Atomic Wallet Hackers Hide $35 Million Stolen Crypto Funds Using THORChain – Here’s What You Need to Know
Hackers that exploited Atomic Wallet for over $100 million earlier this month are using the cross-chain liquidity protocol THORChain to hide their loot.
According to on-chain data, 503 ETH equivalent to $870,000, associated with the Atomic hack, was moved to THORChain on the 18th and 19th of June and then exchanged for Bitcoin, as reported by blockchain investigator Mist Track.
Most of the proceeds in ETH from the exploit were converted to BTC using the SWFT blockchain.
Blockchain analytics firm Elliptic linked the Atomic Wallet exploit to the infamous North Korean hacker group Lazarus.
The same group has reportedly attacked multiple crypto exchanges all over the world to drain billions of dollars worth of crypto to fund DPRK’s ballistic missile programs.
Hackers Launder Stolen Funds Through Garantex
The Atomic Wallet hackers moved some of the stolen funds to crypto exchange Garantex last week.
The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury sanctioned the crypto exchange in April for its ties with Russian darknet marketplace Hydra and for enabling ransomware attackers.
At the same time, OFAC also announced sanctions against the crypto mixing services Blender and Tornado Cash that the North Korean hackers also used to launder funds.
Despite being sanctioned, Garantex continues to operate freely.
As per Elliptic security researchers, many crypto exchanges have already blacklisted addresses linked to the Atomic Wallet hack, but hackers managed to send a portion of the stolen funds to Garantex.
After transferring the funds to the sanctioned crypto exchange, the hackers traded the funds for bitcoin and then laundered them through the bitcoin mixer service provider Sinbad.
For example:
— MistTrack🕵️ (@MistTrack_io) June 20, 2023
According to @MistTrack_io monitoring, the hacker address (0xad3c…1e44) transferred 503.08 $ETH to @THORChain in the last two days and swap for $BTC, then bridged to the BTC address (bc1q…k2xm). pic.twitter.com/Y0N7uptxg7
Lazarus Group Uses Chain-Hopping to Hide Funds
This is not the first time that the North Korean Lazarus group has used chain-hopping to conceal their illicit funds.
The group used the REN protocol and other CEX to move their stolen assets into Bitcoin from the infamous $600 million Ronin Bridge hack last year.
Lazarus hackers had also used Sinbad to launder a portion of the stolen funds from the Ronin Bridge hack.
In June 2022, Horizon Bridge was exploited for over $100 million in a series of attacks. The FBI confirmed that it found strong links to the North Korean hacker group. The hackers used a similar chain-hopping strategy to launder those funds as well as using mixer services like Tornado Cash.
Lazarus has so far stolen over $2 billion in crypto assets from DeFi and crypto exchanges, according to Elliptic.
