About $63 million in StormCash reserves have been linked to a $282 million cryptocurrency wallet as of January 10.
Blockchain security firm Sertech said in an X-post on Monday that its monitoring system identified the StormCash interaction linked to the exploit.
The update expands on the money laundering mechanics following the January 10 incident, which is being tracked by multiple crypto investigators due to the amount lost and the speed with which the funds were transferred.
A sertech diagram maps the laundering route
According to Serek’s analysis, a portion of the stolen Bitcoin (BTC) was flipped into Ethereum, converted to Ether and then distributed to several addresses.
Serek found that at least 686 BTC were flipped to Ethereum using a cross-chain exchange, resulting in 19,600 ETH received by a single Ethereum address.
The funds were then split into multiple wallets, with several hundred tokens sent from each address before entering the TornadoCash, a privacy-based mixing protocol.
The figure of $63 million represents only a fraction of the total amount lost. However, fund movement shows how the attacker is working to obscure the trail after the initial cross-chain transfer during exploitation.
The recovery potential drops to “near zero” after entering the mixer
According to Marwan Hachim, CEO of blockchain security firm Firsof, the fund movements observed in the January 10 compromise reflect an established laundering playbook.
“This flow follows the large-scale money laundering playbook very closely, especially for cross-chain thefts involving BTC and LTC,” Hachim told QuintileGraph.
He said the use of Thorswap to convert so much to bitcoin before entering the mixer, and the resulting liquidation of the funds in about 400 ETH chunks, was “textbook”, as they help reduce distractions and significantly tighten post-mix recovery.
“Tornado is a major kill switch for cash traceability,” he said, adding that the chances of recovery in most cases “drop to near zero” once funds enter the mixer.
According to Hachim, mitigation options after mixer deposits are limited and increasingly unreliable.
Related: Travel? ‘Evil Twin’ Can Steal Wi-Fi Network Crypto Passwords
A social engineering attack turns into a seed phrase compromise
As previously reported by QuintalGraph, the Jan. 10 theft was discovered to be a social engineering attack that forced the victim to reveal a seed phrase.
Blockchain investigator Zack XBT said the attacker impersonated the wallet’s support staff, gaining complete control over the victim’s acquisitions. The compromised wallet contained approximately 1,459 BTC and over 2 million Litecoin (LTC).
Some of the stolen assets were also converted into privacy-oriented digital assets.
Security firm ZeroShadow previously said that about $700,000 in stolen funds had been flagged and frozen in the laundering process, although the majority of the assets have been out of reach.
Magazine: The Big Questions: Will Bitcoin Survive a 10-Year Power Outage?
