Report on the Ronin Network Exploit and AML Analysis of Stolen Funds

We recently released the “2022 Mid-Year Blockchain Security and AML Analysis Report”. We’ll be breaking down this report into four section for the convenience of our readers.

This last article focues on the Ronin Network Exploit and AML Analysis of Stolen Funds.

The Axie Infinity sidechain, Ronin Network, issued a community warning on March 29th regarding a security breach. A total of 173,600 ETH and 25.5 million USDC were stolen, totaling a $610 million loss. The attacker used compromised private keys to establish withdrawals and siphon funds from the Ronin bridge in just two transactions. Notably, the hack occurred on March 23, but officials allegedly discovered it after users reported that they were unable to withdraw 5,000 in ETH from the bridge. This incident’s loss is even greater than last year’s PolyNetwork hack, which lost over $600 million.

The story begins in November of last year, when Sky Mavis asked Axie DAO for assistance in distributing free transactions. Due to the high volume of users, the Axie DAO whitelisted Sky Mavis, allowing Sky Mavis to sign various transactions on its behalf, a process that was discontinued in December. Access to the whitelist, on the other hand, was not revoked, allowing an attacker to sign from the Axie DAO validator via gas-free RPC once they gained access to Sky Mavis. The Sky Mavis’ Ronin chain is made up of nine validating nodes, each of which requires at least five signatures to identify a deposit or withdrawal. The attackers discovered a backdoor via a gas-free RPC node, where they eventually gained control of five private keys, including Sky Mavis’ four Ronin validators and an Axie DAO-run third-party validator. US investigators believe the incident was caused by the North Korean cybercrime organization, Lazarus Group.

Tools & Methods Used

Basic Tools- MistTrack

(MistTrack — Example Diagram of Anti-Money Laundering Tracking System)

MistTrack was designed by SlowMist as a crypto analytics platform that combines a number of SaaS systems. It was specifically designed to target crypto money laundering activities. Our core functions include AML Risk Scores, Transaction Analysis, Asset Tracing, and Monitoring.

  • AML Risk Score

The AML risk score is a score assigned to an address owner by analyzing its historical transaction data against SlowMist’s database of malicious wallets. If an address belongs to a high-risk entity, such as a mixer, or if it received cash from it, it will be assigned a high risk score. Any confirmed addresses involved in illicit activities such as extortion, theft, phishing, and/or fraud are automatically marked as risky in SlowMist’s database.

  • Address Labels

The MistTrack database has accumulated over 200 million wallet addresses. These address include information based on the following 3 categories:

1. Entity addresses such as Coinbase, Binance, etc.

2. On-chain analytics on DeFi whales, MEV Bots, and ENS.

Off-chain data, such as imToken/MetaMask wallets users.

  • Investigations

MistTrack plays a crucial part in the analysis and evaluation of anti-money laundering through its analysis of transaction characteristics, on-chain activities, and capacity to monitor any wallet address.

Our investigation feature allows users to track and visualize the flow of crypto assets between wallets. Users can also monitor the movements of funds in real time. All information, on-chain and off-chain, are integrated into one panel to provide a complete analysis that can be turned over to law enforcement agencies as evidence.

(MistTrack — Example Diagram of Tracking Analysis)

Our database has over 1,000 entity addresses, 100,000 threat intelligence addresses, 90 million malicious activity addresses, and has tagged over 200 million addresses. This is to provide users with a comprehensive database for anti-money laundering research and analysis.

Extended Methods — Data Analysis

We can see from a number of incidents that stolen funds on the ETH/BSC chain have typically been transferred to mixers such as Tornado Cash, making it the platform of choice for scammers and hackers to launder their funds. While MistTrack is effective for conventional AML analysis, additional resources are required for more complex cases.

New laundering techniques necessitate the development of new analytical processes including the analysis of Tornado Cash transactions. Here we will discuss one of the methods we use for analyzing transfers out of Tornado Cash.

● First, we’ll make a note of what information we know currently, such as the total number of transfers, the time of the initial deposit, and the block height of the first deposit.

● Then, we fill in the parameters in the Dune dashboard we’ve prepared.

● We’ll obtain preliminary withdrawal data and then further filter the results using the feature classification method.

Following a screening, the addresses that’s most likely to be associated with the scammer will be provided and the result set with the highest probability is selected and verified.

(Dune Dashboard — Tornado Cash Withdrawal Analysis)

Through this technique, we were able to correctly identify the withdrawal address of stolen funds from numerous incidents such as the Ronin network exploiter.

Evidently, this strategy has some limitations:

A parameter is the amount of funds sent to Tornado Cash. The amount of anonymity set decreases as the amount of funding increases. The opposite is true when lesser funds are sent. As a result, it is more challenging to analyze small sums sent to tornado cash.

On the Bitcoin network, ChipMixer and Blender are platforms frequently utilized for laundering by malicious actors. Blender is currently sanctioned by the United States Treasury; hence, the website is no longer accessible and will not be addressed further.

Due to the substantial influx of funds via ChipMixer, we have also proposed a method for analyzing their transactions.

  • We identify ChipMixer’s withdrawal characteristics.
  • We then scan and filter the structured block data for the relevant time period based on the aforementioned withdrawal characteristics. Then we collect ChipMixer’s withdrawal records within this time frame.
  • We categorize the withdrawal data and verify the results with the highest probability.

Based on the above method, the following analysis is made for Ronin Network security incidents:

Hacker address: 0x098B716B8Aaf21512996dC57EB0615e2383E2f96 (ETH)
Date: 03/23/2022
Amount: 173,600 ETH, 25,500,000 USDC
Initial funding:SimpleSwap

(Ronin Bridge Exploiter — Timeline of Fund Transfers)

ETH Transfer:

The hacker exchanged the 25,500,000 USDC from the attack to 8,562.6801 ETH, bringing the total amount needed to launder to 182,163.737 ETH (Binance withdrawal 1.0569 ETH + stolen 173,600 ETH + exchange from USDC 8,562.6801 ETH).

(Ronin Bridge Exploiter — Diagram of Funds Transferred)

Transfer Chart:

Note: The funds not account were lost during the laundering process

Tornado Cash Transfer:

The hacker transferred a total of 175,100 ETH to Tornado Cash. After our analysis, we concluded that the Ronin hacker’s withdrawal from Tornado Cash had the following characteristics.

After withdrawing from Tornado Cash, the hacker used 1inch & Uniswap to exchange the funds for renBTC before finally bridging it to the Bitcoin network.

Using Dune Analytics, we filtered out data pertaining to Tornado Cash withdrawals and funds that were moved to the Bitcoin network that matched the criteria above.

This process is illustrated below:

(Ronin Hacker from Tornado Cash Cross-chain data of renBTC after transfer)

Transfer Chart:

Note. Data is valid up to July 20. 2022

BTC Transfer:

Based on our analysis, a total of 8,075.9329 BTC met the criteria using the method above. Among them, 6,191.2542 BTC were possibly associated with the Ronin hacker, coupled with the 439.7818 BTC that was withdrawn from Huobi and FTX. A total of 6,631.036 BTC had possible connections to the Ronin hacker.

Additional details provided below:

Note. Transfers below 0.1 BTC aren’t accounted for,

ChipMixer Transfer:

According to the transfer of BTC, it can be seen that 3460.6845 BTC was transferred to ChipMixer. By combining on-chain data along with the analysis of ChipMixer’s withdrawal data, we were able to determine that the Ronin hackers withdrew a total of 2,871.03 BTC through ChipMixer.

Details below:

Note. Transfers below 0.1 BTC aren’t accounted for.

Download the full report: first-half-of-the-2022-report(EN).pdf



SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.