One of the wallets associated with the $50 million exploit of Uranium Finance in April 2021 appears to have awoken after 647 days of dormancy, with funds headed towards crypto mixer Tornado Cash.
The sudden move was highlighted on Mar. 7 by cyber security firms PeckShield and CertiK on their respective alert accounts on Twitter.
#PeckShieldAlert After 647 days, @UraniumFinance hacker started move 2250 ETH (~$3.35m) stolen funds into @TornadoCash. On April 28, 2021, the hacker drained approximately $50 million worth of tokens from Uranium's “pair contracts”. https://t.co/mBhMxmAdS5 pic.twitter.com/OOF3R0w3ll
— PeckShieldAlert (@PeckShieldAlert) March 7, 2023According to data from Etherscan, the hacker moved the 2,250 Ether (ETH) or $3.35 million over a seven-hour period in transactions ranging from 1 ETH to 100 ETH — with all the funds heading to Tornado Cash.
This is, however, just one of the wallets associated with the hacker. Another Ethereum wallet linked to the hacker shows it was last active 159 days ago, with 5 ETH being sent to privacy-focused Ethereum zk-rollup on Aztec.
This marks yet another occasion in 2023 in which a hacker’s wallet has come out of dormancy after a lengthy hiatus. In January, the Wormhole hacker moved around $155 million worth of ETH almost a year after exploiting the Wormhole bridge for $321 million in early 2022.
The same month, a notorious hacker dubbed the “blockchain bandit” also moved around $90 million after a six-year slumber.
In February, the Wormhole hacker moved another $46 million worth of stolen funds, while popular blockchain sleuth ZacXBT highlighted via Twitter on Feb. 23 that “dormant funds left over” from the April 2018 $230 million Gate.io exchange hack by “North Korea began to move after over 4.5 years.”
Dormant funds left over from the April 2018 Gate $230m hack by North Korea began to move after over 4.5 years.
0xff8E0c9Cf3d7C0239aB157eC2D56bC1cFcD80757
A small amount was deposited to MEXC 10 hrs ago. pic.twitter.com/iHhniTtVIM
— ZachXBT (@zachxbt) February 22, 2023Binance Smart Chain-based automated market maker Uranium Finance was exploited on Apr. 28, 2021. The hack itself was reportedly the result of a coding vulnerability that allowed the hacker to siphon $50 million during Uranium’s v2.1 protocol launch and token migration event.
The platform seemingly shut down shortly after the hack, with its last Twitter post published on Apr. 30, 2021 and urges users to remove funds from its various liquidity pools.
Please read our latest medium article : "Last rewards of the money pot, please remove funds from pools" :https://t.co/W5uw0DUSXS
— Uranium Finance (@UraniumFinance) April 29, 2021Unanswered questions
It is also worth noting that on Apr. 28, 2021, someone claiming to be a member of the project’s development team suggested in the Uranium discord channel the hack may have been an inside job.
They outlined that only a small number of team members knew of the security flaw prior to the v2.1 protocol launch, and questioned the suspicious timing of the hack being just two hours before launch.
Since then, reports have gone cold on the project and its victims. However, Binance forum posts from October 2022 suggest that users have been left out in the cold.
Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama
On Oct. 26, User “RecoveryMad” made a post asking for a follow-up on the hack, and noted that the person representing the Uranium team in the community Telegram had “vanished.”
In response, user “nofiatnolie” claimed that “No investigation was performed. It was swept up under the rug. There are still victim groups with no answers and crowd-sourced investigations [are] pointing at the developers of Uranium and others as the suspects.”