$160m Wintermute Hack Analysis, Investigation & Predictions

September 20, 2022


    Today's $160 million Wintermute hack is the 7th largest in DeFi history. Using the Arkham Platform, we examined the on-chain data for this incident and visualized the flow of funds from Wintermute to the attacker.

    At the time of publishing, the hacker's top holdings are $114M in 3CRV, $13M in $WBTC and $9M in $ETH.

    The Wintermute Hacker's Largest On-Chain ERC-20 Holdings (Source: Arkham)

    As a result of this incident, Wintermute's on-chain holdings appear to be down to $55 million, roughly a third of what the hacker now holds. Their top 3 holdings are $12.6M in $LDO, $6.2M in $YFI and $5.9M in $BTRST.

    Wintermute's Dashboard Profile on the Arkham Platform (Source: Arkham)

    The hacker immediately moved nearly all of the stolen funds to a second address, which had been funded 23 minutes before the hack with 10 ETH from Tornado Cash. After exchanging $12M in BUSD/TUSD for DAI, this second hacker address deposited $114M in USDC/USDT/DAI into Curve's 3pool, receiving 3CRV in return.

    All hacker activity occurred within a 45-minute window ending at 05:48 UTC.

    The Flow of Funds Between Wintermute & the Hacker (Source: Arkham Visualizer)

    The Wintermute Hacker’s Next Move

    Following the exploit, the hacker deposited nearly all of the stolen stablecoins into Curve's 3pool. The hacker most likely did this to avoid having their $USDT and $USDC frozen by Tether and Circle, whose token contracts let the issuer blacklist an address and then reject any transfer from or to it. Once the tokens were in the pool, blacklisting the hacker's address no longer reaches them: the USDC and USDT now sit at the pool contract's own address, and the hacker holds only 3CRV, which has no freeze function. Freezing the pool address itself would freeze every other liquidity provider's funds along with the hacker's. It remains unclear what the hacker's next move could be from this position.

    The hacker may choose to redeem their 3CRV for $DAI, which cannot be frozen because the DAI token contract has no issuer-controlled blacklist, but such a move would be straightforward to trace on chain. The Poly Network hacker was the last to use the Curve Finance 3pool in this way, in the 2nd biggest DeFi hack in history.
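To make the blacklisting argument above concrete, here is an added toy model (written for this page, not Arkham's code and not the real token or Curve contracts). It assumes the behaviour the page describes: the USDC and USDT contracts let the issuer blacklist an address and reject transfers involving it, DAI has no such function, and a Curve-style pool holds the underlying coins at its own address while giving the depositor freely transferable LP tokens. All addresses, balances and the 1:1 pool pricing are constructed placeholders.

```python
"""Toy model: issuer blacklist vs. pooled deposits (constructed example)."""
from dataclasses import dataclass, field

# Constructed placeholder addresses; not the real hacker, pool or issuer addresses.
ATTACKER = "0xattacker"
FRESH = "0xfresh"        # a new address the attacker controls
OTHER_LP = "0xotherlp"   # an unrelated liquidity provider
POOL_ADDR = "0x3pool"


class BlacklistError(Exception):
    pass


@dataclass
class StableToken:
    symbol: str
    blacklistable: bool                      # True for USDC/USDT, False for DAI
    balances: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def blacklist_address(self, addr):
        if not self.blacklistable:
            raise ValueError(f"{self.symbol} has no issuer blacklist")
        self.blacklist.add(addr)

    def transfer(self, sender, to, amount):
        # Models the issuer's check on both parties of every transfer.
        if sender in self.blacklist or to in self.blacklist:
            raise BlacklistError(f"{self.symbol}: blacklisted party in transfer")
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount


class Pool:
    """Simplified 3pool: deposits mint LP tokens 1:1, redeem any single coin."""

    def __init__(self, addr, coins):
        self.addr = addr
        self.coins = {c.symbol: c for c in coins}
        self.lp_balances = {}

    def add_liquidity(self, depositor, amounts):
        minted = 0
        for sym, amt in amounts.items():
            # Coins move from the depositor to the pool's own address.
            self.coins[sym].transfer(depositor, self.addr, amt)
            minted += amt
        self.lp_balances[depositor] = self.lp_balances.get(depositor, 0) + minted
        return minted

    def transfer_lp(self, sender, to, amount):
        # The LP token has no blacklist; only a balance check.
        if self.lp_balances.get(sender, 0) < amount:
            raise ValueError("insufficient LP balance")
        self.lp_balances[sender] -= amount
        self.lp_balances[to] = self.lp_balances.get(to, 0) + amount

    def remove_liquidity_one_coin(self, holder, lp_amount, sym):
        if self.lp_balances.get(holder, 0) < lp_amount:
            raise ValueError("insufficient LP balance")
        # The pool is the sender, so the issuer's check now bites on the
        # pool address and on the recipient, not on whoever deposited.
        self.coins[sym].transfer(self.addr, holder, lp_amount)
        self.lp_balances[holder] -= lp_amount


def run_scenario():
    usdc = StableToken("USDC", blacklistable=True)
    usdt = StableToken("USDT", blacklistable=True)
    dai = StableToken("DAI", blacklistable=False)
    for tok in (usdc, usdt, dai):          # constructed balances, whole tokens
        tok.balances[OTHER_LP] = 1_000
    usdc.balances[ATTACKER], usdt.balances[ATTACKER], dai.balances[ATTACKER] = 100, 50, 30

    pool = Pool(POOL_ADDR, [usdc, usdt, dai])
    pool.add_liquidity(OTHER_LP, {"USDC": 1_000, "USDT": 1_000, "DAI": 1_000})
    lp = pool.add_liquidity(ATTACKER, {"USDC": 100, "USDT": 50, "DAI": 30})

    # Issuers react only after the deposit has landed in the pool.
    usdc.blacklist_address(ATTACKER)
    usdt.blacklist_address(ATTACKER)
    r = {"attacker_lp": lp,
         "attacker_usdc_direct": usdc.balance_of(ATTACKER),
         "pool_usdc": usdc.balance_of(POOL_ADDR)}

    # 1. Redeeming USDC straight to the blacklisted address is rejected.
    try:
        pool.remove_liquidity_one_coin(ATTACKER, 10, "USDC")
        r["redeem_usdc_to_attacker"] = "ok"
    except BlacklistError:
        r["redeem_usdc_to_attacker"] = "blocked"
    # 2. Redeeming DAI works: nothing in the DAI contract can freeze it.
    pool.remove_liquidity_one_coin(ATTACKER, 100, "DAI")
    r["attacker_dai_after"] = dai.balance_of(ATTACKER)
    # 3. LP tokens move freely, and a fresh address is not on any blacklist.
    pool.transfer_lp(ATTACKER, FRESH, 80)
    pool.remove_liquidity_one_coin(FRESH, 80, "USDC")
    r["fresh_usdc"] = usdc.balance_of(FRESH)
    # 4. The remaining lever is blacklisting the pool itself, which freezes everyone.
    usdc.blacklist_address(POOL_ADDR)
    try:
        pool.remove_liquidity_one_coin(OTHER_LP, 10, "USDC")
        r["other_lp_after_pool_blacklist"] = "ok"
    except BlacklistError:
        r["other_lp_after_pool_blacklist"] = "blocked"
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The model deliberately prices deposits 1:1 and ignores Curve's bonding curve, fees and slippage; the point it isolates is that an issuer's address-level freeze only touches addresses that are a party to a transfer, so once the coins sit at the pool contract the issuer's remaining choices are to freeze the pool (punishing every LP) or to watch for the redemption on chain, which is the tracing angle the post takes.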

    The Flow of Funds Between Poly Network & the Poly Network Hacker (Source: Arkham)

    During that exploit, Tether blacklisted ~$33M of the stolen $USDT. Soon after, the Poly Network hacker successfully moved the rest of their stolen stablecoins into the pool. However, they appeared to hit a snag in deciding what to do next.

    Within days, the hacker returned the funds in exchange for a bounty. While this could have been the goal all along, it is also possible they were unable to find a way to launder the funds out of 3pool without being traced.

    It remains to be seen what the Wintermute hacker will do.

    We wish the Wintermute Team all the best with recovering from this incident. For continual updates on our analysis, visit us on Twitter.


    DISCLAIMER: The above content, including all information and opinions presented, is intended solely for educational and informational purposes. It should not be construed as financial or legal advice. The views and opinions expressed herein are those of the author(s) and do not necessarily reflect the views of Arkham and summarizes information and articles with respect to cryptocurrencies or related topics. This material is for informational purposes only and is only intended for sophisticated investors, and is not (i) an offer, or solicitation of an offer, to invest in, or to buy or sell, any interests or shares, or to participate in any investment or trading strategy, (ii) intended to provide accounting, legal, or tax advice, or investment recommendations, or (iii) an official statement of Arkham. No representation or warranty is made, expressed or implied, with respect to the accuracy or completeness of the information or to the future performance of any digital asset, financial instrument or other market or economic measure. The information is believed to be current as of the date indicated and may not be updated or otherwise revised to reflect information that subsequently became available or a change in circumstances after the date of publication. Arkham, its affiliates and its employees do not make any representation or warranty, expressed or implied, as to accuracy or completeness of the information or any other information transmitted or made available. Investing in cryptocurrency comes with risk. Recipients should consult their advisors before making any investment decision. Arkham may have financial interests in, or relationships with, some of the assets, entities and/or publications discussed or otherwise referenced in the materials. Certain links that may be provided in the materials are provided for convenience and do not imply Arkham’s endorsement, or approval of any third-party websites or their content. 
Any use, review, retransmission, distribution, or reproduction of these materials, in whole or in part, is strictly prohibited in any form without the express written approval of Arkham.