- North Korea's Lazarus Group laundered $13 million of stolen crypto via Tornado Cash this week, Elliptic said.
- Funds from previous hacks carried out in November were laundered through the mixer.
- US sanctions on Tornado Cash haven't deterred its use as a service for moving stolen crypto.
North Korean-linked cyber hackers have laundered $13 million worth of ether this week through sanctioned crypto mixer Tornado Cash, data from blockchain analytics company Elliptic shows.
North Korea's notorious Lazarus Group funneled stolen crypto in 40 transactions into the virtual currency mixer Tornado Cash on March 13 and 14, according to research from Elliptic.
The laundered funds were part of the $100 million of cryptocurrency stolen from exchange HTX and its HECO cross-chain bridge in November 2023.
"Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges. The stolen funds then lay dormant until yesterday, March 13, when the stolen crypto assets began to be sent through Tornado Cash," analysts said in a note.
Tornado Cash and similar mixers obscure funds by blending tokens from diverse sources before transferring them. The service was blacklisted by the US Department of the Treasury in August 2022. The department said the mixer had been used to launder more than $7 billion since it was created in 2019.
Shortly after the sanctions hit, Lazarus Group turned to Sinbad mixer to obscure its funds, but US authorities seized Sinbad in November, forcing Lazarus back to Tornado Cash.
Now, Tornado Cash remains up and running despite sanctions, as it operates on decentralized blockchains and smart contracts, putting it out of reach of authorities.
Lazarus Group has orchestrated hacks totaling over $3 billion in the last six years, per cybersecurity firm Recorded Future.
The group masquerades as venture capital firms and banks to steal cryptocurrency. They pose as recruiters, targeting individuals with access to private keys, and use initial token offerings and social media to launch their attacks.