Hacker Moves $155M in ETH, Takes $13M Loan to Buy Cryptocurrency
• The hacker of Wormhole, a cross-chain bridge between Solana and other blockchains, moved $155 million in ETH this week
• The funds were sent to the OpenOcean DEX, where they were converted into ETH-pegged assets such as Lido Finance’s staked ETH (stETH) and wrapped staked (wstETH)
• The hacker then used the wrapped staked Ether (wstETH) as collateral to take a $13 million loan in the stablecoin DAI, in a bid to buy nearly 7,989.5 ETH via KyberNetwor
This week saw an eruption in on-chain activity from the address associated with the $320 million exploit of Wormhole, one of the largest cross-chain bridges between Solana and other blockchains. 95,630 ETH was sent to the OpenOcean DEX, where it was then converted into ETH-pegged assets such as Lido Finance’s staked ETH (stETH) and wrapped staked (wstETH).
The hacker then used the wrapped staked Ether (wstETH) as collateral to take a $13 million loan in the stablecoin DAI. This enabled the hacker to buy nearly 7,989.5 ETH via KyberNetwor. The trades were repeated multiple times, causing the hacker’s address to shrink by $155 million in ETH.
The hacker’s address was initially identified by CertiK, a blockchain analytics platform. The platform reported that the address had previously been seen transacting with various decentralized exchanges, as well as creating several transactions involving ERC-20 tokens.
Experts have speculated that the hacker’s activities were intended to obfuscate the origin of the stolen funds. It is possible that the hacker was using the ETH-pegged assets to convert the stolen ETH into other digital currencies, in an attempt to make the funds more difficult to trace.
The Wormhole attack was first discovered in October 2020, when a hacker gained access to the protocol’s developer wallets and stole over $320 million worth of ETH. Since then, the hacker has been moving the funds around in an attempt to conceal their identity and the origin of the funds.
It is unclear whether the hacker was successful in masking the stolen funds, or if the stolen funds will eventually be recovered. However, the recent activity from the hacker’s address suggests that the hacker is actively attempting to launder the stolen funds. As such, the incident serves as a reminder to cryptocurrency users to take appropriate security measures in order to protect their funds.