North Korea’s Lazarus hacking group has reportedly resorted to using an old method to launder $23 million that was stolen in a recent cyber attack. According to investigators at blockchain research company Elliptic, the funds were part of the $112.5 million stolen from the HTX cryptocurrency exchange in November and were laundered through the Tornado Cash mixing service.
Elliptic noted that the use of Tornado Cash by the Lazarus group is significant because the service was sanctioned by U.S. authorities in August 2022, leading the hackers to switch to another mixing service called Sinbad.io. However, the U.S. Treasury Department sanctioned Sinbad.io in November, prompting the hackers to return to Tornado Cash.
The company stated that the hackers sent the $23 million through Tornado Cash in approximately 60 transactions. Elliptic also pointed out that Tornado Cash has been able to continue operating despite sanctions because it runs on decentralized blockchains, making it difficult to seize and shut down.
North Korean hackers have been using services like Tornado Cash and Sinbad.io to obfuscate the source of their stolen funds and cash out from various crypto hacks. These funds help the regime evade international sanctions related to its weapons programs, according to the U.S. government.
Researchers estimate that North Korean hacker groups stole around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. Lazarus Group, which has been operating for more than a decade, has reportedly stolen over $2 billion in cryptocurrency to fund the North Korean government’s activities, including its weapons programs. The group itself was sanctioned by the U.S. government in 2019.
