Chainalysis Tracks THORChain Attack Source: Demonstrates Sophisticated Money Laundering Capabilities, Moving Funds Cross-Chain for Weeks Before Executing Attack
Odaily News: Chainalysis posted on X that, before the THORChain exploit, wallets potentially linked to the attacker had been moving funds across Monero, Hyperliquid, and THORChain for several weeks. As early as late April, the attacker-associated wallets funded positions on Hyperliquid via the Monero privacy bridge. The funds were then converted to USDC, transferred to Arbitrum, and subsequently bridged to Ethereum. A portion of the ETH was then sent to THORChain to stake RUNE for a newly joined node, which is believed to be the source of the attack.
Subsequently, the attacker bridged some of the RUNE back to Ethereum and split it into four chains. One of these chains led directly to the attacker: after the funds moved through intermediary wallets, 8 ETH was sent, just 43 minutes before the attack, to the wallet that would ultimately receive the stolen funds. The funds in the other three chains flowed in reverse. Between May 14 and 15, these wallets bridged the ETH back to Arbitrum, deposited it into Hyperliquid, and then transferred it to Monero via the same privacy bridge, with the final transaction occurring less than 5 hours before the attack began. As of Friday afternoon, the stolen funds have not been moved, but the attacker has demonstrated proficiency in cross-chain money laundering. The Hyperliquid-to-Monero route may indicate their next move.
