The Nexus Mutual attacker has laundered $2.7 million of the $8 million that they stole from the Nexus Mutual founder on December 14th. According to the blockchain analytics firm Scorechain, the attacker has cashed out roughly 35% of the stolen funds, liquidating them by way of decentralized exchanges.
How the attacker cashed out
It all started on December 14th when the attacker was able to trick Nexus Mutual CEO Hugh Karp into signing a transaction that drained his wallet of 370,000 NXM (which was equal to roughly $8.3 million at the time of the attack) and sent that money directly to the attacker’s wallet.
Afterward, the attacker sent the stolen NXM to the 1inch exchange and made several swaps through Uniswap, routed via 1inch, to find the optimal routes for swapping the NXM for ETH.
Subsequently, the attacker swapped their ETH for renBTC, an ERC-20 token backed 1:1 by BTC. The attacker then redeemed their renBTC for BTC through three separate transactions worth 46.14 renBTC, 75.93 renBTC, and 15.12 renBTC respectively, which leaves the attacker with 137 BTC, worth roughly $2.7 million as of press time.
Considering that the attacker has already begun cashing out, it is probably safe to say that the Nexus Mutual founder will not be getting the stolen funds returned to him, even though he kindly asked the attacker to return the money.
Is renBTC a tool to launder money?
Interestingly, the Nexus Mutual attacker used a liquidation method similar to that of the Harvest Finance attacker, swapping the stolen funds for renBTC and redeeming their renBTC for BTC.
“The ‘interesting’ thing in this case is again the use of the renBTC protocol as it has been the case for the Harvest Finance hack,” said Lisa Boussard, the marketing team leader at Scorechain.
If DeFi project attackers continue to use renBTC to launder their funds, it may pose some trouble for the project and put it on the radar of law enforcement officials as well as blockchain analytics firms.