US treasury whips up sanctions for crypto mixer Tornado Cash
Being the money launderer for North Korea’s Lazarus Group comes at a price
The US Treasury Department is levying sanctions against Tornado Cash, a notorious cryptocurrency mixer that it says has been used by threat groups like ransomware gang Lazarus to launder stolen digital assets.
According to the government agency, Tornado Cash has been used to launder more than $455 million stolen by the North Korean-supported Lazarus Group, including more than $96 million in Wrapped Bitcoin, Ethereum and other digital assets from blockchain startup Harmony's Horizon Bridge service in June.
Tornado Cash also has been linked to an array of other high-profile heists, including at least $80 million in Ethereum and Beans cryptocurrencies stolen from decentralized finance platform Beanstalk Farms in April and $1.2 million in cryptocurrency from decentralized autonomous organization Inverse Finance in June.
Most recently, Tornado Cash allegedly laundered about $7.8 million of $200 million in tokens stolen from cryptocurrency bridge Nomad earlier this month, according to Treasury.
Brian Nelson, Treasury under secretary for terrorism and financial intelligence, said in a statement Monday that the agency had no recourse but to levy the sanctions.
"Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks," Nelson said. "Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them."
Under the sanctions, US citizens or anyone in the United States can no longer do business with Tornado Cash unless given specific approval by the US Office of Foreign Assets Control (OFAC). In addition, any entities that are directly or indirectly owned 50 percent or more by such people also are blocked.
The sanctions against Tornado Cash come three months after similar restrictions were put on Blender, another crypto mixer used by Lazarus and others to launder ill-gotten crypto gains. The Blender sanctions were the first of their kind levied against a crypto mixer.
According to Treasury, Tornado Cash is on the Ethereum blockchain and essentially processes any anonymous transactions through its operations, obfuscating their origin, destination, and parties involved. The entity doesn't try to determine their origin.
"Tornado receives a variety of transactions and mixes them together before transmitting them to their individual recipients," the agency said in a statement. "While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists."
The Treasury Department pointed to mixers as a national security threat to the United States, arguing that threat groups use them to hide stolen money and to expand their use of technologies that enhance their anonymity.
In its latest National Money Laundering Risk Assessment report issued earlier this year, Treasury wrote about the growing ransomware threat, noting that cybercriminals are increasingly targeting larger enterprises in hopes of a significant payday and are expanding efforts to make themselves more difficult to detect.
That includes demanding ransom in cryptocurrencies that can enhance that anonymity, or requiring an additional fee from victims if they pay in a high-profile cryptocurrency like Bitcoin, and having the funds sent to virtual asset service providers like exchanges, usually in foreign countries.
"To further obfuscate the laundering of ransomware proceeds, threat actors avoid using the same wallet addresses and use chain hopping, mixing services, and decentralized exchanges," the report's authors wrote.
In a report last year, Financial Executives International – an association of enterprise CFOs, controllers, treasurers, and similar corporate officials – noted the need of ransomware groups for crypto mixers (also known as crypto tumblers) in making it more difficult to trace funds back to the original sources.
"Threat actors use cryptocurrency tumbling services because they help create a much more convoluted path for law enforcement and fraud investigators to follow," the FEI wrote. "The user sends bitcoin or another cryptocurrency to the tumbler's address. Then, the user's bitcoin is mixed with other transactions and distributed among many wallets that belong to the tumbling service. Finally, after the process is complete, the clean bitcoin is sent back to the original user or another new user."