The Cream Finance exploiter is moving funds, more than 16 months after hacking the DeFi protocol, stealing over $136 million of various crypto assets.
Cream Finance Exploiter Transfers Funds
According to CertiK, a blockchain analytic platform, the exploiter moved 365.69 ETH, worth roughly $600,000 at spot rates, to a new address. The amount is part of the over $136 million tokens stolen in late October 2021.
Cream Finance exploiter 0x70747df6ac244979a2ae9ca1e1a82899d02bbea4 sent ~$600K (365.69 ETH) to address 0x4648451b5f87ff8f0f7d622bd40574bb97e25980
Stay vigilant! pic.twitter.com/IpFdzctstp
— CertiK Alert (@CertiKAlert) January 30, 2023
Funds were moved to another address. It is not yet clear what the hacker intends to do with the $600,000. Cream Finance is a blockchain-agnostic DeFi protocol deployed on Ethereum, Fantom, Polygon, and the BNB Smart Chain (BSC).
It was forked from Compound, a competing lending platform, and remains open source. Cream Finance offers a wide range of services, including lending, yield farming, and token exchange. CREAM, the governance token of Cream Finance, is changing hands at $12.83 when writing on January 30.
In crypto, addresses holding stolen funds are always marked and therefore tainted. It makes it hard for hackers to launder stolen funds on centralized exchanges or other platforms without being identified. The decision by platforms to join hands to combat money laundering from crypto and DeFi hackers is bearing fruits.
These platforms, mostly centralized exchanges like Binance, Coinbase, or Huobi, allow users to purchase fiat currencies, including the USD, JPY, or Euro, and are compliant with applicable know-your-customer (KYC) and anti-money laundering (AML) rules. This means agents trying to launder funds through these portals can be mapped out in the real world and prosecuted.
By picking out this transfer, CertiK is updating the crypto and DeFi community that the perpetrator of the hack is still active and trying to shuffle funds through various addresses. However, considering the transparent nature of underlying blockchains, including Ethereum, it is easy to track transactions despite the sender’s private identity. Any mistake on the hacker’s end can lead to their IP address being uncovered or their identity decrypted, bringing them to the custody of law enforcement agents.
To counter this possibility and conceal their tracks, hackers use crypto mixers like Tornado Cash. Despite the United States Treasury Department banning citizens from using mixers like Tornado Cash, users prefer the tool. Many users are hackers wishing to cash out the funds anonymously.
DeFi Under Attack
In late October 2021, Cream Finance was hacked for over $136 million. The hacker targeted the protocol’s v1 lending market, siphoning several ERC-20 tokens and CREAM governance tokens. Through a series of flash loans, the attacker manipulated the protocol’s yield, allowing for borrowing more assets than collateralized.
The attack was the protocol’s third in 2021, questioning the security of DeFi dApps against determined attackers, some of whom might be sponsored by governments like North Korea. In mid-January, Lazarus Group, a hacker cell associated with North Korea, attempted to launder $63.5 million.
We detected Harmony One hacker fund movement. They previously tried to launder through Binance and we froze his accounts. This time he used Huobi. We assisted Huobi team to freeze his accounts. Together, 124 BTC have been recovered. CeFi helping to keep DeFi #SAFU!
— CZ Binance (@cz_binance) January 16, 2023
However, Binance and Huobi picked out their transfers and froze assets. Funds were part of the amount stolen from the Harmony Bridge hack.