Sanctioned Crypto Wallet Linked to North Korean Hackers Keeps Laundering

An alleged North Korean Ethereum wallet tied to March’s $600 million crypto hack continues to launder its stolen ether ETH$2,799.34 Friday in defiance of U.S. sanctions.

The blacklisted address that U.S. authorities say is controlled by North Korea’s elite “Lazarus” hacker group sent 2,915 ETH (around $8.8 million) to the cleaners this morning New York time, a day after federal officials listed it on its sanctions database.

Making a brief pit stop at a fresh, unsanctioned wallet, its crypto quickly flew through the popular coin mixer Tornado Cash, where the trail went cold.

It was a continuation of what one tracing expert told CoinDesk is a brute-force laundering strategy tailored for speed – even at the expense of some of the treasure. One month after draining the Ronin Bridge of over $600 million in crypto, the hackers are pushing their trove through Tornado Cash, about $10 million at a time.

Tracing company Elliptic on Thursday estimated the Ronin hackers have laundered $80 million through Tornado Cash. Friday morning’s transactions likely add at least another $8 million to this sum. It’s unclear how much Lazarus can successfully launder for its own purposes.

Open book

Ethereum’s transparent transaction ledger reveals the gambit.

For the last 10 days, the “Ronin Bridge Exploit” address has sent multimillion-dollar batches of ETH to intermediary wallets for processing through Tornado Cash. It moves fast, depositing 100 ETH tranches into Tornado Cash in a matter of hours and abandoning the relatively small sums that remain.

Read more: Tornado Cash Adds Chainalysis Tool for Blocking OFAC-Sanctioned Wallets From Dapp

Shortly after Friday morning’s mix, Tornado Cash tweeted it uses a data feed from Chainalysis to “block [Office of Foreign Assets Control] sanctioned addresses from accessing the dapp.”

CoinDesk has not been able to confirm when the oracle integration went live. Either way, it only affects Tornado Cash’s front end, meaning savvy users can still interact with the smart contracts powering the decentralized service. The primary wallet hasn’t attempted to move funds through Tornado Cash since that tweet, but the operators of the sanctioned wallet only seem to send funds once a day.

Neither fact would make much of a difference for Lazarus’ laundering. Chainalysis added one wallet – the sanctioned “Ronin Bridge Exploit” address – to its free-to-use oracle service yesterday, and not the intermediary addresses the hackers are using.

A representative for Chainalysis said the company provides more comprehensive compliance tools with its paid products. Sources familiar with Tornado Cash did not respond. A Tornado Cash founder said on Twitter Friday that Chainalysis didn’t get back to him about the paid offering.

The U.S. Treasury Department said the wallet was linked to Lazarus Group on Thursday, but the FBI did not confirm until later in the day that federal officials believed the North Korean hacking group was directly responsible for compromising the Axie Infinity-linked Ronin bridge.

“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29,” the FBI said in a statement.