The Lazarus Group, a hacking organization from North Korea, has resumed using Tornado Cash to launder stolen funds, despite sanctions against the crypto mixer. According to analytics firm Elliptic, the hackers have transferred approximately $12 million worth of cryptocurrency to Tornado’s wallets since March 13. These funds were stolen in November from the HTX crypto exchange and its cross-chain bridge, HECO.
During the attack on November 22, the hot wallets on the HTX exchange were drained for $30 million, while the HECO Chain was hacked for $86.6 million. The stolen funds were converted to Ether (ETH) through decentralized exchanges and remained dormant until recently.
Tornado Cash is a decentralized privacy tool built on the Ethereum blockchain. It operates through smart contracts that allow for deposits and withdrawals to be made from different addresses. However, the protocol was sanctioned by the U.S. Treasury Department in August 2022 for its alleged involvement in facilitating the laundering of illicit funds, including money connected to the Lazarus Group.
Despite the sanctions, Tornado Cash continues to operate. Unlike centralized mixers such as Sinbad.io, which have been shut down, Tornado Cash cannot be seized due to its decentralized nature. According to Elliptic, the Lazarus Group has returned to using Tornado Cash after losing access to other mixer options, such as cross-chain bridges and the Bitcoin mixer Sinbad.
Sinbad was seized by Finnish authorities in November 2023 following the implementation of U.S. sanctions, eliminating another laundering option for the hackers. The crackdown on crypto mixers by U.S. authorities also led to the closure of the Blender platform in May 2022.
In addition to targeting the mixers themselves, authorities are also pursuing the developers involved. The developers of Tornado Cash, Roman Storm and Alexey Pertsev, have been charged with various crimes by U.S. authorities, including money laundering, sanctions violations, and operating an unlicensed money-transmitting business. Similarly, the founder of the crypto mixer Bitcoin Fog was convicted of money laundering on March 12.
This article is part of a series titled “Inside Pink Drainer,” which explores the operations of a crypto scam franchise and features a security analyst defending his involvement.