The U.S. Treasury Department on Monday placed sanctions against crypto mixing service Tornado Cash, citing its use by the North Korea-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and cash out the ill-gotten money.
Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, is estimated to have been used to launder more than $7.6 billion worth of virtual assets since its creation in 2019, the department said.
Thefts, hacks, and fraud account for $1.54 billion of the total assets sent through the mixer, according to blockchain analytics firm Elliptic.
Crypto mixing is akin to shuffling digital currencies through a black box, blending a certain quantity of digital funds in private pools before transferring it to its designated receivers for a fee. The aim is to make transactions anonymous and difficult to trace.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” Brian E. Nelson, under secretary of the Treasury for terrorism and financial intelligence, said.
The development comes as North Korea’s Lazarus Group (aka Hidden Cobra) has been linked to the use of the decentralized crypto mixer to funnel the proceeds from a string of major hacks targeting virtual currency services, including that of Axie Infinity and Harmony Horizon Bridge in recent months.
The theft of $624 million worth of Ethereum from Axie Infinity’s Ronin network bridge is the largest known cryptocurrency heist to date, with the $190 million hack of Nomad Bridge last week taking the fifth spot. The Horizon Bridge theft comes in at 11.
Specifically, the Treasury Department pointed to Tornado Cash’s role in laundering over $455 million and $96 million worth of cryptocurrency stolen from the two heists. It has also been implicated for facilitating the theft of at least $7.8 million following the attack on Nomad Bridge.
“Tornado receives a variety of transactions and mixes them together before transmitting them to their individual recipients,” the agency said. “While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists.”
Also sanctioned by the department are 38 Ethereum-based addresses holding Ether (ETH) and USD Coin (USDC) that are linked to it, effectively prohibiting U.S. entities from transacting with these wallets.
“As a smart contract-based mixer, Tornado Cash is one of the most advanced methods available for laundering ill-gotten cryptocurrency, and cutting it off from compliant cryptocurrency businesses represents a huge blow for criminals looking to cash out,” Chainalysis said.
The move makes Tornado Cash the second cryptocurrency mixer to be blocklisted by the Office of Foreign Assets Control (OFAC) following the designation of Blender.io in May 2022, also for its part in laundering illicit funds siphoned by the Lazarus Group and cybercrime cartels like TrickBot, Conti, Ryuk, and Gandcrab.
It’s also the latest escalation in a series of enforcement actions aimed at tackling cryptocurrency-based crime, in the wake of similar sanctions imposed by the Treasury on virtual currency exchanges SUEX, CHATEX, and Garantex over the past year.
North Korea is ranked among the leading state-sponsored countries, and its history of financially-driven attacks signals the success it has had using cybercrime to fund its activities as a way to work around stringent international sanctions.
The crackdown, therefore, also aims to block the hermit kingdom from converting illicit crypto funds into more usable traditional currencies to finance nuclear development and meet its national objectives.
“Tornado Cash community tries its best to make sure it can be used by good actors by providing compliance tools for example,” Roman Semenov, one of the co-founders of Tornado Cash, said in a tweet. “Unfortunately it’s technically impossible to block anyone from using the smart contract on the blockchain.”
The sanctions seem to be having further repercussions, what with Semenov’s GitHub account suspended in the aftermath of the announcement. “Is writing an (sic) open source code illegal now?,” he tweeted.