Per Etherscan data, the culprit behind last week’s $28M attack on exchange platform Deribit is transferring the funds via crypto mixer Tornado Cash.
Hacker Transfers Part of the Loot in 17 Operations
So far, the Deribit attacker has moved 1,610 Ethereum tokens, over 2.5 million USD at ETH’s current prices.
The hacker processed the move in 17 transactions: sixteen 100 ETH transfers, followed later by one of 10 ETH. The first dates back to November 5, roughly 2 days after the breach took place. Notably, the funds transferred to the mixer make up a very small percentage (8.9%) of everything the hacker was able to cart off when the breach initially occurred.
Blockchain security firm PeckShield first spotted the outbound Tornado Cash transactions and subsequently shared the information. This was still on November 5 and the hacker had only sent out about $350k at the time.
The Deribit Hack: A Recap
The attack, which took place late on Nov 1, saw the platform suffer losses totaling $28M. Deribit called attention to it in a Twitter post stating that their hot wallets had been compromised. However, the report noted, the attack was confined to their BTC, ETH, and USDC wallets.
Deribit hot wallet compromised, but client funds are safe and loss is covered by company reserves
Our hot wallet was hacked for USD 28m earlier this evening just before midnight UTC on 1 November 2022.
— Deribit (@DeribitExchange) November 2, 2022
Indeed, the perpetrator stole 691 BTC and 9,111.59 ETH. They were quick to convert the USDC to ETH for a total of 7,501 tokens, just under $12 million at press time. In their announcement, the Deribit team stated that client funds were not affected and that their reserves would compensate for the stolen assets.
“Client assets, Fireblocks, or any of the cold storage addresses are not affected. It’s company procedure to keep 99% of our user funds in cold storage to limit the impact of these types of events,” the tweet read.
Deribit put withdrawals on hold following the exploit to preserve the safety of the platform. By Nov 2, however, the team opened the doors for withdrawals once more, having moved all hot wallets to digital asset security platform Fireblocks. They released a warning to users, instructing them against transferring funds to their former BTC, ETH, and USDC addresses.
Instead, Deribit advised, users were to send funds to new Fireblocks wallets.
Tornado Cash’s Legitimacy Still Under Question
As stated earlier, the hacker transferred the funds to the controversial privacy protocol Tornado Cash. A few months ago, the US Treasury Department’s Office of Foreign Assets Control (OFAC) blacklisted the platform. The August sanction barred users in the United States from carrying out operations using the crypto mixer.
Notably, however, the crypto advocacy group Coin Center has filed a lawsuit against OFAC regarding the ban. The suit alleges that the sanction is detrimental to US-based users and also prevents private operations on the Ethereum blockchain.
The Deribit hack is yet another in a series of DeFi hacks over the last 2 months. October was the worst month for the crypto space in terms of malicious exploits with losses worth $718M in just the first half.