In April last year, a hacker exploited a bug in Optimism-based DeFi protocol Hundred Finance, making off with $7.4 million.
After over a year of silence, the stolen funds are now on the move.
At around 10:25 am London time on Wednesday, the hacker withdrew almost $800,000 worth of Ether and Tether’s USDT stablecoin from decentralised exchange Curve after using the tokens to provide liquidity there over a year ago.
Following the withdrawal, the hacker used decentralised exchange Uniswap to swap the USDT, as well as smaller amounts of other cryptocurrencies like PAXG, WOO, FRAX and DAI, into Ether.
In total, the transactions increased the wallet’s Ether holdings by just over $1 million.
The hacker now holds $4.2 million worth of Ether, $1.2 million DAI, $859,000 of Synthetix’s sUSD stablecoin, and smaller amounts of Wrapped Ether, FRAX, SNX, and Wrapped Bitcoin.
Why the hacker suddenly decided to start moving funds after all this time isn’t known. If the hacker is still in control of the wallet and behind the transactions, it could signal they are preparing to cash out the stolen funds.
Hackers often convert stolen crypto into Bitcoin or Ether in order to more easily swap it for fiat currency.
Could the hacker cash out?
It may be increasingly difficult for the hacker to cash out their stolen crypto.
Before attempting to cash out funds through a centralised crypto exchange, the hacker will need to break the chain of traceability that links the funds to the wallet that conducted the hack.
Previously, hackers have relied on crypto mixers such as Samourai Wallet or privacy protocols like Tornado Cash to launder funds.
But regulators worldwide are cracking down on ways crypto users can obfuscate their transaction histories.
On April 24, the European Parliament voted to ban crypto mixers as part of new anti-money laundering regulations.
Then on April 25, the DoJ charged two founders of crypto mixer Samourai Wallet with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business.
In the case of Samourai Wallet, US authorities took control of the crypto mixer’s servers, leaving it inoperable.
The enforcement actions have also dissuaded users from using crypto mixers and privacy protocols. In September 2022, developers at privacy protocol Tornado Cash told crypto security firm Elliptic that low liquidity on the protocol meant that users were struggling to mix even $100.
The Hundred Finance hack: One year later
Hundred Finance was a protocol forked from popular lending protocol Compound v2 that let users lend and borrow crypto.
On April 15 2023, a hacker exploited a bug in Hundred Finance’s code to steal approximately $7.4 million from depositors.
The hacker exploited a rounding error in how the protocol processed withdrawals, letting them use a small amount of Wrapped Bitcoin as collateral to withdraw more assets than they should have been able to.
Following the exploit, Hundred Finance first offered a $500,000 open bounty for information that could lead to the arrest of the hacker and the retrieval of the stolen assets.
Later, the protocol attempted to negotiate a return of the funds by offering the hacker 10% of the stolen funds, around $740,000, for the safe return of the remaining 90%.
Both attempts to recover the stolen funds failed, and Hundred Finance token holders voted to shut the project down on August 9.
Tim Craig is a DeFi Correspondent at DL News. Got a tip? Email him at tim@dlnews.com.