Ronin Bridge Exploit — Cashing out through Huobi, FTX, Crypto.com?

Sentinel Protocol Team, Sentinel Protocol
Mar 30, 2022

Monitoring digital assets worth over $600M USD with ease: Uppsala Security’s latest Crypto Asset Monitor Solution

Written by: Uppsala Security Threat Intelligence Operations Team

On the 29th of March 2022, Ronin Network announced through Twitter that the Ronin Bridge had been exploited for a total of 173,600 Ethereum and 25.5M USDC, worth over $600M USD at time of writing — making this one of the largest DeFi related exploits in history.

Source: https://twitter.com/Ronin_Network/status/1508828722085867521

The exploiter drained these assets through 2 fraudulent transactions, faking withdrawals from the bridge on the 23rd of March, as seen below. According to Ronin Network’s team, the exploiter executed this using hacked private keys, and the team discovered it on the same day they made the announcement.

Fake Withdrawal #1: 25.5M USDC transferred from Ronin Bridge to the Exploiter
Fake Withdrawal #2: 173,600 Ether transferred from Ronin Bridge to the Exploiter

Digital asset tracking, especially for incidents like this where large amounts of assets are involved, can become complicated at times. It is also both time and resource intensive to manually track and monitor the misappropriated assets, which could be split across many different wallets over multiple hops — a common money laundering method employed by some bad actors.

The Crypto Asset Monitor Solution (also known as CAMS), the latest addition to Uppsala Security’s growing set of Anti Money Laundering, Crypto Compliance and Digital Asset Tracking tools, aims to solve this issue.

CAMS offers close to real-time monitoring of digital assets originating from transaction hash(es) provided by users. Monitoring results are displayed through an informative dashboard, revealing key information such as the Virtual Asset Service Providers (VASPs) like Crypto Exchanges that were detected to have received the tracked funds, and a list of wallets that received and are still holding the tracked funds — enabling both investigators and even victims without blockchain tracking or forensics knowhow to monitor and track digital assets involved in a crypto incident swiftly, efficiently and effortlessly.

Using CAMS, our team has tracked, and is continuing to track, the assets involved in this Ronin Bridge Exploit incident.

CAMS Dashboard: List of Origin Receiver Wallet(s) on CAMS
Information relating to Origin Transaction(s) entered

The head of the CAMS dashboard displays information about the origin transaction(s) being tracked, including the list of origin transactions and the tokens involved with their amounts.

For the Ronin Bridge Exploit incident, the origin transactions supplied to CAMS would be the 2 fake withdrawals as seen in the List of Initial Transactions table above. The initial tokens involved were 173,600 Ether and 25.5M USDC as seen on CAMS below.

List of Tokens involved in incident, inclusive of their amounts

Next is a summary of the monitoring and tracking done by CAMS.

Key Monitoring & Tracking Information provided by CAMS

As seen above on the CAMS dashboard, a total of 206 transactions related to Ethereum, 12 ERC20 transactions, and 6 transactions involving token swaps were detected to have been made by the exploiter, with a total of 22 suspicious wallets involved. 2 Decentralized Exchanges (DEX) and 4 VASP wallets (Exchange, Bridges, Mixers) were detected to have received the tracked funds.

CAMS is also able to identify and list all wallets that were detected to have received and are still holding the tracked funds. This also includes the amount of tracked funds sitting in each wallet. As seen below, funds from the Ronin Bridge Exploit were detected to be parked in 4 wallets as of time of writing.

List of Wallets detected to have received and are still holding the tracked funds

An important feature of CAMS is the identification of VASP (Exchange, Mixer, Bridge) wallets that have received tracked funds. Identifying such wallets allows victims, investigators or law enforcement agencies to reach out to the VASPs involved to seek cooperation and assistance. This could take the form of retrieving or freezing funds, or of supporting the investigation by obtaining and providing information, including KYC information if available.

For the Ronin Bridge Exploit incident, funds were detected to have flowed into 3 Exchanges — Huobi, FTX and Crypto.com, across 4 exchange hot wallets.

The breakdown of tokens reaching each of the 4 Exchange wallets is accessible via the dropdown above, and shown below:

Total of 0.998769 Ether originating from incident ended up at Crypto.com’s Hot Wallet (0x6262998ced04146fa42253a5c0af90ca02dfd2a3)
Total of 1219.961779 Ether originating from incident ended up at FTX Exchange’s Hot Wallet (0xc098b2a3aa256d2140208c3de6543aaef5cd3a94)
Total of 1249.978115 Ether originating from incident ended up at one of Huobi Exchange’s Hot Wallets (0x28ffe35688ffffd0659aee2e34778b0ae4e193ad)
Total of 2499.947583 Ether originating from incident ended up at another Hot Wallet of Huobi Exchange (0x73f8fc2e74302eb2efda125a326655acf0dc2d1b)
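
The multi-hop tracking described above (follow funds from the origin transactions, stop at labelled VASP wallets, list wallets still holding) can be illustrated with a forward trace over a transfer ledger. This is an added example, not CAMS code or Uppsala Security's method: the ledger, transaction ids, intermediate wallet names, amounts and the "tracked funds leave first" rule are assumptions, and only the four exchange hot-wallet addresses come from this page.

```python
from collections import defaultdict
from decimal import Decimal

# Exchange hot wallets named in the breakdown above.
CRYPTO_COM = "0x6262998ced04146fa42253a5c0af90ca02dfd2a3"
FTX = "0xc098b2a3aa256d2140208c3de6543aaef5cd3a94"
HUOBI_1 = "0x28ffe35688ffffd0659aee2e34778b0ae4e193ad"
HUOBI_2 = "0x73f8fc2e74302eb2efda125a326655acf0dc2d1b"
VASP_LABELS = {CRYPTO_COM: "Crypto.com", FTX: "FTX", HUOBI_1: "Huobi", HUOBI_2: "Huobi"}

# Constructed ledger in chronological order: (tx id, sender, receiver, ETH).
# Tx ids, intermediate wallet names and amounts are made up for illustration.
TRANSFERS = [
    ("tx1", "bridge", "exploiter", "1000"),   # origin transaction
    ("tx2", "exploiter", "hop_a", "600"),
    ("tx3", "exploiter", "hop_b", "300"),
    ("tx4", "hop_a", FTX, "250"),
    ("tx5", "hop_a", "hop_c", "350"),
    ("tx6", "hop_c", HUOBI_1, "100"),
    ("tx7", "hop_b", HUOBI_2, "200"),
    ("tx8", "unrelated", "hop_b", "50"),      # untracked inflow, commingled
    ("tx9", "hop_b", CRYPTO_COM, "120"),      # only 100 of this is tracked
]
ORIGIN_TXS = {"tx1"}

def trace(transfers, origin_txs, vasp_labels):
    """Return (tracked total per VASP, tracked balance per wallet still holding)."""
    tracked = defaultdict(Decimal)   # wallet -> tracked funds currently held
    at_vasp = defaultdict(Decimal)   # VASP name -> tracked funds received
    for tx_id, sender, receiver, amount in transfers:
        amount = Decimal(amount)
        if tx_id in origin_txs:
            moved = amount                        # everything in an origin tx is tracked
        else:
            moved = min(amount, tracked[sender])  # assumption: tracked funds leave first
            tracked[sender] -= moved
        if moved == 0:
            continue                              # transfer carries no tracked funds
        if receiver in vasp_labels:
            at_vasp[vasp_labels[receiver]] += moved   # stop: hot wallets pool customer funds
        else:
            tracked[receiver] += moved
    holding = {w: bal for w, bal in tracked.items() if bal > 0}
    return dict(at_vasp), holding

if __name__ == "__main__":
    vasps, holding = trace(TRANSFERS, ORIGIN_TXS, VASP_LABELS)
    print("reached VASPs:", vasps)
    print("still holding:", holding)
```

The per-VASP totals plus the balances still held always sum to the origin amount, which is a useful sanity check when reconciling a trace against the origin transactions.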

To help facilitate investigations and document the flow of tracked funds, the list of all transactions involved is also made available through the CAMS dashboard.

List of Transactions involved in the incident

Also available are various infographics which could provide valuable insights into the movement of tracked assets. These could potentially help investigators profile and identify patterns in the laundering or transaction activity of the bad actor.

Some of the infographics provided on CAMS

As token swaps are supported on CAMS, we were also able to view all the token swaps that were detected to have been executed by the exploiter. This includes details on each swap, including the hash, tokens involved, smart contract which facilitated the swap, and also the DEX used. As seen below, the exploiter was detected to have swapped the USDC involved for Ether through 1inch and Uniswap.

List of Token Swaps made by the exploiter

The entire transaction flow related to the incident is also clearly displayed on the CAMS dashboard through a transaction flow visualization graph. Token swaps were made by the exploiter at 2 different wallets to 1inch and Uniswap respectively, and the tracked funds ultimately reached 4 Exchange hot wallets.

Transaction Flow Visualization Graph on CAMS

Being a close to real time monitoring solution, CAMS will continue to actively monitor any new transactions related to these tracked assets from the Ronin Bridge Exploit, and new information will subsequently be reflected on the CAMS dashboard.

CAMS will be officially released soon. Parties interested in CAMS can reach out to our team at support@uppsalasecurity.com.

Alternatively, victims of digital asset crime requiring digital asset tracking services can also head over to https://uppsalasecurity.com/trackingsvc/ to find out more on the Digital Asset Tracking Service provided by our team.

About Uppsala Security

Uppsala Security built Sentinel Protocol, the first crowdsourced Threat Intelligence Platform powered by artificial intelligence, blockchain technology, and machine learning. Supporting the framework is a team of experienced cyber security professionals who have developed an award-winning suite of advanced tools and services for Crypto AML/CFT, Transaction Risk Management (KYC/KYT), Transaction Tracking, Regulatory Compliance, and Cybersecurity enabling organizations of every type and size to protect their crypto assets from malicious attacks and scams while meeting stringent regulatory compliance standards. Today Uppsala Security has over two thousand (2K+) users including government agencies, financial institutions and leading enterprises providing crypto exchanges, payment services, wallets, custodial services, gaming, and fintech solutions.

Uppsala Security is headquartered in Singapore, and has branch offices in Seoul, South Korea and Tokyo, Japan. You can follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.


Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud