Blockchain analysis firm Chainalysis has shared new findings regarding the addresses behind the THORChain attack. According to the analysis published on the company’s X platform, the attackers used sophisticated money laundering methods, carrying out complex cross-chain fund transfers weeks before the attack.
According to data from Chainalysis, wallets linked to the attack have been moving funds between Monero, Hyperliquid and THORChain since late April. It appears that the attackers’ wallets deposited funds into positions on Hyperliquid via the Hyperliquid and Monero privacy bridges, then converted these assets to USDC and transferred them to the Arbitrum network. Subsequently, part of the funds were transferred to the Ethereum network and then sent to THORChain for staking. $RUNE for a newly joined node, which would be the source of the attack.
Related news Next US ETF Spot Jackpot Will Likely Hit This Altcoin
The analysis indicates that the attackers subsequently filled part of the $RUNE assets to the Ethereum network and split them into four different connections. One of these connections went directly to the attackers, going through an intermediary wallet and transferring 8 $ETH to an address that would receive the stolen funds just 43 minutes before the attack. In the other three connections, the flow of funds occurred in the opposite direction.
Chainalysis also said that between May 14 and 15, the wallets in question moved them. $ETH assets are sent back to the Arbitrum network, then deposited into Hyperliquid and finally transferred to Monero via the same privacy bridge. The last transfer reportedly took place less than five hours before the attack began.
The company added that as of Friday afternoon, the stolen funds had not yet been moved, but that the attackers possessed sophisticated cross-chain money laundering capabilities.
*This does not constitute investment advice.