North Korean Hackers Used Tornado Cash Bitcoin Mixer to Launder $12 Million

Key Takeaways

• Lazarus Group used Tornado Cash to launder $12 million in stolen Ethereum over the past day.
• Despite sanctions against Tornado Cash in 2022 and Sinbad, in 2023, Lazarus keeps finding ways to launder funds.
• Law enforcement shutting down mixers like Tornado Cash and Sinbad forces hackers to find alternatives like YoMix.

Hackers associated with North Korea’s notorious Lazarus Group have utilized the coin-mixing service Tornado Cash to launder $12 million in Ethereum (ETH) in the 24 hours.

According to research  by blockchain analytics firm Elliptic, the Group executed over 40 transactions through Tornado Cash on March 13 and March 14.

$3 Billion Hacking Spree Tied to Heco Bridge Heist

A report by the cybersecurity firm Recorded Future says Lazarus Group is implicated in hacking worth $3 billion in a six year period.

Elliptic has linked the Lazarus Group to a $100 million heist involving the Heco Bridge  and HTX in November 2023.

The report said:

“Following common  crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges. The stolen funds then lay dormant until yesterday, March 13, when the stolen cryptoassets began to be sent through Tornado Cash.”

The US Treasury sanctioned Tornado Cash, a mixer using decentralized smart contracts, in August 2022. These sanctions came about because of its involvement in laundering $455 million from crypto hacks attributed to the Lazarus Group.

Lazarus Group’s Laundering Spree: Dodging Sanctions, Facing Charges

The sanctions led the Lazarus Group to switch to another mixer, Sinbad, to conceal their illicit proceeds. However, after US authorities seized Sinbad in November, Lazarus returned  to using Tornado Cash. Roman Storm, one of the mixer’s founders, was arrested last year and is awaiting trial on charges of money laundering. Another co-founder, Roman Semenov, has been charged but remains at large.

Despite facing sanctions on two occasions, the mixer continues to operate through decentralized smart contracts, which are impervious to seizure or shutdown.

According to  Elliptic:

“The change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io.“

Tornado Cash Shut Down, New Mixers Emerge

In February, the Office of Foreign Assets Control (OFAC) implemented sanctions that led to the cessation of Tornado Cash’s operations in 2022. Following this, sophisticated cybercriminals swiftly transitioned to using Sinbad, a mixer identified by Elliptic research  as essentially a rebranded version of Tornado Cash.

After the shutdown of Sinbad in 2023, YoMix emerged as the preferred mixer among cybercriminals. This sequence of events highlights the ongoing cat-and-mouse dynamic between hackers and regulatory or law enforcement bodies.

A report by Chainalysis  noted a decrease in the amount of illicit funds going to mixers in 2023. Although this might seem like a win for regulatory efforts at first glance, the adaptability of groups such as Lazarus points to more profound underlying security challenges.

About the Author

Teuta Franjkovic

Teuta is a seasoned writer and editor with more than 15 years of experience. She has expertise in covering macroeconomics and technology as well as the cryptocurrency and blockchain industries. She has worked for several publications as a journalist and editor, including Forbes, Bloomberg, CoinTelegraph, Coin Rivet, CoinSpeaker, VRWorld and Arcane Bear. Teuta began her professional career in 2005, working as a lifestyle writer at Cosmopolitan in Croatia. From there, she branched out to several other publications, covering mainly business and the economy. She then turned her attention to the world of cryptocurrency and blockchain, believing that crypto is among the most important inventions in the history of humanity. Her involvement in fintech began in 2014 and she has since lent her expertise in writing, editing and gathering information about the world of crypto, blockchain, NFTs and Web3. An all-round news hound, mentor, editor, and writer, Teuta enjoys teamwork and good communication. She holds a WSET2 diploma and has a thing for chablis, punkrock music and shoes. She also holds a double MA in Political science and Entrepreneurship.

See more

[email protected] LinkedIn Twitter