An in-depth analysis of the hack targeting Ripple co-founder Chris Larsen last week suggests there may be more to the story than meets the eye.

On Jan. 31, a hacker stole 213 million XRP tokens, worth around $112.4 million at the time, from Larsen’s wallet and sent the funds to a number of trading platforms, including OKX, Kraken and Binance. 

Blockchain security researchers at Hacken traced the flow of funds both to and from the compromised wallet, and pieced together a more detailed picture of the events.

The researchers found that funds from Larsen’s compromised wallet were transferred to eight different wallets, some of which made subsequent transfers to intermediate wallets before the funds ultimately ended up on the exchanges. 

An incoming transfer from one of these wallets, in particular, stood out to researchers. A wallet address that begins with “rU1bPM4” had sent $64.6 million in XRP to Larsen’s wallet in the past, and had also made a transfer of $37,500 in XRP to one of the intermediate wallets that were involved in the transfer of stolen funds. 

Hacken also found that the “rU1bPM4” wallet had sent close to $2 million to a Kraken deposit address in 2020 – the same address that the Larsen hacker used to funnel funds through. 

“Our investigation reveals a complex network of transactions, with some leading back to XRP. In this incident, two wallets connected to XRP’s authorized wallet played key roles,” said Hacken. 

“It’s early for conclusions, but the story is getting more interesting,” it added.