In November 2021, Kyber Network, a decentralized exchange (DEX) facilitating token swaps, was exploited through a vulnerability that enabled the theft of over $5 million worth of crypto assets. At the time, little was known about the addresses involved or where the stolen funds had ultimately ended up. However, a recent analysis by Elliptic, a blockchain security firm, has provided deeper visibility into the movement of some of the exploited amounts in the aftermath.
One of the first transactions traced by Elliptic's investigation team was on November 22, just ten days after the hack occurred. It involved the transfer of 800 ETH (worth approximately $3 million at the time) from the exploiter's address to another wallet not previously associated with the incident. Through analyzing on-chain flows and clustering connected addresses, Elliptic linked this receiving wallet and several subsequent transactions to the original theft.
Tracing the Path of Stolen Funds
The report details how the 800 ETH was transferred through multiple intermediate addresses over the following months in an attempt to obscure the trail. However, Elliptic maintained the ability to follow the money by leveraging clustering algorithms and other investigative techniques. Smaller amounts were cashed out through major exchanges, with one exchange even freezing $730,000 in a linked account. The rest of the ETH was moved to a number of gambling and gaming sites.
Recovery Progress and Monitoring Continue
While not all of the originally exploited 5,000 ETH has been recovered to date, the exposure of how one portion of the stolen funds has moved since November represents progress in understanding the attacker's activities and preventing full laundering of the assets. Elliptic and other blockchain analytics companies continue systematic monitoring of addresses involved in past attacks. Their research assists law enforcement with ongoing recovery efforts and deters would-be perpetrators by demonstrating that stolen funds can still be traced long after an incident occurs.