North Korean Hackers Used Tornado Cash Bitcoin Mixer to Launder $12 Million

Teuta Franjkovic

Key Takeaways

  • Lazarus Group used Tornado Cash to launder $12 million in stolen Ethereum over the past day.
  • Despite sanctions against Tornado Cash in 2022 and Sinbad in 2023, Lazarus keeps finding ways to launder funds.
  • Law enforcement shutting down mixers like Tornado Cash and Sinbad forces hackers to find alternatives like YoMix.

Hackers associated with North Korea’s notorious Lazarus Group have used the coin-mixing service Tornado Cash to launder $12 million in Ethereum (ETH) in the past 24 hours.

According to research by blockchain analytics firm Elliptic, the group executed over 40 transactions through Tornado Cash on March 13 and March 14.

$3 Billion Hacking Spree Tied to Heco Bridge Heist

A report by the cybersecurity firm Recorded Future says Lazarus Group is implicated in hacks worth $3 billion over a six-year period.

Elliptic has linked the Lazarus Group to a $100 million heist involving the Heco Bridge and HTX in November 2023.

The report said:

“Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges. The stolen funds then lay dormant until yesterday, March 13, when the stolen cryptoassets began to be sent through Tornado Cash.”

The US Treasury sanctioned Tornado Cash, a mixer using decentralized smart contracts, in August 2022. These sanctions came about because of its involvement in laundering $455 million from crypto hacks attributed to the Lazarus Group.

Lazarus Group’s Laundering Spree: Dodging Sanctions, Facing Charges

The sanctions led the Lazarus Group to switch to another mixer, Sinbad, to conceal their illicit proceeds. However, after US authorities seized Sinbad in November, Lazarus returned to using Tornado Cash. Roman Storm, one of the mixer’s founders, was arrested last year and is awaiting trial on charges of money laundering. Another co-founder, Roman Semenov, has been charged but remains at large.

Despite facing sanctions on two occasions, the mixer continues to operate through decentralized smart contracts, which are impervious to seizure or shutdown.

According to Elliptic:

“The change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io.”

Tornado Cash Shut Down, New Mixers Emerge

In February, the Office of Foreign Assets Control (OFAC) implemented sanctions that led to the cessation of Tornado Cash’s operations in 2022. Following this, sophisticated cybercriminals swiftly transitioned to using Sinbad, a mixer identified by Elliptic research as essentially a rebranded version of Tornado Cash.

After the shutdown of Sinbad in 2023, YoMix emerged as the preferred mixer among cybercriminals. This sequence of events highlights the ongoing cat-and-mouse dynamic between hackers and regulatory or law enforcement bodies.

A report by Chainalysis noted a decrease in the amount of illicit funds going to mixers in 2023. Although this might seem like a win for regulatory efforts at first glance, the adaptability of groups such as Lazarus points to more profound underlying security challenges.
