North Korea’s Lazarus Hackers Resume Tornado Cash for Crypto Laundering

Estimated read time 3 min read

The Lazarus hacking group, who are known for their cyber heists to fund the North Korean regime, have been laundering their crypto using Tornado Cash crypto mixer, despite the service being sanctioned by U.S. authorities.

According to investigators at blockchain analytics firm Elliptic, over the past day, they detected around $23 million worth of cryptocurrency, believed to be part of the $112.5 million stolen from the HTX exchange in a November attack linked to Lazarus, being laundered through Tornado Cash.

“Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail,” Elliptic stated, pointing out that the hackers sent the over $23 million in about 60 separate transactions.

Tornado Cash crypto mixer

Bouncing Back Despite Roadblocks

The researchers suggest that this change in tactics, reverting to Tornado Cash despite the sanctions, likely stems from the dwindling number of large-scale crypto mixers still operational due to law enforcement crackdowns on services like and

Tornado Cash‘s decentralized nature, running on blockchain technology, has allowed it to continue functioning despite the sanctions. This basically means it’s not controlled by any one person or company, making it super tough to shut down. So, Lazarus is taking advantage of this complexity to try and cover their tracks.

Elliptic has been tracking the $112.5 million stolen from HTX since the exchange attributed the heist to Lazarus Group. The funds remained dormant until March 13, when the security firm observed a portion being cycled through Tornado Cash—a move corroborated by other blockchain analysts.

A screenshot from Elliptic Investigator, showing the primary flow of funds from the HTX/HECO Bridge hacker wallet to Tornado Cash, as of March 15, 2024. (Not all transaction flows are displayed)

Fueling the Regime’s Ambitions

North Korean state-sponsored hacking groups like Lazarus have increasingly relied on cryptocurrency thefts and subsequent money laundering via mixers to bypass international sanctions imposed on the hermit kingdom over its nuclear and ballistic missile programs.

The U.S. government has directly linked the billions of dollars worth of crypto stolen in recent years, such as the record-breaking Atomic Wallet, Axie Infinity and Horizon Bridge hacks, to North Korean actors like Lazarus, funneling funds to support the Kim regime’s illicit weapons development ambitions.

With over a decade of cyber-criminal exploits under their belt and estimated to have pilfered upwards of $2 billion in digital assets, the Lazarus Group remains one of the most potent and persistent hacking threats emanating from North Korea’s state-backed cyberwarfare machinery.

June Bauer

Pop cultureaholic, Technology expert, Web fanatic and a Social media geek. If you have any questions or comments please feel free to email her at or contact her on X @JuneTBauer1

You May Also Like

More From Author