Cybersecurity North America Trending

Hacking Cell Lazarus Group Exploit Major Web3 Mixing Service Leading to US Sanctions

The US Department of Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned major web3 mixing service, Tornado Cash.

OFAC said the service is often used by well known North Korean state sponsored hacking cell Lazarus Group, a cohort of prolific crypto hackers which are known to use stolen funds to help the rogue state finance its nuclear weapons program.

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” said under secretary of the treasury for terrorism and financial intelligence, Brian Nelson.

Crypto mixing services aim to obscure the transparency of crypto transactions, shuffling together batches of hundreds to thousands of transactions.

In addition to sanctioning Tornado Cash itself, entities that are majority-owned by anyone who is blocked by these sanctions are also blocked from transacting in the US. All transactions in the US or transmitting to the US that involve any property or interests of those sanctioned are banned, unless authorised by OFAC.

This action is the latest step in Biden administration’s effort to crack down on North Korea’s ongoing illicit system, and follows actions by Treasury in April and May against wallets used by North Korean hackers to store stolen cryptocurrency.

Officials said the action also demonstrates the administration’s focus on putting pressure on the North Korean regime, given how hacks — and specifically hacks of cryptocurrency-related ecosystems — have been a source of hard revenue funding for the development of the DPRK’s weapons program.

The administration will continue to find and block mixing for illicit activity, according to senior administration officials, and is calling on the cryptocurrency industry to do its part to partner with governments worldwide and prevent the illicit activity.

This includes ensuring adequate cybersecurity measures, implementing know your customer measures, and complying with sanctions and anti-money laundering obligations, officials said.

‘Pretty much every major hack’

Since its launch in 2019, Tornado Cash has allowed cybercriminals to launder more than $7billion worth of cryptocurrencies, according to Treasury.

According to analysis by blockchain analytics firm TRM Labs, North Korean cyber criminals alone have used Tornado Cash to launder over $1billion of stolen funds this year, including part of the $620million Ronin Bridge hack against play-to-earn game, Axie Infinity.

Lazarus is also suspected to be behind last week’s hack on the crypto bridge project, Nomad, according to TRM.

Back on May 6, the OFAC sanctioned another mixing service,, marking the first time the US government had levied sanctions against a crypto mixing service. Citing’s use by Russian-tied ransomware groups as well as the Lazarus Group, the action raised questions about how the US government views crypto mixers.

As of Monday, approximately $13.6billion ($7.62billion in USD, $5.97billion in ether) has been deposited in Tornado Cash according to on-chain data tracked by Poma on Dune analytics.

The service has reaped over $18million in fees from 12,243 unique depositors.

It has also taken steps to add a sanctions screening tool to prevent money laundering by state sponsored hacking groups. Though, a senior Treasury official said the agency saw that it was insufficient to prevent the Lazarus group from continuing to launder the proceeds.

For mixing services overall, a report last month from blockchain intelligence firm Chainalysis found the number of illicit addresses sending crypto to mixing addresses has nearly doubled from last year.

In the first half of 2022, known illicit addresses made up 23 per cent of the total amount, up from 12 per cent0 for all of 2021. Of those illicit addresses the vast majority came from sanctioned entities followed by attackers trying to obfuscate stolen funds.

In the second quarter of the year, 30 per cent of funds sent to mixers came from Lazarus Group, Chainalysis found.

Because crypto transaction data is publicly available, it can be easily refined by both analytics firms as well as individual cryptocurrency users, allowing them to create webs of transactions, in many cases demystifying the financial dealings of well known companies, individual investors and, cyber criminals.

Marketed as open source privacy software to crypto users, Tornado Cash had caught the attention of many blockchain experts for serving as a privacy solution that had also garnered increased use from cyber criminals.

Notably, its backend technology uses award-winning cryptographic proofs, and the majority of funds tracked flowing to the app haven’t been proven to be criminal.

“Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them,” Nelson added in the release.

Officials also noted that since sanctioning, the service hasn’t continued to pose major issues.

Monday’s sanctions “reopens that question” according to Ari Rebord, head of legal and government affairs with blockchain analytics firm, TRM Labs.

“If you look at pretty much every major hack on a cryptocurrency business in 2022, whether it’s North Korea-related or not, the hacker very quickly moves funds through Tornado Cash after their theft,” Redbord said.


  • Francis is a journalist and our lead LatAm correspondent, with a BA in Classical Civilization, he has a specialist interest in North and South America.

Related posts

Saudi Arabian Based Fintech Event, LEAP, to Showcase Over 700 Start Ups’ Solutions

Francis Bignell

Paysend Makes Digital Money Transfers More Accessible for US Customers

Polly Jean Harrison

Drawbridge: Supply Chain Security – The Missing Piece

The Fintech Times