The WazirX exploiter continues to move thousands of stolen assets between new wallets, with some of the latest batch being laundered through cryptocurrency mixer Tornado Cash.
Blockchain security platform Cyvers recently indexed the transfer of exactly 5,001 Ethereum (ETH) from the abuser’s address to a new wallet.
On-chain data confirms that this transaction occurred today at 06:53 UTC, resulting in the creation of the recipient address 0x5…a6a.
Shortly after receiving the 5,000 ETH tokens, the new wallet began laundering them in multiple batches of 100 ETH each, worth around $232,000, through Tornado Cash. The address has moved 36 batches, or 3,600 ETH, to the crypto mixer so far.
As the news is being prepared for publication, the money laundering operation is ongoing and the total amount is expected to increase in the coming hours in light of data from previous transactions.
This pattern is consistent with the behavior of the WazirX exploiter. After accumulating over 43,800 ETH through multiple transactions after the attack, the primary wallet held the tokens for up to six days and redirected the funds to Tornado Cash via new addresses.
To date, the abuser has transferred 20,004 ETH to four different addresses, each of which has received 5,001 ETH since September 12. These new wallets typically transfer the entire amount to Tornado Cash in batches of 100 ETH, meaning the latest address still has 2,601 ETH waiting to be laundered.
Meanwhile, another primary wallet connected to the exploiter also conducted similar transactions, with one of the 5,000 ETH transfers identified in a report dated September 5.
Recall that the WazirX hack in July saw the leading Indian exchange lose more than $230 million worth of crypto assets from its multi-signature wallet. Shortly after, the hacker began converting the assets to Ethereum.
The exchange attributed the attack to a vulnerability in its custody provider, Liminal Custody. However, the crypto custodian denied these speculations. Interestingly, a recent audit by Grant Thornton found that the exploit occurred outside of Liminal.
Amid the ongoing money laundering scheme, an X account seeking justice for affected WazirX users has alleged that the attack may have involved an insider, citing on-chain data and reports submitted to the Delhi police.