Many eyes in the crypto world are on a 42-character address on the Ethereum blockchain, which has unclear ownership and is currently home to the equivalent of about $600 million.
Hackers stole the funds from players of online game “Axie Infinity” in a March 23 heist uncovered last week. The criminals have moved millions of dollars of assets in recent days, according to blockchain-monitoring tools, but the majority of funds remain in place, leaving victims and outside observers awaiting next moves.
Crypto’s transparency has turned money laundering into a perverse spectator sport. Transaction records on public blockchains give authorities a bird’s-eye view of stolen funds equivalent to tens or hundreds of millions of dollars, often pilfered by targeting poorly secured software bridges that transfer assets between blockchains.
The openness leaves successful cyber thieves facing a key question: How do you launder a nine-figure score?
“When there’s a hack like that, everyone is watching the wallets,” said
Kimberly Grauer,
director of research at Chainalysis Inc., a blockchain-analytics firm. “So you better damn well know what you’re going to do.”
The fate of the money stolen from “Axie Infinity” users, one of the largest such thefts, has become a topic of speculation. On Etherscan, a monitoring platform where users can see transactions to and from the address in question, commenters claiming to be victims, broke college students or Ukrainian refugees have posted messages asking the hackers to spread their newfound wealth.
The developer behind “Axie Infinity,” Singapore-based Sky Mavis Ltd., said it intends to reimburse or recover the stolen funds. On Wednesday, the company said it raised $150 million from investors including crypto exchange Binance in a funding round it aims to use to help pay victims.
The individuals behind last month’s theft targeted the Ronin Network, a software bridge developed by Sky Mavis that allows “Axie Infinity” players to transfer assets earned in the game.
Last week, blockchain analysts and amateur digital sleuths watched as ether worth about $20 million moved to crypto exchanges based in the Bahamas and Seychelles. On Monday, an additional $12 million of assets flowed into a mixer, which blends different cryptocurrencies to help obscure their sources.
Mixers can have their own security compromises and are dependent on having enough crypto on hand to exchange illicit deposits for cleaner funds, said
Mitchell Amador,
chief executive of Immunefi, a bug-bounty platform focused on decentralized systems.
“For [$600 million] that would take years at present liquidity amounts,” he said of mixing. “You have to be real patient to make that kind of investment.”
Governments in the U.S. and other countries have ramped up law-enforcement efforts to seize stolen funds and bolstered money-laundering regulations for crypto exchanges.
Such efforts make the transfers of some Ronin Network funds to exchanges potentially dicey, said
Jess Symington,
research lead at Elliptic Enterprises Ltd., a blockchain-analytics firm.
“This might be an opportunity for law enforcement to jump in,” she said.
Some victim companies have tried to pay off their hackers in return for getting their cryptocurrency back.
After the Qubit Finance app was hit with an $80 million heist in January, the decentralized lending platform publicly offered $2 million “with no persecution” for the rest of the funds. It is unclear if the hackers took the deal, but a crypto address linked to the exploit on Etherscan still holds more than $76 million of funds.
The app’s developers have since said on
that they have reduced their team’s size and taken out a loan to help compensate users. Qubit didn’t respond to requests for comment.
Following a $320 million hack in February of the Wormhole bridge, investors behind the project said they reimbursed users’ funds in a move that helped stabilize crypto prices underpinning the applications that the bridge helps support. Wormhole later offered a $10 million reward for hackers who spot such vulnerabilities in the future, saying on Twitter that “we believe it’s important to keep the good guys motivated.”
While companies such as Sky Mavis can more aggressively hunt for bugs, individual victims are often left watching their money move across blockchains with the hope that it is somehow recovered or reimbursed, said
Yajin Zhou,
co-founder of China-based blockchain security firm BlockSec.
“For users, honestly, there is not much to do,” he said.
Write to David Uberti at david.uberti@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
