Investigators from blockchain analytics firm Elliptic found that some of the stolen funds from this month’s hack of Atomic Wallet have been moved to Garantex, a crypto exchange sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). 

At the time of imposing the sanctions, the Treasury estimated that Garantex had processed $100 million in transactions associated with illicit actors and darknet markets, including nearly $6 million from Russian ransomware-as-a-service (RaaS) gang Conti and $2.6 million from Hydra.

The Elliptic investigators found that the hackers traded their assets for Bitcoin on the sanctioned crypto exchange, after which they laundered the withdrawn Bitcoin through the coin mixer Sinbad. 

Earlier this month, a number of users took to Reddit to complain that they had lost the entirety of their crypto assets held on the non-custodial wallet Atomic. The firm addressed the reports in a tweet shortly after, saying they estimated less than 1% of monthly active users were impacted by the attack.

Blockchain sleuth ZachXBT estimated that more than $35 million was stolen in the exploit, with multiple users losing six figures across multiple chains. Investigators from Elliptic later attributed the hack to Lazarus, the North Korean state-sponsored cybercrime group responsible for several blockchain exploits that collectively amounted to billions of dollars.

A June 11 report from the Wall Street Journal found that a portion of the $3 billion in crypto stolen by the North Korean hacking unit was used to fund the country’s nuclear programs.