North Korean state-sponsored cyberfraudsters are attracting increasing attention and, so far, have been outsmarting the government authorities pursuing them. Here’s what fraud examiners can learn from the authoritarian regime’s tricks to exploit the
latest technology and what they need to know to stop them.
When the Lazarus Group, a North Korean state-controlled hacking group, stole up to $625 million of digital tokens earlier this year from the Ronin network that supports Axie Infinity, a popular play-to-earn game, it marked the largest cyberattack
to date in the decentralized finance (DeFi) space and the second biggest crypto theft of all time.
How did it find its way into the Ronin network? Simple. Fake job ads on LinkedIn. Posing as a company that offered high-paying posts for engineers, the criminal gang enticed one candidate to click on a PDF that initiated an infection chain that opened
the door for the hackers. Lazarus has been tied to several such scams, and just this year it impersonated military contractor Lockheed Martin to lure job applicants to click on malicious links. (See “Now we know who’s behind one of the largest crypto
heists in history: North Korea,” by Will Daniel, Fortune, April 15, 2022 and “Axie Infinity’s blockchain was reportedly hacked via a fake LinkedIn job offer,” by Adi Robertson, The Verge,
July 6, 2022.)
But that isn’t the only trick that Lazarus and other North Korean military hackers have up their sleeves in a sophisticated multiyear spree of cyberfraud that the Hermit Kingdom is suspected to be using to fund its missile program. They’ve also been
involved in cyberattacks on the entertainment industry, virtual heists of emerging-market banks using fraudulent SWIFT messages (the international banking networking system Society for Worldwide Interbank Financial Telecommunications), cyber-enabled
ATM cash-out thefts, pilfering tens of millions of dollars of cryptocurrency and more. [See “Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe,”
U.S. Department of Justice (DOJ), press release, Feb. 17, 2021.]
Over the years, North Koreans have proven themselves to be adept and wily cyberfraudsters. Rachel Wilson, head of cybersecurity for Morgan Stanley Wealth Management and former counterterrorism expert at the U.S. National Security Agency, says an estimated 7,000 people within the North Korean government are dedicated full-time hackers. Many of them are recruited as young as 11 years old and are torn away from their families to be trained in the art of cyber stealth and deception. (See “The Lazarus Heist — a rollicking ride through North Korean cyber crime,” by Louise Lucas, Financial Times, Aug. 3, 2022 and “Rachel Wilson: Sleepless Nights and Cyber Threats,” by Paul Kilby, Fraud Conference News, June 21, 2022.)
And fraud examiners should be aware of North Korea’s exploits and skills because they’ve spilled over into the greater cybercrime universe. These state-sponsored recruits moonlight in their spare time as criminal hackers to supplement their meager
state salaries, but they also work in conjunction with hardened fraudsters around the world. (See “International Money Launderer Sentenced to over 11 Years in Federal Prison for Laundering Millions from Cyber Crime Schemes,”
DOJ, Sept. 8, 2021 and “Nigerian Instagram star helped North Korean hackers in $1.3B scheme: Feds,” by Elizabeth Elizalde, New York Post, Feb. 20, 2021.)
At this point, the North Korean hackers and their co-conspirators have the advantage. Fraud examiners and law enforcement agencies need to understand what the cyberthieves know and how they know it so investigative actions aren’t completely and prematurely
exposed, and then evaded, by the criminals.
All arms races include locks, lock pickers and then installation of better locks. Repeat. It’s time for a better lock to prevent cryptocurrency fraud — better than mere blockchain technology. Cryptocurrency blockchains are very slippery places with
many darknet alleys, and they comprise the densest cyber environment — the perfect atmosphere for financial and other types of fraud.
“There is strong demand for intelligence surrounding crypto heists and Techniques, Tactics and Procedures [TTPs] of the bad actors utilizing cryptocurrency for nefarious activities,” says Rob Schuett, a former FBI special agent and director of custom
intelligence, synthesis and reporting at cybersecurity firm Mandiant. “Our customers need assistance in educating their user base for defending themselves against the bad actors, as well as being able to identify when they are under attack.”
Outsmarting authorities
Lazarus is years ahead of authorities because its actors are remarkably adept at understanding how to time the movement of their stolen funds. When the U.S. Treasury Office of Foreign Assets Control (OFAC) first alleged in April that Lazarus was behind
the Ronin attack and sanctioned addresses thought to belong to the group, the hack and the hackers themselves became the focus of considerable attention. (See “Treasury Sanctions North Korean Hacker Group, Confirms Ties to $625M Theft,”
by Casey Wagner, Blockworks, Markets, April 14, 2022.)
Aware of this intense scrutiny and the investigation, the gang quickly complicated its movements in cyberspace to cover its tracks while also nimbly trading and swapping multiple cryptocurrencies from the Ronin heist and other criminal activities. CT6 analysts directly observed this high-level operational awareness in the real-time movements the fraudsters made on and off the blockchains. The good news is that their getaway techniques left a trace that law enforcement could have seen at the time, had it been equipped with the right real-time tracking technology.
Fortunately, now there’s a lot more focus on live tracking and alert systems for cryptocurrency, which can trace behavioral signatures on the blockchains in large part because of the impact of the Lazarus Group, as well as an intensified geopolitical
landscape involving Russia and China. This means that fraudsters are no longer invisible in their transactional movements. If investigators use tracking technology and companies providing that technology to law enforcement and security researchers
exercise operational security awareness discipline, we can intercept and redirect stolen funds. Most importantly, thanks to tracking technology, law enforcement agencies and the legal sector can track fraud back to identifiable sources for prosecution
and litigation.
It’s essential fraud examiners are aware of these systems and use them if they’re working in organizations involved with cryptocurrencies. This includes, of course, banks and others in financial services, companies interested in initial coin offerings
(ICOs) and private equity firms investing in the crypto market but also global nongovernmental organizations (NGOs). Public charities are increasingly inclined to accept cryptocurrency donations to boost overall funding and sponsorship, as well
as meet IRS public funding requirements. However, NGOs are also a prime target for fraudsters, who are well aware these organizations are less savvy when it comes to fraud and forensic prevention and remediation.
What we can learn from the Ronin attack
In the Ronin attack, Lazarus used a vulnerability in the Ronin protocol that enabled the use of compromised private keys (codes similar to passwords) to enable the fraudulent withdrawals. By the time the team behind Ronin found out, it was too late.
(See “How The $600M Ethereum Ronin Bridge Hack Was Exposed 6 Days Later,” by Reynaldo Marquez, Bitcoinist.) Making the situation worse, Lazarus had many crypto accounts from previous criminal
activities on multiple off-ramps (final destinations where crypto payments end up), making it difficult to track.
To bring to life the complexity of the crypto environment, the charts below show the movement of the crypto funds Lazarus stole in the Ronin attack, captured mid-journey as they passed through accounts posing as legitimate destinations, and the hidden accounts where the group stashed the booty. The activity shown is by no means exhaustive. It’s also worth noting that there are specific points on the charts below where cryptocurrency can be converted to fiat currency, allowing law enforcement to obtain Know Your Customer (KYC) information for the fiat accounts. Law enforcement could additionally work with global banks, through their correspondent banking relationships, to discover the accounts where the fiat conversions occur via these off-ramp exchangers.
Figure 1: Primary round of transactions in Ronin attack
Source: CT6 CryptoVoyant
- Shows the flow of funds from the victims of the attack to initial Lazarus accounts receiving the stolen bitcoin. (See the black dots.)
- From there, the initial attribution of the payments made to the off-ramp coin payments (one of the final destinations where the crypto payments ended up), along with the continued movement of funds, is displayed.
Figure 2: Secondary round of transactions
Source: CT6 CryptoVoyant
- Lazarus transferred funds to its account at LocalBitcoins and began the obfuscation process by utilizing the mixing service WasabiWallet and payment service WYRE. (For more on mixing services see "Taming Tumblers" at the end of the article.)
The gray node with a snowflake is an example of one of the identified cold wallets. Cold wallets are designated as addresses that have received but never sent cryptocurrency.
Figure 3: Funds movement into off-ramps
Source: CT6 CryptoVoyant
- Lazarus accounts are at off-ramps Luno, Patricia, Remitano, Kraken and Paxful. Off-ramps are the mechanisms that allow for economic value to flow from cryptoassets back into fiat money — essentially, cash-out registers.
Figure 4: Off-ramps, carding shops and cold wallets
Source: CT6 CryptoVoyant
- Accounts are at off-ramps Huobi, MorphToken, BtcTurk and Binance.
- Interactions are shown among Lazarus and carding shops TrustCCV and FeShop. (Carding shops are platforms where cybercriminals can buy and sell stolen card data.)
Two cold wallets (with snowflakes) are shown to be holding Lazarus funds, one of which contained $643,747.24 as of April 8. The Ronin Network attack, pictured in the charts above, was carried out on March 29. The fraudsters stole about $625 million worth of cryptocurrencies: 25.5 million of the stablecoin USDC and another 173,600 ether (ETH).
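To make the tracing shown in the charts concrete, the following Python script is an added example written for this article; it is not CT6 CryptoVoyant code or output from it. It walks a small constructed ledger forward from a victim address, applies the cold-wallet definition used in the charts (received but never sent), stops at mixers and off-ramps (where the next investigative step is a KYC request rather than more graph walking), and lists the off-ramp chokepoints the traced funds touched. All addresses, labels and amounts are constructed placeholders.

```python
from collections import deque

# Constructed sample ledger for this example (NOT real Ronin data):
# (sender, receiver, amount in an arbitrary unit)
TXS = [
    ("ronin_bridge", "laz_1", 100.0),
    ("laz_1", "laz_2", 60.0),
    ("laz_1", "cold_a", 40.0),
    ("laz_2", "mixer_x", 35.0),
    ("laz_2", "exch_a_deposit", 25.0),
    ("mixer_x", "cold_b", 34.5),        # mixer output; not provably linked to the input
    ("exch_a_deposit", "exch_a_hot", 25.0),
    ("bystander", "exch_a_hot", 5.0),
]

# Constructed labels of the kind an analyst attaches from clustering and intel:
# address -> (category, description). Unlabelled addresses are "unknown".
LABELS = {
    "ronin_bridge": ("victim", "Ronin bridge contract (placeholder)"),
    "mixer_x": ("mixer", "Mixer X (placeholder)"),
    "exch_a_deposit": ("off-ramp", "Exchange A deposit address (placeholder)"),
    "exch_a_hot": ("off-ramp", "Exchange A hot wallet (placeholder)"),
}


def category(addr):
    return LABELS.get(addr, ("unknown", ""))[0]


def build_graph(txs):
    """Adjacency list of outgoing edges: sender -> [(receiver, amount), ...]."""
    out_edges = {}
    for src, dst, amt in txs:
        out_edges.setdefault(src, []).append((dst, amt))
    return out_edges


def find_cold_wallets(txs):
    """Cold wallet per the charts' definition: received but never sent.
    This is only a dormancy heuristic, so labelled addresses (e.g. an exchange
    hot wallet that simply has not spent yet) are filtered out by callers."""
    senders = {src for src, _, _ in txs}
    receivers = {dst for _, dst, _ in txs}
    return receivers - senders


def trace_forward(txs, start, max_hops=6, stop_at=("mixer", "off-ramp")):
    """Breadth-first walk along outgoing edges from `start`; returns {address: hops}.
    The walk does not continue past a mixer (its outputs are not provably linked
    to its inputs) or an off-ramp (a custodial service: the next step is a KYC
    request to the service, not more graph walking)."""
    graph = build_graph(txs)
    reached = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hops = reached[addr]
        if hops >= max_hops or (addr != start and category(addr) in stop_at):
            continue
        for nxt, _ in graph.get(addr, []):
            if nxt not in reached:
                reached[nxt] = hops + 1
                queue.append(nxt)
    return reached


def chokepoints(reached, txs):
    """Off-ramp addresses the traced funds touched, with hop distance and the
    amount that arrived there from traced addresses: the KYC chokepoints."""
    result = []
    for addr, hops in reached.items():
        if category(addr) == "off-ramp":
            amount_in = sum(amt for src, dst, amt in txs if dst == addr and src in reached)
            result.append((addr, hops, amount_in, LABELS[addr][1]))
    return sorted(result)


def cold_wallets_holding(reached, txs):
    """Unlabelled dormant addresses on the traced path: candidate stash wallets."""
    return sorted(a for a in reached if a in find_cold_wallets(txs) and category(a) == "unknown")


if __name__ == "__main__":
    reached = trace_forward(TXS, "ronin_bridge")
    for addr, hops in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"hop {hops}: {addr} [{category(addr)}]")
    print("KYC chokepoints:", chokepoints(reached, TXS))
    print("candidate cold wallets:", cold_wallets_holding(reached, TXS))
```

The design choice worth noting is where the walk stops. Continuing through the mixer's output edge would silently assert a link the chain does not prove, and continuing past an exchange deposit address would mix the target's funds with every other customer's in the hot wallet; both are points where the evidence has to come from the service (mixer logs, if any, or KYC records), not the graph.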
Because of the nature and breadth of its crimes, Lazarus is becoming one of the most famous cybercriminal groups. To combat such groups, with their commercial crime acumen and geopolitical goals, it’s essential to understand how they think, where
they came from and precisely how they evolved and gained so much power.
Never underestimate cybercriminal psychology
To get a feel for Lazarus, here are some of the many names of the subgroups associated with it: Dark Seoul Gang, HIDDEN COBRA, Guardians of Peace, APT38, APT-C-26, Labyrinth Chollima, Zinc, Bluenoroff and Stardust Chollima. It’s useful to understand
the motives driving groups under the broader Lazarus umbrella because they often have particular focuses, such as fundraising or basic sabotage. (See “Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations,”
by Michael Barnhart, Michelle Cantos, Jeffery Johnson, Elias Fox, Gary Freas and Dan Scott, Mandiant, Google Cloud, March 23, 2022.)
With just their alias names, the psychology starts to reveal itself. Some are designed to look legitimate and others to show off. This is critical to remember because cyberfraud is all about the human behavior of criminals and victims. Catching these
fraudsters is all about understanding that and staying steps ahead of them.
“The Lazarus Group is often a confusing coverall term used by the media to say ‘North Korea’ when sometimes it is important to point out the particular actors in play as they can sometimes signal a shift in the requirements for the regime writ large,”
says Michael Barnhart, a principal analyst at cybersecurity firm Mandiant and an expert in North Korean operations.
He tells Fraud Magazine that the attack on the Ronin Network mentioned earlier was aligned with the group called TEMP.Hermit, which is part of the North Korean intelligence agency known as Reconnaissance General Bureau. Given the size of
the heist, the hack was likely designed to fund the North Korean regime, he says.
Origins and evolution
One of the ACFE’s basic tenets is that fraud examiners must think like criminals to catch them. To do that we need to look at the origin of the Lazarus Group and its evolution.
The Lazarus Group caught the eye of international experts as early as 2007 when it carried out its first known cyberattack against the South Korean government followed by other similar assaults against its southern neighbor. But the event that perhaps
propelled it into the global limelight took place in 2014 when the FBI accused it of hacking Sony Pictures in retaliation for the film “The Interview,” a comedy that depicts the fictional assassination of the country’s leader Kim Jong-un. Since
then, the group appears to have refocused its efforts on ways to profit from their attacks. (See “What Is the Lazarus Group? Is It Really Comprised of North Korean Hackers?” by Alexiei
Zahorski, MUO, July 10, 2022.)
Between 2015 and 2018, the group reportedly carried out a series of cyberheists, often on central banks in emerging-market countries. Perhaps its most notorious robbery of this type took place in 2016 when it lifted $81 million from the Bangladeshi central bank. Again, the group’s tactics were simple but effective: it used a seemingly innocuous email from a supposed job seeker to fool a bank employee into clicking on an attached resume. Fortunately, just when the hackers were poised to transfer close to $1 billion held in the bank’s Federal Reserve account to a bank in Manila, enough alarm bells went off to stop the rest of the heist. Coincidentally, the address of the Manila branch used by the hackers was Jupiter Street. “Jupiter” raised red flags because it was the name of a sanctioned Iranian vessel, according to a BBC article. (See “The Lazarus heist: How North Korea almost pulled off a billion-dollar hack,” BBC, June 21, 2021.)
As Lazarus and other North Korean-sponsored groups have become more sophisticated and their deeds more widespread, the U.S. government has been seeking ways to crack down on the fraudsters and stop them from laundering stolen funds. (See “Treasury Sanctions
North Korean State-Sponsored Malicious Cyber Groups,” U.S. Department of the Treasury, press release, Sept. 13, 2019; “Cyber Criminals Increasingly Exploit Vulnerabilities in Decentralized Finance Platforms to Obtain Cryptocurrency,
Causing Investors to Lose Money,” FBI, Aug. 29, 2022; and “Taming tumblers” at the end of the article.)
A more sophisticated and broader reach
Indeed, Lazarus’s attacks have become more sophisticated and increasingly directed at commercial interests and the digital infrastructure we all increasingly use to carry out everything from banking to e-commerce. Law enforcement believes Lazarus
was behind the appropriately named ransomware WannaCry, which in 2017 reportedly infected up to 200,000 computer systems across the private and public sectors. Experts, who thought the ransomware was highly sophisticated, raised concerns about
how such technological know-how might spill over into the criminal world and be used by other bad actors. (See “WannaCry ransomware has links to North Korea, cybersecurity experts say,”
by Olivia Solon, The Guardian, May 15, 2017.)
In May 2019, Lazarus carried out a client token campaign, which is a form of malware that hosts malicious JavaScript files on compromised websites to steal card information during U.S. and European e-commerce transactions. Card Not Present (CNP) fraud
became much worse with this sort of malware, which can literally snag card information once a cardholder logs into a website. CNP fraud, the unauthorized use of a payment card online or over the phone, has been rising amid a spike in online purchases
following the COVID-19 pandemic. (See “Card Not Present Fraud is Skyrocketing,” by Ann Davidson, Allied Solutions, NAFCU, Aug. 2, 2022.)
Then in February 2020, Lazarus made an important modification to the malware, turning it into a cryptocurrency skimmer and targeting Bitcoin (BTC) e-commerce. Since that time, Lazarus has been able to steal cryptocurrency as easily as it had been
stealing cards. (See “Lazarus Group Adds Javascript Sniffer to Cryptocurrency-Stealing Arsenal,” by Lindsey O’Donnell-Welch, Decipher, April 14, 2021.)
Most recently, Lazarus was linked over the summer to the theft of $100 million in cryptocurrency on Harmony Bridge, a service that allows users to move cryptocurrencies among different blockchains. In August, a similar service, deBridge Finance, was also subject to a failed hack that several reports attribute to Lazarus. (See “Harmony Hackers Begin Laundering Ethereum Stolen From Horizon Bridge,” by Jason Nelson, Decrypt, June 27, 2022 and “North Korea’s Lazarus Hackers Blamed in deBridge Finance Cyberattack,” by Stephen Alpher, Coindesk, Aug. 5, 2022.)
All this comes at a time when the cryptocurrency blockchains continue to grow in popularity despite the recent volatility in such assets. The blockchains always claimed safety and continue to do so, luring millions of devotees worldwide. That confidence
in the technology, for instance, helped fuel the boom in ICOs that took place in 2017 through 2018 before it crashed. The cryptocurrency industry’s get-rich-quick answer to a traditional initial public stock offering raised billions in crypto
to fund companies and, as a side effect, secured Ethereum’s (ETH) tenured place in the crypto market, alongside Bitcoin. It also involved a series of scams. (See “ICOs: A Brief History,”
by Trent Barnes, Zerocap, July 29, 2022.)
Cryptocurrencies and blockchain are increasingly becoming part of the commercial infrastructure we use daily to make payments on a variety of items. Microsoft, Whole Foods and Home Depot are just some of the big names that are accepting crypto as
payment these days. (See “The Rise of Cryptocurrency and What It Means for Ecommerce,” BigCommerce and “Cryptocurrency in ecommerce — more than just a hype,”
by Paul Okhrem, Elogic Commerce, Finextra, blog, April 26, 2022.)
Also growing in popularity is DeFi, which in short is a way for individuals to carry out financial transactions directly with each other through decentralized applications (a type of app known as a DApp) using smart contracts (computer-coded instructions). ETH, a decentralized blockchain powered by a cryptocurrency called ether, has been the dominant player in the DeFi DApp space. The Ronin Network, which Lazarus attacked and was mentioned in our first case, also works on a DeFi platform. And just as DeFi has disrupted the financial sector, some are propounding a similar shake up in the e-commerce and payments space. (See “Is Defi an Ecommerce Gamechanger?” 8PAY, April 16, 2021 and “Promises and pitfalls,” by Paul Kilby, Fraud Magazine, July/August 2022.)
“In 2017 we saw the rise of fake ICOs, cryptojacking and actors beginning to leverage blockchain networks as part of their malicious infrastructure. Since 2021, we have witnessed the era of smart contract exploits and bridge hacks. ‘What’s next?’
is the question we should all be asking ourselves,” says Randi Eitzman, senior threat analyst and certified cryptocurrency investigator at Mandiant.
Thriving on change
All this bears watching as Lazarus has relished the marketplace evolutions, leveraging the false trust in the blockchains and the leadership of Bitcoin and Ethereum. Indeed, trust in new technologies such as stablecoins has opened doors for potentially
fraudulent activity. The most confounding aspect of nation-backed criminals is their ability, at some point, to look legitimate, as well as to pivot and redirect with the nimble moves of an Olympic gymnast when they need to. They’re able opportunists
with nothing to hold them down. They’re masters of creating diversions. That’s why the cryptocurrency blockchains are so perfect for their crimes. There are so many unwatched decentralized options for transacting and storing. Like in the movies,
gangs in dense urban environments know the seedy places to transact, the abandoned warehouses to stash goods and money, and how to buy untraceable weapons on the black market, and they can easily hotwire stolen cars and make their getaways. They
know where the security cameras aren’t. But in the real world, the FBI is better equipped and catches these criminals most of the time.
[See sidebar: “Stablecoins: Ponzi scheme or panacea for fraud?”.]
In the DeFi cyberspace, cybercriminals like Lazarus are unfortunately better, faster and stronger than most of the people trying to catch them. They leverage blockchain technology environments they didn’t even create but enable their every move, while
law enforcement has generally yet to put the security cameras and alarm systems in those environments that shed light on criminal moves in real time. To make it worse, unlike other crimes, where law enforcement catches criminals when they make
mistakes, there are no mistakes to make on blockchains. Criminals get away with so much fraud because no one is watching closely enough to correlate what they’re seeing.
Awareness is the first essential step. Fraud is a given when dealing with cryptocurrencies. But engaging the tracking and IDing technology that shines a light on cryptofraudster activity introduces the better lock in the cyberfraud arms race.
Patrick Westerhaus, CFE, CPA, is co-founder and CEO of CT6, a cybercrime prevention company, as well as a former FBI special agent and Wells Fargo executive in cybercrime loss prevention. At the FBI, he led investigations into corporate fraud, government fraud, cyber-enabled fraud, public corruption, terrorism and espionage. Prior to joining the FBI, his work as a CPA included auditing publicly traded companies and internal fraud investigations. Contact him at patrick.westerhaus@cyberteamsix.tech.
Taming tumblers
Using U.S. money-laundering laws to combat international cybercrime
State-sponsored hackers have been using tumblers or mixers to hide money trails of illicit gains. Here we look at how fraudsters leverage this new technology and what law enforcement and the U.S. government are doing to prevent them from laundering money this way.
In May, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) took its first steps into a relatively unknown corner of the cryptocurrency market. It sanctioned what’s called a virtual currency mixer or tumbler named Blender.io (or just Blender here).
The move came in response to a cyberattack by the North Korean-sponsored hacking entity the Lazarus Group, which had allegedly robbed about $625 million of digital tokens from a blockchain linked to the gaming project Axie Infinity in one of the biggest-ever
heists of this kind. (See the cover story above.) Lazarus had used Blender to launder, or mix, over $20.5 million of illicit proceeds from the robbery, according to OFAC. (See “U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer,
Targets DPRK Cyber Threats,” U.S. Treasury, Press Release, May 6, 2022.)
“Today, for the first time ever, Treasury is sanctioning a virtual currency mixer,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said at the time.
“Virtual currency mixers that assist illicit transactions pose a threat to U.S. national security interests. We are taking action against illicit financial activity by the DPRK [North Korea] and will not allow state-sponsored thievery and its money-laundering
enablers to go unanswered.”
Indeed, Lazarus is not the only state-sponsored group that has been using mixers like Blender for money-laundering purposes. OFAC said that Russia-linked cybercrime and ransomware groups —
including Trickbot, Conti, Ryuk, Sodinokibi and GandCrab — have used the technology for the same purpose.
What is a cryptocurrency mixer?
A mixer or a tumbler is a process or system that mixes digital assets from various sources to anonymize the assets and disguise the transaction history. These terms commonly describe a service that charges customers a fee to convert traditional currency
to convertible virtual currency (such as bitcoin) and then sends it to a designated address in a manner specifically designed to conceal and hide the source or owner of the original funds and digital assets. The mixer service provider also agrees
to delete all customer-identifying information after the transaction. These services are usually associated with the purchase of illegal products on the darknet or in other illicit markets. (For an excellent description of how a mixer or tumbler
works on the darknet see “Assessment of Civil Money Penalty,” FinCEN.) A “crypto mixer” is an informal term describing a specialized cryptocurrency exchange that deliberately commingles
and scrambles the funds/digital assets of its customers attempting to anonymize the original funds and the digital assets purchased and erases the transaction history. (See visual representation below for how Blender mixes cryptocurrencies.)
Figure: How Blender mixes cryptocurrencies. Source: U.S. Treasury
Cracking down
Law enforcement has started strategically using U.S. money-laundering laws to combat international criminal groups protected by rogue states. And as illustrated in the Blender case above, the U.S. government is striking back, with enforcement actions
against criminal groups connected to foreign states that are using convertible virtual currency (or cryptocurrency) to launder and disguise the proceeds of international cybercrime.
The Financial Crimes Enforcement Network (FinCEN), which is part of the U.S. Treasury, first began penalizing abuses of mixers in 2020 in a case involving Larry Dean Harmon, the CEO of bitcoin-mixing services Helix and Coin Ninja. FinCEN fined him
$60 million for violations of the Bank Secrecy Act (BSA), such as failing to implement and maintain an effective anti-money-laundering program and report suspicious activities. (See “First Bitcoin ‘Mixer’ Penalized by FinCEN for Violating Anti-Money
Laundering Laws,” FinCEN, Oct. 19, 2020, and “FinCEN Fines Bitcoin-Mixing CEO $60M in Landmark Crackdown on Helix, Coin Ninja,” by Danny Nelson, CoinDesk, Oct. 19, 2020.)
The case, which marked the first time the Department of Justice (DOJ) had called bitcoin mixing a crime, was seen as broadening the reach of law enforcement in this area. Last year, Harmon pleaded guilty to operating a bitcoin mixer that had laundered over $300 million on the darknet. (See “Ohio Resident Pleads Guilty to Operating Darknet-Based Bitcoin ‘Mixer’ That Laundered Over $300 Million,” DOJ, Press Release, Aug. 18, 2021.)
Using traditional and jurisdictional law enforcement methods to address organized cybercrime occurring in some foreign countries, such as North Korea and Russia, has proven difficult. However, the subsequent transfer and use of the illicit proceeds
derived from those criminal activities can be traced and attacked as criminals attempt to place their ill-gotten gains into legitimate markets. Criminals believe cryptocurrency is a good vehicle for moving illicit funds because of its perceived
anonymity. But cryptocurrency, stolen or purchased, is usually converted back to traditional currency in a financial market at some point. Sooner or later, the illegal proceeds must enter the financial markets to be used. So, potential chokepoints
exist at the entry and exit ramps where that occurs.
Tornado Cash
Taking a chapter from the money-laundering enforcement playbook, OFAC has continued to slap sanctions on virtual-currency exchanges for allegedly mixing traditional cryptocurrency transactions with cybercrime proceeds derived from criminal organizations
connected to North Korea and Russia.
In August, OFAC sanctioned another mixer called Tornado Cash, which it said laundered more than $7 billion in cryptocurrency since its creation in 2019. That amount includes more than $455 million stolen by the Lazarus Group. Tornado Cash also allegedly
laundered an additional $103.8 million of cybercrime proceeds from recent cyber heists of Harmony Bridge and Nomad — services that allow users to send and receive tokens between blockchains. (See “U.S. Treasury Sanctions Notorious Virtual Currency
Mixer Tornado Cash,” U.S. Treasury, August 8, 2022.)
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,” Nelson
said.
Shortly after Nelson made that statement, Dutch authorities announced on August 12 the arrest of the software developer working for Tornado Cash for his suspected “involvement in concealing criminal financial flows and facilitating money laundering
through the mixing of cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash.” (See “Arrest of suspected developer of Tornado Cash,” FIOD, August 12, 2022.)
The general effect of these recent enforcement actions is to prohibit U.S. persons and entities from doing any business with these particular cryptocurrency exchanges (or “crypto mixers”) and to exclude those exchanges from access to Western financial markets. In October of last year, OFAC published its first “Sanctions Compliance Guidance for the Virtual Currency Industry,” spelling out the risks involved.
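As an added example (not from OFAC, the Treasury or the article’s authors) of the screening an exchange’s compliance team would run under guidance of the kind just described, the following Python code walks a deposit’s incoming transaction history backwards over a small constructed ledger and reports whether, and how many hops away, a designated address appears. The sanctioned address, the ledger and the review tiers are constructed placeholders and an assumed policy, not OFAC’s list or rules.

```python
from collections import deque

# Constructed ledger for this example: (sender, receiver, amount). The
# "sanctioned_mixer_placeholder" address stands in for a designated mixer address
# on a sanctions list; it is NOT a real address from any OFAC designation.
LEDGER = [
    ("user_1", "exch_deposit_1", 2.0),
    ("sanctioned_mixer_placeholder", "hop_a", 10.0),
    ("hop_a", "hop_b", 9.9),
    ("hop_b", "exch_deposit_2", 9.8),
    ("sanctioned_mixer_placeholder", "exch_deposit_3", 1.0),
    ("user_2", "exch_deposit_3", 0.5),
]
SANCTIONED = {"sanctioned_mixer_placeholder"}


def incoming_edges(ledger):
    """receiver -> [sender, ...]: the direction a deposit screen walks."""
    edges = {}
    for src, dst, _ in ledger:
        edges.setdefault(dst, []).append(src)
    return edges


def screen_deposit(ledger, deposit_addr, sanctioned, max_hops=5):
    """Walk backwards from the deposit address through the senders that funded
    it, up to max_hops. Returns None if no designated address is found, else
    {"hit": address, "hops": distance, "path": [hit, ..., deposit_addr]}.
    Breadth-first order guarantees the nearest hit is the one reported."""
    edges = incoming_edges(ledger)
    parent = {deposit_addr: None}
    depth = {deposit_addr: 0}
    queue = deque([deposit_addr])
    while queue:
        addr = queue.popleft()
        if depth[addr] >= max_hops:
            continue
        for src in edges.get(addr, []):
            if src in depth:
                continue
            depth[src] = depth[addr] + 1
            parent[src] = addr
            if src in sanctioned:
                # Rebuild the funding path from the hit down to the deposit address
                path, node = [], src
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return {"hit": src, "hops": depth[src], "path": path}
            queue.append(src)
    return None


def decide(screen_result):
    """Assumed review policy for this example (not an OFAC rule): a direct
    counterparty hit is rejected and reported; an indirect hit within the search
    window is escalated to a compliance analyst; no hit clears the deposit."""
    if screen_result is None:
        return "clear"
    if screen_result["hops"] == 1:
        return "reject"
    return "escalate"


if __name__ == "__main__":
    for dep in ("exch_deposit_1", "exch_deposit_2", "exch_deposit_3"):
        result = screen_deposit(LEDGER, dep, SANCTIONED)
        print(dep, decide(result), result)
```

The hop window is the tuning knob: a deeper search catches funds laundered through more intermediate addresses, but on a real chain it also sweeps in legitimate deposits that passed through a popular service several hops back, so the indirect tier is routed to a human rather than auto-rejected. In practice the designated-address set comes from the published sanctions list and an attribution dataset, not a hand-written constant.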
But the U.S. Treasury has received some pushback in the wake of the sanctions on Tornado Cash. A group of crypto investors in September sued the U.S. Treasury amid accusations of legal overreach and privacy violations. (See “Investors Sue Treasury
Department for Blacklisting Crypto Platform,” by David Yaffe-Bellany, The New York Times, Cryptocurrency, September 8, 2022, and “Are Crypto Mixers Legal?” by Rosie Perper, CoinDesk,
August 14, 2022.)
The sanctions on Tornado Cash have raised all sorts of questions regarding the use of mixers and their legality, some of which OFAC has tried to address. Below we look at how these services
might violate money-laundering laws.
How mixers violate money-laundering laws
Money-laundering laws are violated whenever proceeds from any illegal activity are used in a financial transaction that is intended to: 1) conceal the source, ownership or origin of those funds, 2) avoid a reporting requirement or 3) evade the law.
(See Title 18, United States Code, Sections 1956 and 1957, Cornell Law School.) A crypto mixer violates those laws when it “mixes”
or commingles legitimately obtained funds with illicitly obtained funds to destroy the money trail back to the criminal or the illegal activity.
The goal of the mix is to render illicit funds indistinguishable from the legitimate funds of other customers and hinder investigative efforts. This provides criminals an opportunity to hide the origin of stolen funds from investigators, which is
an unlawful act under U.S. money-laundering statutes.
Follow the money
Using existing money-laundering laws and OFAC’s statutory authority to address international cybercrime is creative and welcome. Financial investigators and accountants are working closely with cybersecurity experts to trace funds and transactions
to mitigate the increasing problems of ransomware and cybercrime. “Follow the money!” is wise advice once again.
These recent sanctions are an encouraging sign and indicate that the U.S. government is stepping up efforts against international cybercrime groups that enjoy the protection of rogue states. The U.S. Treasury and its financial investigators are to be applauded for taking aggressive action against the cryptocurrency exchanges that launder funds for these criminal organizations and the foreign nations that support them. These actions will severely limit the continued use of Blender and Tornado Cash and serve as warnings to other crypto mixers supporting criminal groups.
Kerry L. Myers, CFE, is an associate professor of instruction, teaching forensic accounting and business law at the Lynn Pippenger School of Accountancy, Muma College of Business, University of South Florida. He’s a former FBI special agent. Contact him at kerrymyers@usf.edu.