PANews reported on February 20 that, according to The Block, on-chain data showed that the funds stolen through the Phemex vulnerability last month were being moved. The hacker (or more likely a group of hackers) began to split part of the ill-gotten gains across new addresses and transfer the tokens to Tornado Cash.
According to a report published by Swiss blockchain analysis firm Global Ledger, the hacker first transferred more than 2,080 ETH (worth about $6 million) to 14 new addresses. Less than 4,000 ETH remained in the main Ethereum wallet associated with the attack.
As with the initial hack of the Singapore exchange, the transfers appear to have been coordinated by a group of people with extensive on-chain experience, involving multiple hops and interacting with multiple different protocols and platforms. For example, a newly created wallet received 601.34 ETH in five separate transactions, and then consolidated those funds into another new address on the cross-chain token bridge Across Protocol. The funds were further obfuscated when sent to a second Across address.
In addition to direct transfers to Tornado Cash and eXch mixers to anonymize funds, hackers sometimes used platforms such as Wintermute, DLN Trade Protocol, and THORChain to exchange assets.
Global Ledger noted that while a small amount of funds also flowed to platforms such as OKX and CoinEx (possibly to be cashed out), most fund transfers used on-chain tools such as Bitget’s bridge service and the ChangeNOW wallet.

