Whoever was behind last week’s $600 million exploit of crypto exchange FTX started moving millions of dollars in stolen funds during European morning hours on Tuesday.

The funds were siphoned from FTX's crypto wallets late Friday. Soon after, the exchange said on its official Telegram channel that it had been compromised, instructing users not to install any new upgrades and to delete all FTX apps.

Multiple addresses connected to the accounts drainer on Tuesday transferred more than 21,555 ether (ETH), or over $27 million, to a single address. The tokens were later converted to stablecoin DAI on the swapping service CowSwap, blockchain data shows.

The addresses, over several transactions, amassed over $48 million of DAI and swapped it all into 37,000 ether. The address now holds more than 288,000 ether and is the 35th-largest owner of the cryptocurrency, blockchain data pointed out by security firm PeckShield shows.

Separately, 7,420 BNB tokens that were stolen and that are worth just above $2 million were converted to 1,500 ether using BNB Chain-based exchange PancakeSwap. The exploiter then bridged the converted ether to the Ethereum network.