KuCoin Hacker Is Using DeFi Exchange Uniswap to Launder Funds

The hacker who on Friday stole about $200 million from cryptocurrency exchange KuCoin is now attempting to launder the money. 

The hacker's stolen loot was made up of several hundred different cryptocurrencies, including Bitcoin, Ethereum, and XRP. Around 150 of these tokens were ERC-20 tokens—tokens based on the Ethereum blockchain—such as Synthetix (SNX). But to cash out, the crook must eventually trade that all in for fiat currencies, such as dollars. 

Yesterday, the hacker sold off trace amounts of Synthetix, the token that powers the eponymous decentralized derivatives platform. But today, the hacker has finally gone for gold. 

According to Whale Alert, a Twitter bot that tracks significant cryptocurrency transactions on the blockchain, the hacker moved $1.1 million Synthetix (SNX) to Uniswap, a decentralized exchange. Since Uniswap is decentralized—i.e. not run by a company—the hacker doesn’t have to confirm their identity, nor can anyone prevent the hacker from trading on there.

From Uniswap, the hacker can exchange those funds for Ethereum or other Ethereum-based tokens. Since all of these transactions are indelibly recorded on the blockchain, the hacker must finish laundering the money. One obvious way would be to “mix” the stolen tokens by putting them in software designed to obscure the origins of transactions.

Breaking it down, the hacker’s moved about $1.1 million worth of SNX. The hacker has also moved huge several million of cryptocurrencies, much of it in Chainlink (LINK), according to Whale Alert, to unknown wallets. 

Several smaller crypto projects, concerned that the hacker would dump these funds on the market and break their economies, invalidated or froze the hacker’s stolen funds. (This caused a ruckus among several crypto luminaries, who said that this undermined crypto’s principle of decentralization.)

Decrypt reported yesterday that crypto projects froze or invalidated—or intend to freeze or invalidate—about $130 million of these tokens. Since then, crypto projects prevented the hacker from using another $10-15 million of the funds.

KuCoin said that the hacker drained its funds by using a leaked key to access its hot wallets. Hot wallets are cryptocurrency wallets that are connected to the internet—as opposed to cold wallets, which are held offline. The hacker is still at large and KuCoin is offering bounties of up to $100,000 to anyone who provides “valid information” about the hack.

Though crypto projects stopped much of the hacker’s money in its tracks, that crypto won’t end up back up in KuCoin’s wallets. It is still out of pocket to the tune of about $200 million. But CEO Johnny Lyu said in a livestream on Saturday that the company has enough money to cover the losses and will reimburse anyone who lost money.