Phemex hacker transfers some funds to coin mixers such as Tornado Cash

Reprinted from panewslab
02/20/2025
PANews reported on February 20 that, according to The Block, on-chain data showed that the funds stolen through the Phemex vulnerability were being transferred last month. The hacker (or, more likely, a group of hackers) began splitting some of the ill-gotten gains across new addresses and transferring the tokens to Tornado Cash.
According to a report released by Swiss blockchain analytics firm Global Ledger, the hackers first transferred more than 2,080 ETH (worth about $6 million) to 14 new addresses. Less than 4,000 ETH remains in the main Ethereum wallet associated with this attack.
As with the initial hack of the Singapore exchange, the transfers appear to have been carried out by a group with extensive on-chain experience: they involve multiple hops and interact with several different protocols and platforms. For example, a newly created wallet received 601.34 ETH in five independent transactions and then consolidated the funds into another new address on the cross-chain token bridge Across Protocol. The funds were further obfuscated when sent to the second Across address.
In addition to transferring funds directly to the Tornado Cash and eXch mixers to anonymize them, the hackers sometimes use platforms such as Wintermute, DLN Trade protocol and THORChain to exchange assets.
Global Ledger notes that while a small portion of the funds also flows to platforms such as OKX and CoinEx (where it may be cashed out), most of the fund transfers use on-chain tools such as Bitget's bridging services and ChangeNOW wallets.