Lazarus Group moves $12M from HTX, HECO hacks to Tornado Cash

Despite U.S. sanctions, North Koreas Lazarus Group has resumed laundering stolen crypto funds through Tornado Cash.

North Koreas Lazarus Group has resumed using Tornado Cash to launder funds stolen from hacks, despite sanctions against the crypto mixer.

According to on-chain activity flagged by analytics firm Elliptic, hackers from Lazarus Group have transferred cryptocurrency worth $12 million to Tornados wallets since March 13. The funds were stolen in November from the crypto exchange HTX and its cross-chain bridge HTX Eco Chain, or HECO.

Hot wallets on HTXs exchange were drained $30 million during an attack on Nov. 22, while the HECO Chain was hacked for $86.6 million on the same day. The funds were swapped to Ether (ETH) through decentralized exchanges and were dormant until this week.

Flow of funds from HTX/HECO hacks to Tornado Cash. Source: Elliptic.

Tornado Cash is a decentralized and noncustodial privacy tool built on the Ethereum blockchain. The crypto mixer uses smart contracts to accept ETH and ERC-20 token deposits from one address and enables them to be withdrawn by a different address.

The protocol was sanctioned in August 2022 by the U.S. Treasury Department for its alleged role in allowing the laundering of over $1 billion in illicit funds, including money linked to the Lazarus Group.

“Tornado Cash continues to operate despite sanctions. The mixer operates through smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been,” explained Elliptic.

The Lazarus Group has apparently switched back to Tornado Cash after losing other mixer options. According to Ellipitc, the hackers chose cross-chain bridges and the Bitcoin mixer Sindbad to launder stolen money since the sanctions.

Sindbad, however, was seized by Finnish authorities in November 2023 after U.S. sanctions went into effect, removing another mixing option for the hackers. The U.S. crackdown on crypto mixers also includes the closing of the Blender platform in May 2022.

Authorities are also targeting developers of such mixers. Tornado Cashs developers, Roman Storm and Alexey Pertsev, have been charged with several crimes by U.S. authorities, including conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money-transmitting business. The founder of the crypto mixer Bitcoin Fog was convicted of money laundering on March 12 in a similar development.