Deep Dive into the ByBit Hack and How It Happened



Once the hacker consolidated the stolen funds into 0x4766…e2, they quickly began obfuscating fund movements through a multi-step laundering process.

 

The first step involved converting stETH and mETH into ETH, which was done at 0xa4b2…449e. This conversion increased liquidity and allowed the attacker to distribute funds more efficiently. However, an attempt to exchange cmETH at 0x1542…4443 was left incomplete, possibly due to liquidity constraints or security countermeasures.

 

With the majority of the stolen assets now in ETH, the hacker initiated a systematic dispersal operation. ETH was distributed in 10,000 ETH increments across multiple addresses, making tracking and recovery efforts more challenging.

 

One of the key laundering hubs was 0xdd90…f92, which received 98,048 ETH before further distributing 90,000 ETH across multiple wallets. That suggested an intentional multi-layered laundering approach, possibly involving bridges, decentralized exchanges, and mixers to further obscure the origin of the funds.

 

The attackers’ subsequent actions reinforced this hypothesis. They began strategically layering the stolen funds through decentralized exchanges (DEXes), cross-chain bridges, and well-known mixers (over 20 entities in total and growing). This approach deliberately circumvented centralized exchanges at this stage, likely to avoid the heightened scrutiny and potential tracking mechanisms associated with centralized platforms. DEXes, by their nature, offer a greater degree of anonymity and control over the transaction process, making them attractive for illicit activities. Cross-chain bridges, on the other hand, enable the transfer of assets between different blockchain networks, further obfuscating the movement of stolen funds. This calculated use of DEXes and cross-chain bridges highlights the attackers’ sophistication and their intent to maximize their chances of successfully laundering and retaining the stolen assets.
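For investigators tracing such flows, the hub behaviour described above (a large inflow forwarded to many wallets in identical increments) can be flagged mechanically. The following is an added example, not code from the original article: the transfer list is constructed, the address labels are placeholders rather than real addresses, and the thresholds are assumptions to tune per case.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample transfers (sender, receiver, amount in ETH). Labels are
# placeholders, not real addresses; hub amounts mirror the figures quoted above.
TRANSFERS = (
    [("consolidation", "hub", Decimal("98048"))]
    + [("hub", f"wallet_{i:02d}", Decimal("10000")) for i in range(1, 10)]
    + [("exchange_user", "merchant", Decimal("3.2")),
       ("merchant", "supplier_a", Decimal("1.1")),
       ("merchant", "supplier_b", Decimal("0.7"))]
)

def find_fanout_hubs(transfers, min_inflow=Decimal("1000"),
                     min_recipients=5, min_uniform_share=Decimal("0.8")):
    """Flag addresses that receive a large inflow and forward most of it
    to many distinct recipients in identical-sized transfers."""
    inflow = defaultdict(Decimal)
    outgoing = defaultdict(list)
    for sender, receiver, amount in transfers:
        inflow[receiver] += amount
        outgoing[sender].append((receiver, amount))

    findings = []
    for addr, outs in outgoing.items():
        if inflow[addr] < min_inflow:
            continue
        # Group outgoing transfers by exact amount to find the dominant increment.
        by_amount = defaultdict(set)
        for receiver, amount in outs:
            by_amount[amount].add(receiver)
        increment, recipients = max(by_amount.items(), key=lambda kv: len(kv[1]))
        total_out = sum(a for _, a in outs)
        uniform_out = sum(a for _, a in outs if a == increment)
        if len(recipients) >= min_recipients and uniform_out / total_out >= min_uniform_share:
            findings.append({
                "address": addr,
                "inflow": inflow[addr],
                "increment": increment,
                "recipients": len(recipients),
                "forwarded": uniform_out,
                "retained": inflow[addr] - total_out,
            })
    return findings

if __name__ == "__main__":
    for finding in find_fanout_hubs(TRANSFERS):
        print(finding)
```

In practice the transfer tuples would come from an indexed export of on-chain transactions, and each flagged recipient becomes the next address to run through the same check.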


