North Korea’s Lazarus Group has resumed using Tornado Cash to launder stolen funds, despite the sanctions imposed on the crypto mixer. According to Elliptic, an analytics firm, the hackers have transferred $12 million worth of cryptocurrency to Tornado’s wallets since March 13. These funds were originally stolen in November from the HTX crypto exchange and its cross-chain bridge, HECO.
During the attack on November 22, the hot wallets on the HTX exchange were drained of $30 million, while the HECO Chain was hacked for $86.6 million. The stolen funds were then converted to Ether (ETH) through decentralized exchanges and remained dormant until recently.
Tornado Cash is a decentralized and noncustodial privacy tool built on the Ethereum blockchain. It uses smart contracts to accept ETH and ERC-20 token deposits from one address and allows them to be withdrawn from a different address.
The U.S. Treasury Department sanctioned Tornado Cash in August 2022 due to its alleged involvement in facilitating the laundering of over $1 billion in illicit funds, including funds connected to the Lazarus Group. However, the mixer continues to operate because it runs on decentralized blockchains, which makes it difficult to seize or shut down.
The Lazarus Group has returned to using Tornado Cash after losing access to other mixing options. The group had previously used cross-chain bridges and the Bitcoin mixer Sinbad, but Sinbad was seized by Finnish authorities in November 2023 following the implementation of U.S. sanctions. Additionally, the Blender platform was shut down in May 2022 as part of the U.S. crackdown on crypto mixers.
Authorities are not only targeting the mixers themselves but also the developers behind them. The developers of Tornado Cash, Roman Storm and Alexey Pertsev, have been charged with various crimes by U.S. authorities, including conspiracy to commit money laundering, sanctions violations, and operating an unlicensed money-transmitting business. Similarly, the founder of the crypto mixer Bitcoin Fog was convicted of money laundering on March 12.