U.S. moves to seize $2.7 million from Lazarus hacks traced through Tornado Cash, other mixers

Quick Take

  • The U.S. Justice Department has filed forfeiture actions for $2.67 million worth of cryptocurrency, in the form of Tether stablecoins and Avalanche-bridged Bitcoin (BTC.b), that the government says was frozen during attempts by North Korean hackers to launder the funds. 
  • The government has recovered about $1.7 million worth of Tether from the Deribit hack in Nov. 2022 and about $970,000 worth of BTC.b from the Stake.com hack in Sept. 2023. 

Two recent forfeiture actions filed by the U.S. Attorney for the District of Columbia have uncovered new details about how North Korean crypto hackers launder their funds, as the U.S. government seeks to seize about $2.67 million worth of cryptocurrency stolen in two major hacks. 

The forfeiture complaints, first filed on Friday, aim to recover about $1.7 million worth of Tether (USDT) traced through the Tornado Cash mixer from the North Korean-linked Lazarus Group's $28 million hack of crypto options exchange Deribit in November 2022, and about 15.5 Avalanche-bridged Bitcoin (BTC.b), worth about $971,000 at current prices, from the group's $41 million hack of online crypto casino Stake.com. 

From Deribit to Tornado

The first of the two filings concerns the Lazarus Group's methods of laundering money from the Deribit hack through crypto mixer Tornado Cash, the service at the heart of an upcoming money laundering trial watched closely by crypto advocates. Law enforcement was able to trace some of the $28 million laundered from the theft. According to the filing, North Korean hackers obtained access to Deribit's hot wallet server, swapped the stolen assets to Ether (ETH), sent them through Tornado Cash, and eventually converted them into Tether stablecoins on the Tron blockchain, as shown in a diagram from the filing. 

Law enforcement officials traced the funds through Tornado Cash by noting similarities between certain Ethereum wallets: the wallets received transfers within minutes of each other, used the same cross-chain bridges, were funded for transaction fees from the same address, and sent their funds on to the same consolidation addresses. 
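The wallet-linking heuristics described above, as an added Python example that is not code from the filing or the article. The ledger, addresses, bridge labels and the 10-minute timing window are all constructed for illustration; the point it adds is that the four signals are combined, since any one of them alone (a shared gas-funding service, say) also matches unrelated users.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# Constructed sample ledger for illustration only; addresses, timestamps and
# bridge labels are invented and do not come from the forfeiture filing.
T0 = 1_700_000_000  # arbitrary unix-time origin for the sample


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    ts: int
    kind: str        # "withdraw" (mixer -> wallet), "fee" (gas top-up -> wallet),
                     # "bridge" (wallet -> bridge), "consolidate" (wallet -> sink)
    label: str = ""  # bridge name for "bridge" rows


TRANSFERS = [
    # Three wallets drained from the mixer within minutes of each other ...
    Transfer("0xMixer", "0xWalletA", T0, "withdraw"),
    Transfer("0xMixer", "0xWalletB", T0 + 120, "withdraw"),
    Transfer("0xMixer", "0xWalletC", T0 + 300, "withdraw"),
    # ... gas-funded by one address, using one bridge, sweeping to one sink.
    Transfer("0xGasFunder", "0xWalletA", T0 - 60, "fee"),
    Transfer("0xGasFunder", "0xWalletB", T0 + 30, "fee"),
    Transfer("0xGasFunder", "0xWalletC", T0 + 200, "fee"),
    Transfer("0xWalletA", "0xBridgeX", T0 + 600, "bridge", "bridge-x"),
    Transfer("0xWalletB", "0xBridgeX", T0 + 700, "bridge", "bridge-x"),
    Transfer("0xWalletC", "0xBridgeX", T0 + 900, "bridge", "bridge-x"),
    Transfer("0xWalletA", "0xSink", T0 + 3600, "consolidate"),
    Transfer("0xWalletB", "0xSink", T0 + 3700, "consolidate"),
    Transfer("0xWalletC", "0xSink", T0 + 3900, "consolidate"),
    # Decoy 1: unrelated user who happens to use the same gas-funding service.
    Transfer("0xMixer", "0xWalletD", T0 + 86_400, "withdraw"),
    Transfer("0xGasFunder", "0xWalletD", T0 + 86_000, "fee"),
    Transfer("0xWalletD", "0xBridgeY", T0 + 90_000, "bridge", "bridge-y"),
    Transfer("0xWalletD", "0xOtherSink", T0 + 95_000, "consolidate"),
    # Decoy 2: unrelated user whose withdrawal merely coincides in time.
    Transfer("0xMixer", "0xWalletE", T0 + 60, "withdraw"),
    Transfer("0xGasFunder2", "0xWalletE", T0, "fee"),
    Transfer("0xWalletE", "0xElsewhere", T0 + 5000, "consolidate"),
]


def _wallet_features(transfers):
    """Collect, per wallet, the four signals the heuristics compare."""
    feats = defaultdict(lambda: {"withdraw": [], "fee": set(), "bridge": set(), "sink": set()})
    for t in transfers:
        if t.kind == "withdraw":
            feats[t.dst]["withdraw"].append(t.ts)
        elif t.kind == "fee":
            feats[t.dst]["fee"].add(t.src)
        elif t.kind == "bridge":
            feats[t.src]["bridge"].add(t.label)
        elif t.kind == "consolidate":
            feats[t.src]["sink"].add(t.dst)
    return feats


def pair_indicators(transfers, window=600):
    """Return {(wallet_a, wallet_b): set of matching indicators} for every pair
    sharing at least one signal. `window` is the timing tolerance in seconds."""
    feats = _wallet_features(transfers)
    hits = {}
    for a, b in combinations(sorted(feats), 2):
        fa, fb = feats[a], feats[b]
        shared = set()
        if any(abs(x - y) <= window for x in fa["withdraw"] for y in fb["withdraw"]):
            shared.add("timing")
        if fa["fee"] & fb["fee"]:
            shared.add("fee_funder")
        if fa["bridge"] & fb["bridge"]:
            shared.add("bridge")
        if fa["sink"] & fb["sink"]:
            shared.add("sink")
        if shared:
            hits[(a, b)] = shared
    return hits


def cluster(transfers, min_indicators=2, window=600):
    """Union-find wallets into clusters, linking a pair only when it shares at
    least `min_indicators` signals; one shared signal is too weak on its own."""
    feats = _wallet_features(transfers)
    parent = {w: w for w in feats}

    def find(w):
        while parent[w] != w:
            parent[w] = parent[parent[w]]  # path halving
            w = parent[w]
        return w

    for (a, b), shared in pair_indicators(transfers, window).items():
        if len(shared) >= min_indicators:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for w in feats:
        groups[find(w)].add(w)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: (-len(g), sorted(g)))


if __name__ == "__main__":
    for group in cluster(TRANSFERS):
        print(sorted(group))
```

With the default threshold the three operator wallets form one cluster and both decoys stay separate; lowering `min_indicators` to 1 merges all five, which is the false-positive behaviour an analyst has to guard against before putting an address on a freeze request.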

The hackers attempted to convert the Ethereum assets to USDT in three waves; the first two attempts were halted when law enforcement froze some of the funds in question. In the third attempt the hackers successfully laundered the remainder, leaving law enforcement with about $1.7 million in USDT frozen across five wallets. 

From Stake.com to Sinbad, Yonmix

The second filing concerns the Lazarus Group's $41 million hack of online casino Stake.com and the group's attempt to launder the funds in three stages: converting the funds into BTC through Avalanche's Bitcoin bridge, moving the stolen BTC through the Bitcoin mixers Sinbad and Yonmix, and finally converting the Bitcoin into stablecoins such as USDT. The relevant funds were frozen during the first and third stages, likely through asset freeze requests to the Avalanche Bridge. 

During stage one, law enforcement froze assets from seven transactions that generally involved converting stolen assets into native tokens such as Polygon's MATIC and Binance Smart Chain's BNB and then bridging that value to Bitcoin through the Avalanche Bridge. However, despite the government's intervention, "the North Koreans were able to transfer the majority of the stolen funds to the BTC blockchain," the filing states. 

Once on Bitcoin, the hackers used the mixers Sinbad and Yonmix, which provide a service similar to Tornado Cash on Ethereum, to further obfuscate the movement of the stolen funds. "Law enforcement traced the flow of the stolen funds through both mixing services to the next stage of the North Korean hackers' laundering process," the filing states. But despite identifying the consolidation wallet, officials were able to recover only an additional 0.099 BTC, worth about $6,270 at current prices. 

Although law enforcement has improved its ability to trace and seize illicit cryptocurrency, the Lazarus Group remains active; the group was recently blamed for Indian crypto exchange WazirX's $230 million exploit, among other attacks.



© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Zack Abrams is a writer and editor based in Brooklyn, New York. Before coming to The Block, he was the Head Writer at Coinage, a Web3 media outlet covering the biggest stories in Web3. The story he co-reported on Do Kwon won a 2022 Best in Business Journalism award from SABEW. Other projects included a deep dive into SBF's defense based on exclusive documents and unveiling the identity of the hacker behind one of 2023's biggest crypto hacks so far. He can be reached via X @zackdabrams or by email.