victims reportedly lost almost $600,000 to the same drainer contract.
Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
Source: https://protos.com/layerzero-among-bridges-lazarus-using-to-launder-loot/
