Lazarus Group, the North Korean cybercrime group that is believed to be behind the HTX and HECO bridge hacks last year, has started laundering a portion of the funds stolen through crypto mixer Tornado Cash.

Blockchain analytics firm Elliptic found that wallet addresses tagged to Lazarus had laundered $13 million from the hack through Tornado Cash over the last day. These funds were part of the $100 million worth of crypto that was stolen from crypto exchange HTX and its cross chain bridge HECO in November 2023, which compromised three HTX hot wallets.

Elliptic and other blockchain security firms later attributed the hack to Lazarus, which immediately swapped the stolen tokens for ether using decentralized exchanges. These funds were dormant until March 13, when the hackers transferred $13 million from the HTX/HECO thefts to Tornado Cash through 40 transactions.

Tornado Cash was sanctioned by the U.S. Treasury’s Office of Foreign Asset Control (OFAC) in August 2022, pointing to the mixer’s role in the laundering of $455 million worth of crypto stolen from Axie Infinity’s Ronin bridge — another hack attributed to Lazarus.

After the sanctions were imposed, Lazarus had largely relied on another coin mixer to launder funds, until it was sanctioned and seized by US authorities in November 2023.

Unlike Sinbad, which is a Bitcoin-based centralized coin mixing service, Tornado Cash runs on decentralized smart contracts, meaning that it has continued to operate despite US sanctions.

“This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as and,” noted Elliptic.