0xOK.eth 🦇🔊
Nov 21
🧵 on what’s occurring with $wBTC, $REN, $renBTC, $ETH and why this may impact those who reside on-chain, regulations, and price of crypto.

Let’s begin by following the $

What has occurred? What will occur?

(1/22)

I’m aware that’s a long thread.
Plenty of evidence to be shown
We start by following the money.
Address for FTX account drainer is here:

etherscan.io/address/0x59ab…

20hrs or so ago, this wallet moved 10k ETH & then 25k ETH

(2/22)
To this wallet:
etherscan.io/address/0x866e…

Here’s a tx for the 10k ETH:

etherscan.io/tx/0x44a3c70c7…

Here’s a tx for the 25k ETH:

etherscan.io/tx/0x28ac04b18…

And the first test tx of 5k ETH
etherscan.io/tx/0xe3f288d78…

(3/22)
So, we see in that next hour the receiving address began swapping in increments ranging from 1k ETH to 5k ETH.
I’m not gonna post all those txs. Hacker routed through whatever they could. But all they wanted was a single ERC-20:
$renBTC

etherscan.io/token/0xeb4c27…

(4/22)
Why $renBTC?

Lemme provide a few links and then will explain a bit more.

bridge.renproject.io/about

bridge.renproject.io/welcome

bridge.renproject.io/release

So, here’s the main links for what $REN has made a name for itself as. A trustless cross-chain bridge- super cool stuff!

(5/22)
Why does this matter?

Well, it allows you to bridge assets like $renBTC (which is an ERC-20 on ETH mainnet) to $BTC.

Importantly, $REN has done a great job. 1 to 1 backing of assets so each renBTC is backed by a BTC on bitcoin’s actual chain.

(6/22)
Now since Tornado Cash ( $TORN ) has been sanctioned, how can a hacker obfuscate their path and still perhaps keep their treasure they amassed?

Well, here’s a warning before you use RenBridge.

As you can see, very little data is retained by REN protocol.

(7/22)
The problem with that, or rather the upside of that is that it is something, to the best of my knowledge, quite a well developed protocol that sticks to crypto philosophies & values.

This makes it a solid candidate for laundering hacked ETH assets

(8/22)
The FTX Account Drainer takes the $renBTC & over a 4hr period, sends it to the RenBridge; which then burns the renBTC (once again, REN has attested the assets are backed 1-to-1)

etherscan.io/tx/0x7f292e8f1… (1755 BTC)
etherscan.io/tx/0xf3b12ae1e… (692 BTC)

Poof goes 2447 BTC!

(9/22)
Now where does this go?

Well, from my hazy recollection, it takes about 15-30 minutes or so for RenBridge to then send the BTC to the selected BTC deposit address of the hacker(s) choosing.

Can we sleuth more? Yes, we can!

We love the on-chain 😎

(10/22)
So, the method of how cross-chain via RenBridge exists is that the RenVM interacts with both ETH & BTC.
Since REN has (as I said earlier) really done well at sticking to crypto values, we can look at the REN Explorer:
explorer.renproject.io

(11/22)
So, we take the tx hash of the two big burns of renBTC and we search it on there.
Copy & paste… and BOOM:

explorer.renproject.io/tx/F-rBrH0bVer…

explorer.renproject.io/tx/owd5XnL-4sw…

(12/22)
Now we can see the exact BTC txs that took place and where the deposits went.

live.blockcypher.com/btc/tx/4923ac7… (692 BTC minus tx fees)
live.blockcypher.com/btc/tx/3a27a9f… (1753 BTC minus tx fees)

The address these went to?

bc1qaq09p8qy97pf9rhnwtxvj7htqhmyejvv6n0702

(13/22)
So, now we can look at where the hacker is holding their BTC they successfully bridged from an ERC-20 to hard BTC.

Choose your BTC explorer and take a look at the balances yourself:

live.blockcypher.com/btc/address/bc…
blockchair.com/bitcoin/addres…

(14/22)
So, we see how much is sitting unmoved on BTC chain. As of now the balances for the FTX Account Drainer are 200k ETH + 8.1k $PAXG (coin pegged to 1 ounce of gold) still in the FTX Account Drainer ETH wallet + 2444 BTC on bitcoin. The current USD value is ~$278mil

(15/22)
So what does this all mean for the rest of us?

1st comment: since Tornado Cash is gone. I would say it’s.. wise actually that the hacker went to BTC chain. Wasabi Wallet & other mixers were never sanctioned in the same way. Which is.. not bad. Privacy is important.

(16/22)
I would be curious to see the movements of the next 200k. I wonder if @PaxosGlobal freezes the $PAXG. I wonder, since the hacker now has about $40mil in BTC, they feel safer? Mixing is expensive but jail is even more taxing. I am curious now how governments handle this.

(17/22)
Is this going to be another Tornado Cash watershed moment in terms of regulation against all mixers? What about bridges?
We can only hope that regs don’t come down too hard on innovation. That said, most are curious, financially. What happens next to $BTC & $ETH?

(18/22)
I’m no fortune teller and certainly not a TA type person. I imagine the contagioooon continues to spread. Now impacting things that were assumed safe which is assets on-chain.

My two cents is: better safe than sorry; not your keys, not your coins, don’t trust, verify.

(19/22)
My personal opinion? We get some more dump, but this could mean that the hacker is going to have some difficulty in moving funds around. It’s not going to be easy to liquidate that much BTC without some trail. Additionally, chain-analysis has improved in recent years.

(20/22)
For now, we continue to be the watchers on the wall.
For those better than me at this sort of sleuthing, I hope I’ve provided some information for y’all to continue tracking. I’m not as familiar with the more complex analysis that BTC mixers require to undo the web.

(21/22)
Crypto has always been YOUR responsibility in that YOU are your own bank; of course, this has pros & cons.

In these situations, I’ve moved my assets to safe, cold storage- keeps me sane.

Use a hardware wallet & be mindful of approvals, where you’re sending things.

(22/22)
Saga isn’t done yet. Obviously.

FTX Account drainer just restarted the dumping- sent to a new ETH wallet. Similar playbook as the above outlined dump strategy.

etherscan.io/address/0x8059… 15k ETH dumped to renBTC again via #1INCH and instantly moved to RenBridge.

(1/2)
So we take a look at where the funds are going. Here’s the RenVM txs:

explorer.renproject.io/tx/oRjVSt4VgyB… (338 BTC)

explorer.renproject.io/tx/2mwq6qDmHBQ… (684 BTC)

The hacker is using another BTC deposit this time which has a balance of about 1022 BTC:
bc1qexzss0wh5lz0q5emcm7rp29h9tqrc0tulvpp4t

(2/2)
I’ll keep tracking this as this all happened in the past 60 minutes but, alas, there’s a World Cup to watch and enjoy so I’ll update as I can. That said, it seems like, for now, things have calmed.

Here’s the beginning of the 🧵🪡 detailing the FTX Drainers movements on-chain.
This seems to be the address for the BTC bridge for $REN:

blockchain.com/btc/address/19…

The hacker still has 185k ETH (current price equivalent of 12k BTC). If this hacker intends on converting as much as possible to BTC.. not enough on RenBridge (3000 BTC current balance) for that.
If the attacker is dumping everything into BTC for mixing purposes.

RenBridge was the 2nd biggest wrapped Bitcoin.
The biggest is $wBTC itself however in order for that to be converted into $BTC.

There are custodians and merchants that it must pass through as opposed to RenVM.
Attacker effectively has another ~45k ETH to dump to drain the entire RenBridge of the remaining 3k BTC. $renBTC has a supply of only 2400 remaining left on ETH.
I am expecting $sBTC to be the next drained via 1INCH & $CRV to be dumped into renBTC.

(1/2)
However exhaustion seems apparent as the remaining top holders of renBTC are more sporadic/not available as liquidity (for now)

etherscan.io/token/0xeb4c27…

(2/2)
Updates:

FTX Drainer Wallet has dropped to 5.7k ETH. What happened to the other ~180k in the time since I’ve been tracking it?

Let’s follow the money again:

etherscan.io/address/0x59ab…

(1/6)
Well, very easy actually. FTX Account Drainer is probably not happy with his wallet being watched.

Or, there’s another explanation, that others are being paid to stay silent.

Either way, I don’t know regarding those things. What I do know is on-chain.

(2/6)
31hrs ago, the FTX Drainer wallet had sent 15k ETH which was dumped into $renBTC.
As I said earlier, liquidity for that bridge and the ERC-20 has run a bit dry.

24.5hrs ago, the wallet began sending out increments of 15k ETH to 12 different wallets.

(3/6)
This updated situation is interesting but not a very outlandish move.

Moving ETH to multiple wallets occurs for a variety of reasons like cold storage, protecting against compromised private keys, obfuscation via complicating chain analysis, etc. We’ll be watching closely.
(6/6)
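
Added example, not part of the original thread: the thread links each renBTC burn to its BTC payout through the RenVM explorer; the sketch below shows the fallback an analyst can use when no such explorer exists, pairing burns with payouts by amount and timing. Amounts are the thread's rounded figures and the 30-minute window is the thread's own estimate; the minute offsets, decoy receipts, labels and the 0.2% fee tolerance are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    label: str         # analyst's label, not a real tx hash
    amount_btc: float
    minute: int        # minutes since start of observation (constructed)

def match_burns(burns, receipts, max_fee_ratio=0.002, max_delay_min=30):
    """Pair each burn with the single receipt that arrives within
    max_delay_min and is smaller by at most max_fee_ratio of the burn.
    A burn with zero or several candidates maps to None, so ambiguous
    links are flagged for manual review instead of guessed."""
    unused = list(receipts)
    pairs = {}
    for burn in sorted(burns, key=lambda b: b.minute):
        candidates = [
            r for r in unused
            if 0 <= r.minute - burn.minute <= max_delay_min
            and 0 <= burn.amount_btc - r.amount_btc <= burn.amount_btc * max_fee_ratio
        ]
        if len(candidates) == 1:
            pairs[burn.label] = candidates[0].label
            unused.remove(candidates[0])
        else:
            pairs[burn.label] = None
    return pairs

# Amounts are the thread's rounded figures; minutes are constructed.
BURNS = [Event("burn-1755", 1755, 0), Event("burn-692", 692, 240)]
RECEIPTS = [
    Event("btc-1753", 1753, 22),
    Event("btc-692", 692, 258),
    Event("decoy-late-692", 692, 600),   # right amount, far outside the window
    Event("decoy-700", 700, 250),        # in the window, but larger than the burn
]

if __name__ == "__main__":
    for burn, receipt in match_burns(BURNS, RECEIPTS).items():
        print(f"{burn} -> {receipt or 'needs manual review'}")
```

A `None` result means the amount-and-time heuristic alone cannot support the link, which is the case where the bridge's own explorer record is needed.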
