North Korean hackers return to Tornado Cash despite sanctions (2024)
$112.5 million was stolen from exchange HTX and its HECO cross-chain bridge in November 2023 - Elliptic has attributed this hack to North Korea’s Lazarus Group
Since March 13 2024, over $100 million from this hack has been laundered through Tornado Cash
Lazarus turned to Sinbad.io as its mixer of choice following sanctions on Tornado Cash in August 2022, but this service was seized by US authorities in November 2023
In November 2023, $112.5 million in cryptocurrency was stolen from crypto exchange HTX and its cross-chain bridge, known as HECO Bridge. Elliptic and others have attributed this theft to North Korea’s Lazarus group, based on various attributes of the hack and the subsequent movement of funds.
Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges. The stolen funds then lay dormant until March 13 2024, when the stolen cryptoassets began to be sent through Tornado Cash.
Tornado Cash is a decentralized, smart contract-based mixer. It was sanctioned by the U.S. Treasury in August 2022 for its role in laundering $455 million from Lazarus Group crypto hacks. In response, Lazarus Group stopped using Tornado Cash, relying instead on cross-chain bridges and the Bitcoin-based mixer Sinbad.io.
But in November 2023 Sinbad.io was itself seized by U.S. authorities, eliminating another mixing option.
However, Tornado Cash continues to operate despite sanctions. The mixer operates through smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been.
A screenshot from Elliptic Investigator, showing the primary flow of funds from the HTX/HECO Bridge hacker wallet to Tornado Cash, as of March 15, 2024. (Not all transaction flows are displayed)
Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail.
Since March 13 2024, more than $100 million in ETH from the HTX/HECO thefts has been laundered through Tornado Cash.
This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io.
Crypto exchanges and other financial institutions should use tools such as Elliptic’s crypto transaction and wallet screening solutions to ensure that they do not engage in transactions with sanctioned actors such as Tornado Cash and Lazarus Group.
This article has been updated to reflect the latest movements of funds into Tornado Cash and to correct the amount stolen from HTX and HECO Bridge.
Lazarus Group (also known as Guardians of Peace or Whois Team) is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010.
HTX is a Seychelles-based cryptocurrency exchange. Founded in China as Huobi (Chinese: 火币网; pinyin: Huǒbìwǎng), the company now has offices in Hong Kong, South Korea, Japan and the United States.
Network Analysis. It's important to conduct network analysis when tracking money that was deposited or withdrawn from Tornado Cash wallets. By exploring transaction flows and connections between addresses, we can identify commonalities or clustering of addresses engaging with Tornado Cash.
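The network analysis described above, as an added example (not from the original article or any vendor tool): it walks a set of transfers backwards from a sanctioned address to find depositors within a hop limit, then groups direct depositors that share a funding address. All address labels, amounts and function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample transfers: (sender, receiver, amount in ETH).
# Labels are placeholders, not real on-chain addresses.
TRANSFERS = [
    ("theft_wallet", "hop_1", 500.0),
    ("theft_wallet", "hop_2", 300.0),
    ("hop_1", "MIXER_POOL", 400.0),
    ("hop_1", "hop_3", 100.0),
    ("hop_2", "MIXER_POOL", 300.0),
    ("hop_3", "MIXER_POOL", 100.0),
    ("unrelated_user", "MIXER_POOL", 10.0),
    ("unrelated_user", "exchange_deposit", 20.0),
]
SANCTIONED = {"MIXER_POOL"}  # assumed screening list


def depositors_by_hops(transfers, sanctioned, max_hops=3):
    """Breadth-first walk upstream from sanctioned addresses.
    Returns {address: fewest hops to a sanctioned address}."""
    senders = defaultdict(set)
    for src, dst, _ in transfers:
        senders[dst].add(src)
    hops = {addr: 0 for addr in sanctioned}
    queue = deque(sanctioned)
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue  # hop limit reached, do not expand further
        for src in senders[node]:
            if src not in hops:
                hops[src] = hops[node] + 1
                queue.append(src)
    return {addr: h for addr, h in hops.items() if h > 0}


def shared_funder_clusters(transfers, sanctioned):
    """Group direct depositors funded by the same upstream address.
    Returns {funder: (sorted members, total ETH the members deposited)}."""
    deposited = defaultdict(float)
    for src, dst, amount in transfers:
        if dst in sanctioned:
            deposited[src] += amount
    members = defaultdict(set)
    for src, dst, _ in transfers:
        if dst in deposited and src not in sanctioned:
            members[src].add(dst)
    return {f: (sorted(m), sum(deposited[a] for a in m))
            for f, m in members.items() if len(m) > 1}
```

A shared funder is only a clustering heuristic: it marks addresses worth reviewing together and does not by itself prove common control.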
This is a privacy tool used in EVM networks where all transactions are public by default. In August 2022, the U.S. Department of the Treasury blacklisted the service, making it illegal for US citizens, residents and companies to use.
Kimsuky-linked hackers use similar tactics to attack Russia and South Korea, researchers say. The threat actor known as Konni, which has been previously linked to the North Korean state-sponsored group Kimsuky, is intensifying its attacks on South Korea and Russia, according to a recent report.
We're talking about Zcash, Monero, and Grin. All three cryptocurrencies have unique cryptographic implementations that obscure transactions that take place on their respective networks.
Quick Take. A judge in Tornado Cash developer Roman Storm's case granted a three-month delay of his upcoming trial over the objections of the prosecution. Each side also presented oral arguments at a recent hearing that could preview arguments made in the case, according to a report from The Rage.
Updated 9 am ET, May 14, 2024: A Dutch court has found Tornado Cash cofounder Alexey Pertsev guilty of money laundering and sentenced him to 64 months in prison.
It is anonymous in that the coins/tokens you receive from it are difficult to trace back to the source. For example, you have 100 laundered BTC in Wallet A and you put them through the Tornado Cash app. Meanwhile, 200 other people are also putting their 100 BTC through the app.
Why did the US Treasury sanction Tornado Cash? On August 8, 2022, Tornado Cash was sanctioned by the U.S. Treasury for allegedly failing to install sufficient controls to prevent it from laundering cash for harmful cyber actors on a regular basis.
When a user is ready to withdraw their tokens, they first split their deposit note in half. One side acts like a “secret,” and the other acts like a “lock.” After that, the user prompts the Tornado Cash smart contract to withdraw. Along with the prompt, the user supplies: A hash (or encoded form) of the “lock”
North Korea "operates a vast network of informants who monitor and report to the authorities fellow citizens they suspect of criminal or subversive behavior." North Korea has been described as a "massive police state", and its people "under constant surveillance".
Tornado Cash would maintain that stance as, according to Dutch prosecutors, a billion-plus dollars more of stolen funds flowed through the service over the next two years, part of at least $2.3 billion in total funds from criminal and sanctioned sources that made up more than 30 percent of the service's overall ...