In brief

  • Yesterday, a hacker stole 370,000 ($8 million) from Nexus Mutual CEO Hugh Karp.
  • New data from Scorechain shows the hacker has been trying to convert the funds into Bitcoin.
  • According to the data, the hacker still has about half the stolen funds to cash out.

New data from blockchain analytics company Scorechain has shown what happened since a hacker stole about 370,000 NXM ($8 million) from Nexus Mutual CEO Hugh Karp yesterday. 

The hacker used a combination of a modified Metamask and hardware wallet to trick Karp into signing a transaction that directed funds to the attacker’s address. Described as a “targeted personal attack” by Nexus Mutual, and a “very nice trick” by Karp himself, new data sheds light on exactly what happened. 

According to Scorechain, the hacker has been busy converting the stolen NXM into Bitcoin. This is how he did it.


Following the money

First, the hacker converted the stolen funds to wrapped NXM, which was then moved to an address ending in 2e2b. What followed were multiple swaps using decentralized exchange Uniswap, through 1Inch Exchange. According to Scorechain, this was done to “find optimal swap routes,” meaning that the hacker was trying to find the best price to sell the stolen funds. 

Physical version of Bitcoin (new virtual money) and banknotes of one dollar
Bitcoin is like digital cash. Image: Shutterstock

After selling the wrapped NXM to ETH, the hacker made another move, swapping the ETH to renBTC, a token that is part of the Ren Protocol project. RenBTC is a decentralized representation of Bitcoin within the Ethereum network. The hacker exploited renBTC in order to convert the stolen funds into Bitcoin. 

The hacker did this by burning the renBTC to receive Bitcoin in three separate transactions, all of which occurred today. 

Consequently, according to Scorechain, the hacker is now in possession of 147 Bitcoin. By current prices, this represents a total of just under $2.9 million. 

Harvest Finance similarities

This is not the first time a hacker has used renBTC to convert stolen funds into Bitcoin. 


In October of this year, a hacker attacked Harvest Finance, a decentralized finance (DeFi) protocol. The attacker exploited about $24 million from the protocol before using renBTC to convert the stolen funds to Bitcoin.

“The ‘interesting’ thing in this case is again the use of the RenBTC protocol as it has been the case for the Harvest Finance hack,” Lisa Boussard, marketing team leader at Scorechain, told Decrypt.

According to Scorechain, the hacker is still to cash out 198,000 NXM, meaning he still has half the stolen funds to move.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.