Sanctioned Crypto Wallet Linked to North Korean Hackers Keeps Laundering

It’s a game of wallet whack-a-mole despite Tornado Cash’s efforts. For now, the hackers appear to be winning.

Apr 15, 2022 at 7:55 p.m. UTC
Updated Apr 26, 2022 at 9:31 p.m. UTC

Danny is CoinDesk's deputy business editor. He owns BTC, ETH and SOL.

An alleged North Korean Ethereum wallet tied to March’s $600 million crypto hack continues to launder its stolen ether (ETH) Friday in defiance of U.S. sanctions.

The blacklisted address that U.S. authorities say is controlled by North Korea’s elite “Lazarus” hacker group sent 2,915 ETH (around $8.8 million) to the cleaners this morning New York time, a day after federal officials added it to the government’s sanctions list.

After a brief pit stop at a fresh, unsanctioned wallet, the funds were pushed through the popular coin mixer Tornado Cash, where the trail went cold.

It was a continuation of what one tracing expert told CoinDesk is a brute-force laundering strategy tailored for speed – even at the expense of some of the treasure. One month after draining the Ronin Bridge of over $600 million in crypto, the hackers are pushing their trove through Tornado Cash, about $10 million at a time.

Tracing company Elliptic on Thursday estimated the Ronin hackers have laundered $80 million through Tornado Cash. Friday morning’s transactions likely add at least another $8 million to this sum. It’s unclear how much Lazarus can successfully launder for its own purposes.

Open book

Ethereum’s transparent transaction ledger reveals the gambit.

For the last 10 days, the “Ronin Bridge Exploit” address has sent multimillion-dollar batches of ETH to intermediary wallets for processing through Tornado Cash. It moves fast, depositing 100 ETH tranches into Tornado Cash in a matter of hours and abandoning the relatively small sums that remain. Tornado Cash’s ether pools only accept fixed denominations, the largest of which is 100 ETH, so whatever is left over after the last full tranche either waits for another pass or stays stranded in the intermediary.

Shortly after Friday morning’s mix, Tornado Cash tweeted it uses a data feed from Chainalysis to “block [Office of Foreign Assets Control] sanctioned addresses from accessing the dapp.”

CoinDesk has not been able to confirm when the oracle integration went live. Either way, it only affects Tornado Cash’s front end: the check runs on the website, not in the smart contracts, so anyone who skips the site and calls the contracts directly can still deposit. The primary wallet hasn’t attempted to move funds through Tornado Cash since that tweet, but the operators of the sanctioned wallet only seem to send funds once a day.

Neither fact would make much of a difference for Lazarus’ laundering. Chainalysis added one wallet – the sanctioned “Ronin Bridge Exploit” address – to its free-to-use oracle service yesterday, and not the intermediary addresses the hackers are using.
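The gap described in the two paragraphs above can be shown with a small transfer-graph walk. The following is an added example written for this page, not CoinDesk’s or Chainalysis’s code; every address and amount in it is a constructed placeholder standing in for the roles in the story (the listed primary wallet, a fresh intermediary, the mixer’s 100 ETH pool), not real on-chain data. It contrasts the exact-match screen a front-end oracle performs with a forward taint propagation over the transfers, and tallies what reaches the mixer and what is left stranded.

```python
"""Front-end blocklist screening versus forward taint over a transfer graph.

Constructed walk-through: an exact-match blocklist only matches the address it
was given, so a pass-through wallet one hop downstream screens as clean.
Propagating taint forward over the transfers catches it. Addresses and amounts
are placeholders (assumptions for this example), not real chain data.
"""
from typing import Dict, Iterable, List, Set, Tuple

Transfer = Tuple[str, str, float]  # (sender, recipient, amount in ETH)

# Constructed placeholder addresses for the roles in the article.
SANCTIONED_PRIMARY = "0xSANCTIONED_PRIMARY"   # the listed "Ronin Bridge Exploit" wallet
INTERMEDIARY = "0xFRESH_INTERMEDIARY"          # fresh, unsanctioned pass-through wallet
TORNADO_100_ETH = "0xTORNADO_100ETH_POOL"      # the mixer's 100 ETH pool contract

# Constructed transfers modelled on the pattern in the article: one 2,915 ETH
# hop to a fresh wallet, then 29 fixed 100 ETH deposits into the mixer pool,
# leaving a 15 ETH remainder stranded in the intermediary.
TRANSFERS: List[Transfer] = [(SANCTIONED_PRIMARY, INTERMEDIARY, 2915.0)]
TRANSFERS += [(INTERMEDIARY, TORNADO_100_ETH, 100.0)] * 29


def front_end_screen(addr: str, blocklist: Set[str]) -> bool:
    """Exact-match screening, the check a dapp front end fed by a sanctions
    address oracle performs. Returns True if the address would be blocked."""
    return addr in blocklist


def taint_forward(transfers: List[Transfer], seeds: Set[str], max_hops: int,
                  stop_at: Iterable[str] = ()) -> Dict[str, int]:
    """Breadth-first forward taint from the seed addresses.

    Returns {address: hop distance}; seeds are at distance 0. Addresses in
    stop_at (mixer pools) are recorded but not expanded further, since a
    mixer deposit is where tracing of a specific deposit goes cold.
    """
    stop = set(stop_at)
    dist: Dict[str, int] = {a: 0 for a in seeds}
    frontier: Set[str] = set(seeds)
    for hop in range(1, max_hops + 1):
        reached: Set[str] = set()
        for src, dst, _ in transfers:
            if src in frontier and dst not in dist:
                dist[dst] = hop
                if dst not in stop:
                    reached.add(dst)
        if not reached:
            break
        frontier = reached
    return dist


def mixer_inflow(transfers: List[Transfer], tainted: Set[str],
                 mixer: str) -> Tuple[float, int]:
    """Total ETH and number of deposits that tainted addresses sent to the mixer."""
    total, count = 0.0, 0
    for src, dst, amt in transfers:
        if dst == mixer and src in tainted:
            total += amt
            count += 1
    return total, count


def balance(transfers: List[Transfer], addr: str) -> float:
    """Net ETH left at an address after all transfers (gas ignored)."""
    bal = 0.0
    for src, dst, amt in transfers:
        if dst == addr:
            bal += amt
        if src == addr:
            bal -= amt
    return bal


if __name__ == "__main__":
    blocklist = {SANCTIONED_PRIMARY}
    print("front end blocks primary:     ", front_end_screen(SANCTIONED_PRIMARY, blocklist))
    print("front end blocks intermediary:", front_end_screen(INTERMEDIARY, blocklist))
    taint = taint_forward(TRANSFERS, blocklist, max_hops=3, stop_at={TORNADO_100_ETH})
    print("tainted addresses:", taint)
    print("tainted inflow to 100 ETH pool:", mixer_inflow(TRANSFERS, set(taint), TORNADO_100_ETH))
    print("stranded in intermediary:", balance(TRANSFERS, INTERMEDIARY))
```

The front-end check passes the intermediary because it was never listed, while the one-hop taint marks it and attributes all 29 pool deposits (2,900 ETH) to the sanctioned source, with 15 ETH left behind. A screen that only consults the published list, and only at the website, is the weaker of the two by construction; the contracts themselves never see either check.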

A representative for Chainalysis said the company provides more comprehensive compliance tools with its paid products. Sources familiar with Tornado Cash did not respond. A Tornado Cash founder said on Twitter Friday that Chainalysis didn’t get back to him about the paid offering.

The U.S. Treasury Department said the wallet was linked to Lazarus Group on Thursday, but the FBI did not confirm until later in the day that federal officials believed the North Korean hacking group was directly responsible for compromising the Axie Infinity-linked Ronin bridge.

“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29,” the FBI said in a statement.
