Liquid Exchange Hacker Continues to Swap Stolen ERC-20 Tokens for Ethereum (ETH) and wETH via DEXes to Prevent Funds From Being Frozen

On August 18, 2021, hackers managed to steal more than $90 million in over 69 different cryptocurrencies and digital tokens from Japan-based exchange Liquid Global. Liquid’s teams had “yet to release a postmortem detailing the attack vector used by the hacker,” the CipherTrace team noted in a blog post published on August 20, 2021.

Although around $16 million in crypto-assets from more “centralized” tokens have been frozen (as of August 20) according to Liquid, an analysis of the flow of funds “shows that the hacker continues to swap stolen ERC-20 tokens for ETH and wETH through decentralized exchanges (DEXs),” CipherTrace noted.

The blockchain security firm also mentioned that swapping more centralized tokens into ETH will “hedge against the possibility of additional frozen funds, while swapping into wETH will facilitate additional swaps.”

As noted in the analysis from CipherTrace:

“Two days after the hack, 6,005 of the ETH received in these swaps (worth almost $20 million) were sent to Tornado Cash, a cryptocurrency mixer that specializes in obfuscating transactions on the Ethereum blockchain.”

As mentioned in the update from CipherTrace, the hacker’s addresses include:

BTC: 1Fx1bhbCwp5LU2gHxfRNiSHi1QSHwZLf7q
ETH: 0xefb33ccafc98d5fdb27a6f5ff17350ca76bf3b53
ETH/ERC-20: 0x5578840aae68682a9779623fa9e8714802b59946
TRX: TSpcue3bDfZNTP1CutrRrDxRPeEvWhuXbp
XRP: rfapBqj7rUkGju7oHTwBwhEyXgwkEM4y

CipherTrace is “continuing to monitor the hacker’s flow of funds,” the company confirmed. The team at Liquid Global has also provided several updates related to their compromised warm wallets.

As noted in the incident report from the Japanese crypto exchange (on August 21, 2021):

“We would like to once again thank our community for your continued support while we take measures on mitigating this incident. We have completed setting up our new MPC infrastructure with heightened security; and are now in the process of testing and migrating our assets to the new secure vaults. We expect to restore services early next week.”

The company added:

“As mentioned in our previous updates, we are continuing to work with the appropriate authorities and taking the necessary action required in this avenue. We will continue to update the latest developments on this blog and our social media accounts.”

