Following days of inactivity, the address associated with the theft of $323 million worth of ETH from the cross-chain protocol Wormhole began shuffling assets, Etherscan records show.
News of the activity was first noted by Twitter user @Spreekaway earlier Monday.
The series of swaps began as the exploiter address consolidated ETH prior to initiating a swap for 95,630 ether ($157.2 million) into staked ether (stETH) via the DEX aggregator OpenOcean.
After that the stETH was swapped for 86,473 wrapped staked ETH (wstETH), Lido’s form of liquid staked ether, which is compatible with DeFi trading platforms.
With the wstETH as collateral, the hacker took out a $13 million DAI loan that was used to buy roughly 7,989.5 ETH via KyberNetwork, according to blockchain data. The hacker repeated the process to continue leveraging up.
“Either this guy is just having fun on-chain with exploited assets or has some long position on stETH when he decided to make the trade,” said Steven Zheng, The Block’s director of research.
The magnitude of the trade was felt in markets, causing stETH to repeg, according to Dune Analytics.
Wormhole responded to the exploiter reiterating its offer to capitulate with a $10 million bounty award “for the return of all stolen funds” in an on-chain message.