Lazarus Group hackers appear to return to Tornado Cash for money laundering


North Korean hacker group Lazarus reportedly turned to a legacy service to launder $23 million stolen in a November attack.

Investigators at blockchain research firm Elliptic said Friday that during the last day they had seen the funds – part of the $112.5 million stolen from cryptocurrency exchange HTX in November – laundered via the Tornado Cash mixing service.

The use of Tornado Cash stood out to Elliptic because the service was sanctioned by the American authorities in August 2022, prompting Lazarus actors to turn to another mixing service called The US Treasury Department sanctioned in November.

“The Lazarus Group now appears to have resumed using Tornado Cash as a means of laundering funds on a large scale and obfuscating the path of their transactions,” Elliptic said, noting that the hackers sent more than $23 million in around 60 of transactions.

“This change in behavior and return to using Tornado Cash likely reflects the limited number of large-scale blenders currently in operation, thanks to law enforcement’s takedown of services like and “, the company said.

The researchers noted that Tornado Cash was able to continue operating despite sanctions because it operates on decentralized blockchains, meaning it “cannot be seized and shut down in the same way as centralized mixers such as were.”

Elliptical said it tracks the $112.5 million stolen from HTX since the exchange attributed the incident to Lazarus.

The funds remained unchanged until March 13, when Elliptic saw some flow through Tornado Cash. Other blockchain security companies confirmed they also saw funds flowing through the blockchain.

North Korean hackers are expected to use services like Tornado Cash and in order to hide the source of their stolen funds and cash out what they took in the numerous crypto hacks launched over the past three years. The revenue helps the regime evade international sanctions linked to its weapons programs, according to the US government.

According to the Treasury Department, North Korean hackers used Sinbad and its predecessor to launder some of the $100 million stolen on June 3 from Atomic Wallet customersas well as a significant portion of the more than $620 million stolen from Axie Infinity and the $100 million withdrawn from Horizon Bridge — two of the biggest crypto thefts ever recorded.

Researchers estimate that North Korean groups stole around $1.7 billion worth of cryptocurrency in 2022 and around $1 billion in 2023.

The Lazarus Group has been around for more than 10 years and, according to U.S. officials, has stolen more than $2 billion in cryptocurrency to help finance the North Korean government’s activities, including its weapons of mass destruction programs and ballistic missiles. The group itself was sanctioned by the US government in 2019.

Get more information with the

Future saved

Intelligence cloud.

Learn more.

Leave a comment