A hacker that exploited the Uranium Finance DeFi platform in 2021 may have used "Magic: The Gathering" trading cards to try and launder their loot after running it through the Tornado Cash mixing service, the pseudonymous blockchain sleuth ZachXBT said on Thursday.
In a thread on X, ZachXBT outlined a series of moves that saw someone withdraw 11,200 ETH over the past year from Tornado Cash in 100 ETH increments. Then, that user swapped the ETH for wrapped ETH (WETH), transferred it to a new address, swapped it for USDC and then used some of it to buy "Magic: The Gathering" (MTG) trading cards.
Part of the funds were also deposited to centralized exchanges Kraken, Bitpay, and Coinbase, the researcher wrote.
ZachXBT said the steps appeared to have been taken to make it harder to track the funds back to their origin, which likely was the 2021 exploit of the Uranium Finance decentralized exchange. The timing of the Uranium hacker depositing funds to Tornado Cash, and the MTG cards buyer withdrawing them suggests they might well be the same person.
"In March 2023, the Uranium hacker deposited 52 X 100 ETH to Tornado & this person received 52 X 100 ETH," ZachXBT said. "March 6 & 14: Uranium Hacker deposits 52 X 100 ETH to Tornado. March 7 & 15: Our person withdrew huge volumes from Tornado."
Uranium Finance, a Binance Smart Chain-based fork of Uniswap, lost $50 million in a 2021 exploit, when an attacker used a calculation error in the code to siphon liquidity out of the protocol. During the migration to Uranium's V2 version, 80 bitcoin, 1,800 ETH, 17.9 million BUSD, 5.7 million USDT, 638,000 ADA, 26,500 DOT, 34,000 wrapped BNB, and 112,000 U92 tokens, a native token of Uranium, were drained.
After the exploit, the attacker sent 2,438 ETH to Tornado Cash. They also swapped the DOT and ADA tokens to ETH via Binance Smart Chain-based PancakeSwap and sent 80 bitcoin to AnySwap.
To buy the trading cards, ZachXBT said a person went to a U.S.-based broker who contacted sellers on their behalf. After talking to several sellers involved in the trades, ZachXBT found that the buyer "was spending millions on starter decks, alpha sets, sealed boxes," for which they overpaid by 5-10%. The buyer sent crypto to the broker upfront and never revealed their identity to the sellers.
A MTG card collector who goes by notsofast on X told The Block that the user ZachXBT tracked likely purchased high-value vintage cards that are hard to come across.
Starter decks are "old, rare, and irreproducible, they're the one kind of vintage product that has a very high price, likely easy verifiable authenticity and provenance, and trades infrequently." Alpha sets "are at the upper price range, they don't trade often, and when they do, either everyone knows about it, or the trade is deliberately kept secret so nobody knows."
The fact that the hacker could have bought the cards potentially taints the majority of the remaining supply of those cards, notsofast suggested in post on X.
Tornado Cash was sanctioned last November by the U.S. Treasury’s Office of Foreign Assets Control, and its founders were charged with "conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money transmitting business."
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.