An attacker who stole about $8.25 million from Nexus Mutual founder Hugh Karp's wallet address yesterday has now successfully withdrawn almost 35% of the funds.
According to The Block Research, the attacker used renBTC, an ERC-20 token backed 1:1 by bitcoin, to withdraw 137 bitcoin to two addresses. The withdrawn bitcoin is currently worth about $2.65 million, or about 35% of the stolen funds. It was worth about $2 million at the time of withdrawal (see chart below).
The attacker initially stole Nexus Mutual (NXM) tokens, then converted them first into ether (ETH) and then into renBTC via decentralized exchange (DEX) aggregator 1inch and DEX protocol Matcha. Specifically, the attacker sold 102,000 NXM on 1inch and 16,000 NXM on Matcha. The rest of the funds are still intact in the attacker's other addresses.
One of the attacker's addresses has a connection with crypto exchange Huobi, i.e., it is their Ethereum address on the exchange.
The attacker's withdrawals suggest that they are unlikely to return funds to Karp, who offered a bounty of $300,000 yesterday. While Karp has lost most of his funds, he said he still has a "material amount of NXM left."
As for how the attack occurred, Karp was tricked into approving a single spoofed transaction after the attacker gained access to his computer and altered his MetaMask extension.