Lazarus Group hackers appear to return to Tornado Cash for money laundering

North Korea’s Lazarus hacking group allegedly has turned back to an old service in order to launder $23 million stolen during an attack in November. 

Investigators at blockchain research company Elliptic said on Friday that in the last day they had  seen the funds — part of the $112.5 million stolen from the HTX cryptocurrency exchange in November — laundered through the Tornado Cash mixing service. 

The use of Tornado Cash stood out to Elliptic because the service was sanctioned by U.S. authorities in August 2022, prompting Lazarus actors to turn to another mixing service called Sinbad.io. The U.S. Treasury Department sanctioned Sinbad.io in November.

“Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail,” Elliptic said, noting that the hackers sent the more than $23 million in about 60 transactions. 

“This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io,” the company said.

The researchers noted that Tornado Cash has been able to continue operating despite the sanctions because it runs on decentralized blockchains, meaning it “cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been.”

Elliptic said it has been tracking the $112.5 million stolen from HTX since the exchange  attributed the incident to Lazarus. 

The funds were held without movement until March 13, when Elliptic saw some go  through Tornado Cash. Other blockchain security companies confirmed they also saw the funds move across the blockchain. 

North Korean hackers have to use services like Tornado Cash and Sinbad.io in order to obfuscate the source of their stolen funds and cash out what they take during the numerous crypto hacks launched over the last three years. The proceeds help the regime dodge international sanctions related to its weapons programs, according to the U.S. government.

According to the Treasury Department, North Korean hackers used Sinbad and its predecessor Blender.io to launder a chunk of the $100 million stolen on June 3 from customers of Atomic Wallet, as well as significant portions of the more than $620 million stolen from Axie Infinity and the $100 million taken from Horizon Bridge — two of the largest crypto thefts on record.

Researchers estimate that North Korean groups stole about $1.7 billion worth of cryptocurrency in 2022 and about $1 billion in 2023.    

Lazarus Group has been operating for more than 10 years, and according to U.S. officials has stolen over $2 billion worth of cryptocurrency to help fund the North Korean government’s activities — including its weapons of mass destruction and ballistic missile programs. The group itself was sanctioned by the U.S. government  in 2019.