The perpetrators of this hack moved a portion of the stolen funds into Tornado Cash, the Ethereum mixer service, barely a week after exploiting Deribit’s hot wallet.
Deribit hack decoding
Deribit, a Dutch cryptocurrency exchange, reported the exploit of its hot wallet on November 2nd. The actual hack occurred late on November 1st, with the hackers stealing $28 million in BTC, ETH, and USDC.
Deribit stated that the hack only affected its hot wallet and not its cold wallet. The exchange also promised to reimburse any losses suffered by its customers.
Deribit hot wallet compromised, but client funds are safe and loss is covered by company reserves
Our hot wallet was hacked for USD 28m earlier this evening just before midnight UTC on 1 November 2022.
— Deribit (@DeribitExchange) November 2, 2022
Once the news of the hack rolled out, the platform immediately suspended all withdrawals. Through the tweet above, Deribit clarified that for their own safety, users should refrain from making any deposits or trades through the platform until the necessary security checks were completed.
The string of hacks and exploits continued into November, after several hundred million worth of crypto was stolen last month.
$2.5 million moved to Tornado Cash
According to data from Etherscan, the perpetrators transferred 1610 ETH to the Ethereum mixer service. This transfer was spread across 17 different transactions, with all but one worth 100 ETH each.
At press time, the transferred ETH was worth $2.5 million.
At the time of writing, the hacker’s wallet had 7501 ETH left, which was worth $11.8 million. This wallet initially received 9080 ETH following the hack last week and the remaining amount was likely held in BTC.
Tornado Cash was sanctioned in August this year by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Authorities cited the mixer’s role in aiding the laundering of billions in virtual currency with illicit origins.
However, the ban was widely criticized by the crypto community as unjust and as infringing upon users’ right to privacy.