Despite being blacklisted by OFAC, the Tornado Cash mixer continues to operate, helping North Korea-linked hackers in laundering millions of stolen crypto.
The DPRK-affiliated hacking group Lazarus Group successfully laundered hundreds of millions of dollars worth of Ethereum (ETH) stolen from HTX (formerly Huobi) and Heco Bridge in November 2023.
Taylor Monahan, the founder and CEO of MyEtherWallet, revealed in an X post on Mar. 28 that the hackers had successfully laundered over 48,194 ETH (currently valued at ~$170 million) through Tornado Cash, a mixing service sanctioned by the Office of Foreign Assets Control (OFAC), in an effort obscure the transaction trail.
Monahan also attached graphs illustrating the tactics employed by the hackers, who dispersed their stolen crypto in hundreds of transactions across multiple wallets, adding they “hopped each withdrawal around a few times.”
Once the hackers mixed their funds on the Ethereum network, they transferred them to the Bitcoin blockchain using THORSwap, a service enabling cross-chain asset transfers between different networks. It remains unclear whether the hackers have cashed out, as they typically sell stolen crypto on over-the-counter (OTC) markets for fiat currency.
In November 2023, HTX and the Heco Chain’s Ethereum bridge fell victim to a hacker attack, resulting in the loss of tens of millions of dollars worth of cryptocurrency. At the time, Justin Sun, an investor at the exchange, assured customers that they would be fully reimbursed. However, it remains unclear so far how exactly the hackers gained control over the exchange’s hot wallet.
OFAC imposed sanctions against Tornado Cash back in 2022, claiming the service was used to launder more than $7 billion worth of crypto since 2019. This included over $455 million stolen by Lazarus Group, more than $96 million of malicious cyber actors’ funds derived from the Harmony Bridge heist, and at least $7.8 million from the Nomad heist.