- $112.5 million was stolen from the HTX exchange and its HECO cross-chain bridge in November 2023 – Elliptic attributed this hack to North Korea’s Lazarus Group
- As of March 13, 2024, over $100 million from this hack has been laundered through Tornado Cash
- Lazarus turned to Sinbad.io as its mixer of choice after Tornado Cash was sanctioned in August 2022, but the service was taken down by US authorities in November 2023.
In November 2023, $112.5 million in cryptocurrency was stolen from the crypto exchange HTX and its cross-chain bridge, known as the HECO Bridge. Elliptic and others have attributed this theft to North Korea’s Lazarus Group, based on various attributes of the hack and the subsequent movement of funds.
Following commonly seen crypto-laundering patterns, the stolen tokens were immediately exchanged for ETH using decentralized exchanges. The stolen funds then lay dormant until March 13, 2024, when the stolen cryptoassets began to be sent through Tornado Cash.
Tornado Cash is a decentralized mixer based on smart contracts. It was sanctioned by the US Treasury in August 2022 for its role in laundering $455 million from the Lazarus Group’s crypto hacks. In response, Lazarus Group stopped using Tornado Cash, relying instead on cross-chain bridges and the Bitcoin-based mixer Sinbad.io.
But in November 2023, Sinbad.io was itself seized by US authorities, eliminating this alternative mixing option.
However, Tornado Cash continues to operate despite the sanctions. The mixer works through smart contracts that run on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers like Sinbad.io were.
It appears that the Lazarus Group has now returned to using Tornado Cash as a way to launder large amounts of funds and cover up the trail of transactions.
As of March 13, 2024, more than $100 million in ETH has been laundered through Tornado Cash from the HTX/HECO thefts.
This change in behavior and return to using Tornado Cash likely reflects the limited number of large mixers now operating, thanks to the shutdown of services like Sinbad.io and Blender.io by law enforcement.
Crypto exchanges and other financial institutions should use tools like Elliptic’s crypto transaction and wallet screening solutions to ensure they are not engaging in transactions with sanctioned actors like Tornado Cash and Lazarus Group. Contact us to find out more.
This article has been updated to reflect the latest movements of funds in Tornado Cash and to correct the amount stolen from HTX and HECO Bridge.