The Lazarus Group, a hacking collective linked to North Korea, has resumed using Tornado Cash, a decentralised crypto mixer, to launder funds stolen from recent hacks, despite sanctions imposed against the mixer.
On-chain activity analysed by Elliptic, an analytics firm, revealed that hackers associated with the Lazarus Group have moved approximately $12 million worth of cryptocurrency to Tornado Cash’s wallets since March 13. These funds were pilfered in November from HTX, a cryptocurrency exchange, and its affiliated HECO Chain.
During the November attack, hackers drained $30 million from HTX’s hot wallets and syphoned $86.6 million from the HECO Chain. The stolen funds were converted to Ether (ETH) through decentralised exchanges and remained dormant until recent transactions.
Tornado Cash, built on the Ethereum blockchain, functions as a noncustodial privacy tool that uses smart contracts to let users deposit ETH and ERC-20 tokens from one address and withdraw them to a different one. Despite being sanctioned by the U.S. Treasury Department in August 2022 for its alleged involvement in laundering over $1 billion in illicit funds, including those connected to the Lazarus Group, Tornado Cash continues to operate.
Elliptic highlighted that Tornado Cash’s decentralised nature, operating through smart contracts on decentralised blockchains, means it cannot be seized or shut down in the way that centralised mixers such as Sinbad.io can.
The Lazarus Group’s return to Tornado Cash follows the loss of other mixer options. After sanctions were imposed, the hackers resorted to using cross-chain bridges and the Bitcoin mixer Sinbad for laundering. However, Sinbad was seized by Finnish authorities in November 2023, eliminating another laundering avenue.
U.S. authorities are also targeting mixer developers, with Tornado Cash’s creators, Roman Storm and Alexey Pertsev, facing charges including conspiracy to commit money laundering and operating an unlicensed money-transmitting business. Additionally, the founder of Bitcoin Fog, another mixer, was convicted of money laundering on March 12, indicating intensified regulatory scrutiny in the crypto mixer space.