An allegedly North Korean Ethereum wallet tied to March’s $600 million crypto hack continued to launder its stolen ETH Friday in defiance of U.S. sanctions.

The blacklisted address that U.S. authorities say is controlled by North Korea’s elite “Lazarus” hacker group sent 2,915 ETH (around $8.8 million) to the cleaners this morning New York time, a day after federal officials listed it on its sanctions database.

Making a brief pit stop at a fresh, unsanctioned wallet, its crypto quickly flew through the popular coin mixer Tornado Cash, where the trail went cold.

It was a continuation of what one tracing expert told CoinDesk is a brute-force laundering strategy tailored for speed – even at the expense of some of the treasure. One month after draining the Ronin Bridge of over $600 million in crypto, the hackers are pushing their trove through Tornado Cash, about $10 million at a time.

Tracing company Elliptic on Thursday estimated the Ronin hackers have laundered $80 million through Tornado Cash. Friday morning’s transactions likely add at least another $8 million to this sum. It’s unclear how much Lazarus can successfully launder for its own purposes.

Ethereum’s transparent transaction ledger reveals the gambit.

For the last 10 days, the “Ronin Bridge Exploit” address has sent multimillion-dollar batches of ETH to intermediary wallets for processing through Tornado Cash. It moves fast, depositing 100 ETH tranches into Tornado Cash in a matter of hours and abandoning the relatively small sums that remain.

Shortly after this morning’s mix, Tornado Cash tweeted it uses a data feed from Chainalysis to “block OFAC sanctioned addresses from accessing the dapp.”

CoinDesk has not been able to confirm when the oracle integration went live. Either way, it only affects Tornado Cash’s front-end, meaning savvy users can still interact with the smart contracts powering the decentralized service. The primary wallet hasn’t attempted to move funds through Tornado Cash since that tweet, but the operators of the sanctioned wallet only seem to send funds once a day.

Neither fact would make much of a difference for Lazarus’ laundering. Chainalysis added one wallet – the sanctioned “Ronin Bridge Exploit” address – to its free-to-use oracle service yesterday, and not the intermediary addresses the hackers are using.

A representative for Chainalysis said the company provides more comprehensive compliance tools with its paid products. Sources familiar with Tornado Cash did not respond. A Tornado Cash founder said on Twitter Friday that Chainalysis didn’t get back to him about the paid offering.

The U.S. Treasury Department said the wallet was linked to Lazarus Group on Thursday, but the FBI did not confirm until later in the day that federal officials believed the North Korean hacking group was directly responsible for compromising the Axie Infinity-linked Ronin bridge.

“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29,” the FBI said in a statement.


The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Read More