Lazarus APT group returned to Tornado Cash to launder stolen funds

North Korea-linked Lazarus APT group has allegedly resumed using the mixer platform Tornado Cash to launder $23 million.

The North Korea-linked Lazarus APT group has reportedly resumed using the mixer platform Tornado Cash to launder $23 million.

Blockchain cybersecurity firm Elliptic linked the theft of $112.5 million from the exchange HTX, which took place in November 2023, to the North Korean group. Now Elliptic reports that over the past day the group laundered more than $23 million from this attack through Tornado Cash.

In August 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the crypto mixer service Tornado Cash used by North Korean-linked Lazarus APT Group.

Mixers are essential components of cybercriminals' money-laundering operations, and Tornado Cash was used to launder the funds stolen from the victims.

At the time of the announcement of the sanctions by OFAC, Tornado Cash was used to launder more than $7 billion worth of virtual currency since its creation in 2019. The Lazarus APT group laundered over $455 million stolen during the largest known virtual currency heist to date. Tornado Cash was also used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the recent Nomad crypto heist. However, Tornado Cash has never interrupted its operations despite sanctions.

In response to the sanctions, Lazarus turned to the mixer, but this service was seized by US authorities in November 2023.

The researchers noted that the mixer operates through smart contracts on decentralized blockchains, making it immune to seizure and shutdown of the kind that led to the seizure of the centralized mixer.

“Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail. Since March 13 2024, more than $23 million in ETH from the HTX/HECO thefts have been sent to Tornado Cash, across more than 60 transactions.” reads the report published by Elliptic.

“This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as and”

A screenshot from Elliptic Investigator, showing the primary flow of funds from the HTX/HECO Bridge hacker wallet to Tornado Cash, as of March 15, 2024. (Not all transaction flows are displayed) (Source Elliptic)

Cryptocurrency exchanges and financial institutions are recommended to use tools such as wallet screening solutions to prevent transactions with sanctioned entities like Tornado Cash and the Lazarus Group.
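The wallet screening the recommendation above refers to usually means two checks at deposit or withdrawal time: is either party on a sanctions list, and did the sending address recently receive funds from a listed address? The following is an added example of that logic, not code from Elliptic or from this article. All addresses are constructed placeholders (built by `placeholder()`), the `SANCTIONED` table stands in for the OFAC SDN digital-currency address feed a real deployment would load, and `HISTORY` is a hand-built set of transfers that a production system would instead pull from a chain indexer.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Canonical form for matching: strip whitespace, validate, lowercase.
    EIP-55 checksum casing varies between data sources, so compare lowercase."""
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not an EVM address: {addr!r}")
    return addr.lower()


def placeholder(tag: str) -> str:
    """Build an obviously fake 20-byte address for the demo (not a real account)."""
    return "0x" + tag.rjust(40, "0")


# Constructed placeholder entries; a real screener loads the OFAC SDN feed.
SANCTIONED: Dict[str, str] = {
    normalize(placeholder("A01")): "Tornado Cash pool (placeholder)",
    normalize(placeholder("A02")): "Lazarus-attributed wallet (placeholder)",
}

EXCHANGE = placeholder("E1")  # constructed: our own deposit address
WALLET_B = placeholder("B1")  # constructed: funded directly by the listed wallet
WALLET_C = placeholder("C1")  # constructed: one hop further downstream
WALLET_D = placeholder("D1")  # constructed: no known exposure


@dataclass(frozen=True)
class Tx:
    tx_hash: str
    sender: str
    receiver: str
    value_eth: float


@dataclass(frozen=True)
class Decision:
    action: str  # "block", "review" or "allow"
    reason: str


# Constructed transfer history the screener traces through.
HISTORY: List[Tx] = [
    Tx("0xhist1", placeholder("A02"), WALLET_B, 120.0),
    Tx("0xhist2", WALLET_B, WALLET_C, 100.0),
]


def exposure_path(addr: str, sanctioned: Dict[str, str], history: Iterable[Tx],
                  max_hops: int) -> Optional[List[str]]:
    """Breadth-first search backwards through incoming transfers, at most
    max_hops deep, for a listed address. Returns the path (nearest first) or None."""
    incoming: Dict[str, set] = {}
    for t in history:
        incoming.setdefault(normalize(t.receiver), set()).add(normalize(t.sender))
    start = normalize(addr)
    frontier = [(start, [])]
    seen = {start}
    for _ in range(max_hops):
        next_frontier = []
        for node, path in frontier:
            for src in incoming.get(node, ()):
                if src in sanctioned:
                    return path + [src]
                if src not in seen:
                    seen.add(src)
                    next_frontier.append((src, path + [src]))
        frontier = next_frontier
    return None


def screen(tx: Tx, sanctioned: Dict[str, str] = SANCTIONED,
           history: Iterable[Tx] = HISTORY, max_hops: int = 2) -> Decision:
    """Direct match on either party blocks; upstream exposure within
    max_hops is routed to manual review; otherwise the transfer is allowed."""
    sender, receiver = normalize(tx.sender), normalize(tx.receiver)
    for party, role in ((sender, "sender"), (receiver, "receiver")):
        if party in sanctioned:
            return Decision("block", f"{role} {party} is listed: {sanctioned[party]}")
    path = exposure_path(sender, sanctioned, history, max_hops)
    if path:
        return Decision("review", f"sender is {len(path)} hop(s) downstream of "
                                  f"{path[-1]} ({sanctioned[path[-1]]})")
    return Decision("allow", "no listed counterparty within screening depth")


if __name__ == "__main__":
    for tx in (Tx("0xt1", WALLET_D, EXCHANGE, 1.0),
               Tx("0xt2", WALLET_C, EXCHANGE, 5.0),
               Tx("0xt3", EXCHANGE, placeholder("a01"), 1.0)):
        print(tx.tx_hash, screen(tx))
```

The hop depth is the policy knob: one hop catches only addresses funded straight from a listed wallet, while a deeper search raises the chance of flagging funds that passed through intermediaries at the cost of more false positives, which is why indirect exposure is routed to review rather than blocked outright.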


Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus APT)
