In Nov. 2022, an exploiter took advantage of lax security at now-bankrupt crypto exchange FTX and drained upwards of $400 million from company-affiliated wallets. Part of those funds might be linked to Russian cybercriminal groups, according to data from blockchain analytics firm Elliptic that was shared with CoinDesk.

The stolen funds sat still for five days before 65,000 ETH (worth $100 million) was transferred to the Bitcoin blockchain using the RenBridge service, where the exploiters then used a mixer called ChipMixer to mask their wallet addresses.

Elliptic said that on-chain data hints that Russian groups were involved in the attack.

“Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges,” the research firm told CoinDesk.

Earlier this week, Wired Magazine published an inside look at how FTX employees responded to the exploit as it was happening, which included establishing “cold” or hardware wallets to protect more than $1 billion in assets.

The exploiter has been active in recent weeks, transferring $17 million in ether (ETH) to five different addresses since Sept. 30.

The exploiter also moved funds onto the decentralized exchange THORSwap, prompting the DEX to enter maintenance mode and pause swaps to combat potential illicit trading. The movements came as the eventful criminal trial of former FTX CEO Sam Bankman-Fried kicked off in New York.