Sanctioned Crypto Wallet Linked to North Korean Hackers Keeps Laundering

It’s a game of wallet whack-a-mole despite Tornado Cash’s efforts. For now, the hackers appear to be winning.

AccessTimeIconApr 15, 2022 at 7:55 p.m. UTC
Updated May 11, 2023 at 4:43 p.m. UTC

An alleged North Korean Ethereum wallet tied to March’s $600 million crypto hack continues to launder its stolen ether (ETH) Friday in defiance of U.S. sanctions.

The blacklisted address that U.S. authorities say is controlled by North Korea’s elite “Lazarus” hacker group sent 2,915 ETH (around $8.8 million) to the cleaners this morning New York time, a day after federal officials listed it on its sanctions database.

Making a brief pit stop at a fresh, unsanctioned wallet, its crypto quickly flew through the popular coin mixer Tornado Cash, where the trail went cold.

It was a continuation of what one tracing expert told CoinDesk is a brute-force laundering strategy tailored for speed – even at the expense of some of the treasure. One month after draining the Ronin Bridge of over $600 million in crypto, the hackers are pushing their trove through Tornado Cash, about $10 million at a time.

Tracing company Elliptic on Thursday estimated the Ronin hackers have laundered $80 million through Tornado Cash. Friday morning’s transactions likely add at least another $8 million to this sum. It’s unclear how much Lazarus can successfully launder for its own purposes.

Open book

Ethereum’s transparent transaction ledger reveals the gambit.

For the last 10 days, the “Ronin Bridge Exploit” address has sent multimillion-dollar batches of ETH to intermediary wallets for processing through Tornado Cash. It moves fast, depositing 100 ETH tranches into Tornado Cash in a matter of hours and abandoning the relatively small sums that remain.

Shortly after Friday morning’s mix, Tornado Cash tweeted it uses a data feed from Chainalysis to “block [Office of Foreign Assets Control] sanctioned addresses from accessing the dapp.”

CoinDesk has not been able to confirm when the oracle integration went live. Either way, it only affects Tornado Cash’s front end, meaning savvy users can still interact with the smart contracts powering the decentralized service. The primary wallet hasn’t attempted to move funds through Tornado Cash since that tweet, but the operators of the sanctioned wallet only seem to send funds once a day.

Neither fact would make much of a difference for Lazarus’ laundering. Chainalysis added one wallet – the sanctioned “Ronin Bridge Exploit” address – to its free-to-use oracle service yesterday, and not the intermediary addresses the hackers are using.

A representative for Chainalysis said the company provides more comprehensive compliance tools with its paid products. Sources familiar with Tornado Cash did not respond. A Tornado Cash founder said on Twitter Friday that Chainalysis didn’t get back to him about the paid offering.

The U.S. Treasury Department said the wallet was linked to Lazarus Group on Thursday, but the FBI did not confirm until later in the day that federal officials believed the North Korean hacking group was directly responsible for compromising the Axie Infinity-linked Ronin bridge.

“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29,” the FBI said in a statement.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Danny Nelson

Danny is CoinDesk's Managing Editor for Data & Tokens. He owns BTC, ETH and SOL.