Hacker Exchanges $150 Million in ETH Into Staked Coins

Updated: 24 January 2023

Disclosure

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Join Our Telegram channel to stay up to date on breaking news coverage

After several days of dormancy, the address linked to the theft of $323 million worth of Ethereum (ETH) from Wormhole has begun shuffling assets, according to records on Etherscan.

The news about the activity on the cross-chain protocol Wormhole was first highlighted by Twitter user @Spreekaway on Monday, January 23, noting that the threat actor had converted his ETH to wstETH and was going to borrow DAI against it.

Wormhole exploiter has converted his ETH to wstETH and is going to borrow DAI against it it seems. pic.twitter.com/9rhERSMG5u

— Spreek (@spreekaway) January 23, 2023

Based on blockchain transaction history, the exploiter transferred the funds onto a decentralized exchange (DEX) and then went on to cycle funds around different DeFi protocols.

Wormhole is a communication bridge linking Solana to other DeFi blockchain networks. The hackers stole approximately $320 million from it in 2022, marking it one of the biggest thefts of that kind. However, the losses were refunded by the crypto division of trading giant Jump, a leading force behind Wormhole.

How the Hacker Performed the Swaps

The series of swaps started as the threat attacker address consolidated Ether before starting off a swap for 95,630 ETH ($157.2 million) into the staked ether (stETH) through OpenOcean, the famous decentralized exchange (DEX) aggregator.

The exploiter then swapped the stETH for 86,473 wrapped staked ETH (wstETH). Notably, wstETH is Lido’s form of liquid staked ether and is compatible with decentralized finance (DeFi) trading platforms.

#CertiKSkynetAlert ?

We are seeing address 0x629e… Wormhole Network Exploiter swap 95,630 Ether (~$155M) to stETH

Stay safe! pic.twitter.com/ZR6zxlRuKX

— CertiK Alert (@CertiKAlert) January 23, 2023

Twitter user @Spreekaway dug further into the transaction history, highlighting that the hacker proceeded to perform several other odd transactions. Spreekaway noted, “Wormhole exploiter has converted his ETH to wstETH and is going to borrow DAI against it, it seems.”

Blockchain data shows that using the wstETH as collateral, the exploiter withdrew a $13 million DAI loan and used it to purchase almost 7,989.5 ETH through KyberNetwork.

The hacker went on to leverage up using the same process.

Speaking on the matter, the head of research at The Block Steven Zheng, said:

Either this guy is just having fun on-chain with exploited assets or has some long position on stETH when he decided to make the trade.

Staking entails earning rewards by locking up ETH coins in an attempt to aid in securing the Ethereum network. Crypto protocols such as Lido offer liquid avatars of these locked-up tokens, thereby enabling easier and more flexible access to staking rewards.

Crypto Market Impacted By the Swapping Activity

The entire crypto market felt the magnitude of the hacker’s trade, with Dune Analytics reporting that it caused stETH to regain its 1:1 ETH peg. It affected the price of stETH, causing the asset’s price to move from slightly below the peg of 0.9962 ETH on January 23 to as high as 1.0002 ETH the following day before dropping back to 0.9981 at the time of writing.

Nevertheless, in an attempt to respond to the hacker, Wormhole said through an on-chain message that it would capitulate “for the return of all stolen funds” with a $10 million bounty award. The cross-chain protocol left an embedded message conveying such in a transaction via the Wormhole: Deployer.

The Wormhole exploit was the third largest crypto hack in 2022, after the protocol’s token bridge suffered an exploit on February 2, 2022, resulting in the loss of 120,000 Wrapped ETH (wETH) worth around $321 million.

With the Wormhole exploit likely to receive more attention following this recent update, blockchain security companies like Ancilia Inc. have warned that searching the keywords “Wormhole Bridge” in Google is currently showing promoted ad websites that are actually phishing operations, according to a January 19 announcement on Twitter.

? #phishing alert? When you search "wormhole bridge" in Google, many of the "ad" entries are actually phishing site. E.g.
hxxps://wormholebridge-multichain.com/
hxxps://portaltoken-wormholebridge.com. Be careful about what you click and stay safe! pic.twitter.com/C6JW2xeaUh

— Ancilia, Inc. (@AnciliaInc) January 19, 2023

Similarly, the community has been cautioned to remain vigilant on what they click regarding the phrase “Warmhole Bridge.”