HomeNewsNorth Korean wallet tied to Ronin hack laundering ether unperturbed
North Korean wallet tied to Ronin hack laundering ether unperturbed

North Korean wallet tied to Ronin hack laundering ether unperturbed

Last updated 30th Nov 2022
  • Elite “Lazarus” hacker group sent the equivalent of $9 million in either to the cleaners this morning
  • Trail went cold after Tornado Cash
  • Lazarus is using brute-force laundering, targeting speed above all else

An allegedly North Korean Ethereum wallet, implicated in the $600 million crypto hack of the Ronin Bridge last month, is laundering stolen ether despite U.S. sanctions, CoinDesk reported.

According to U.S. authorities, the elite “Lazarus” hacker group sent the equivalent of almost $9 million in either to the cleaners this morning Eastern Time, a day after being listed on its sanctions database.

Trail went cold after Tornado Cash

The money was transferred to a fresh, unsanctioned wallet briefly, after which it was processed by privacy coin mixer Tornado Cash. The trail went cold after that.

“Brute-force” laundering

In the words of one tracing expert CoinDesk spoke with, this is a brute-force laundering strategy targeting speed above all else, even at the expense of loss of funds. After the Ronin Bridge was drained of over $600 million in crypto, the criminals are now pushing the funds in small batches through Tornado Cash, about $10 million at a time.

According to tracing company Elliptic, the Ronin hackers have laundered $80 million through Tornado Cash so far. Another $8 million was processed yesterday morning.

Moving fast

The address behind the Ronin exploit has been sending ether in multimillion-dollar batches to interim wallets for Tornado Cash processing over the last 10 days. It’s moving very fast, depositing ether tranches of 100 ETH into the mixer in a few hours and leaving the relatively small sums that remain behind.

Chainalysis oracle proved ineffective

After the most recent tranche, Tornado Cash tweeted it was using an oracle from Chainalysis to “block OFAC sanctioned addresses from accessing the dApp.” Even if these data feed went live, they only impact the mixer’s front-end. Users can still interact with the underlying smart contracts.

Since that tweet, the primary wallet hasn’t tried to move any more funds through Tornado Cash, but that could be purely coincidental. Chainalysis commented that their paid products come with more effective compliance tools.

FBI confirmed allegations

Back on Thursday, the U.S. Treasury Department said the wallet was connected to Lazarus Group. Later that day, the FBI confirmed they believed Lazarus, the elite North Korean hacking group, compromised the Ronin Bridge, linked to popular P2E game Axie Infinity. The FBI stated:

Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29.

Daniela Kirova

Daniela Kirova

Daniela is a writer at Bankless Times, covering the latest news on the cryptocurrency market and blockchain industry. She has over 15 years of experience as a writer, having ghostwritten for several online publications in the financial sector.