Chainalysis traces THORChain attack source: attacker has sophisticated money laundering capabilities and moved funds across chains for several weeks before executing the attack
Odaily Planet Daily News: Chainalysis stated in a post on X that, before the THORChain theft, wallets allegedly related to the attacker had been moving funds through Monero, Hyperliquid, and THORChain for several consecutive weeks. As early as the end of April, the attacker's associated wallets funded Hyperliquid positions via Hyperliquid and the Monero privacy bridge. The funds were then exchanged for USDC, transferred to Arbitrum, and bridged to Ethereum. Part of the ETH was then transferred to THORChain to stake RUNE for a newly joined node, which is considered the source of the attack.
Afterwards, the attacker bridged part of the RUNE back to Ethereum and split it into four chains. One of these chains went directly to the attacker. After passing through intermediate wallets, 8 ETH was transferred to the wallet that ultimately received the stolen funds 43 minutes before the attack. The funds on the other three chains flowed in reverse. From May 14 to 15, these wallets bridged the ETH back to Arbitrum again, deposited it into Hyperliquid, and transferred it to Monero via the same privacy bridge. The last transaction occurred less than 5 hours before the attack began. As of Friday afternoon, the stolen funds have not been touched, but the attacker has demonstrated their sophisticated cross-chain money laundering capabilities. The path from Hyperliquid to Monero may be the next move.
