Elliptic: Lazarus Hackers Returned to Using Tornado Cash after Sinbad Mixer Was Blocked
Hackers began to move funds stolen in the HTX crypto exchange hack to Tornado Cash
Elliptic analysts have recorded the movement of funds related to the hacking of the HTX exchange and its HECO cross-chain protocol. As a result of the attack, which experts attribute to the North Korean Lazarus group, the platforms lost $100 million in November 2023. The stolen funds remained stationary for a long time, but on March 13 they began to move to the Tornado Cash cryptomixer, which the US Treasury added to its sanctions list back in August 2022.
Following common cryptocurrency laundering schemes, the hackers exchanged the stolen tokens for ETH on decentralized exchanges (DEX) immediately after the hack, but then suspended further transfers.
Then, on March 13 and 14, Lazarus sent over $12 million to Tornado Cash in more than 40 transactions. The service was banned by the US authorities for helping to launder $455 million stolen by Lazarus. In response, the group stopped using Tornado Cash and switched to another cryptomixer called Sinbad.
Then in November 2023, the US Treasury banned Sinbad, also for its connection with hackers from the DPRK, which ruled out the possibility of its further use by the Lazarus group.
Nevertheless, Elliptic notes that Tornado Cash continues to work despite the sanctions. The service runs as smart contracts on decentralized blockchains, so it cannot be seized and shut down in the same way as centralized mixers such as Sinbad.
"Now Lazarus Group seems to have returned to using Tornado Cash as a way of large-scale money laundering and hiding traces of its transactions," the company concluded.